[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DWF and CVE Integration Proposal

That sounds excellent. The devil will be in the details, such as business continuity planning and lifecycle planning (e.g., what to do if/when a root CNA winds down). There's an implicit assumption that, using the current DWF setup as example, GitHub won't fail, and so on. However that should all be fixable later and is no reason to delay.

Great start!  I can't wait to see that seed bloom.


On 04/06/2016 06:52 AM, Landfield, Kent B wrote:

Following up on the conversations we had on the Board call last week, 
Kurt, the DWF Board, myself and other CVE Board members have been 
working to put together the proposal as requested by MITRE.  We have 
tried to lay out what the intent, parameters, expectations and 
hopefully what the successful outcome will result in.

We were pleased to hear MITRE’s agreement with the overall objective of 
the project on the call and to see it listed in the minutes of the Board 
meeting.  As requested by Jon Baker, we have documented the proposal and it is 
submitted below.

We believe it is in the best interest of CVE and the community to 
initiate the DWF / CVE Integration Project as soon possible.

DWF and CVE Integration Proposal

Harold Booth, NIST (harold.booth@nist.gov<mailto:harold.booth@nist.gov>)
Larry W. Cashdollar, Akamai Technologies 
Kent Landfield, Intel 
Art Manion, CERT/CC (amanion@cert.org<mailto:amanion@cert.org>)
Brian Martin, OSF / OSVDB 
Kurt Seifried, Red Hat 
David Waltermire, NIST 
Zachary Wikholm, Independent 
Area of Focus
The Distributed Weakness Filing (DWF) Project provides a community based Open Source process 
oriented solution to getting CVE identifiers into the hands of people that need them. The 
DWF aims to work with security researchers and other “producers” of CVE IDs to 
assure the timely assignment of IDs. The project’s major focus is to become a CVE 
Numbering Authority (CNA) targeted primarily at the Open Source community.

Proposing a New Type of CNA
The overall purpose of this Proof of Concept (PoC)  is to test the 
validity of creating a new class of CNA. In the past CNAs have been, 
for the most part, an endpoint in the CVE ID issuance process. 
Authorized CNAs have been issued a block from the CVE ID pool they have 
then used to issue their own organizational IDs. This proposal is to 
create a Root CNA. The DWF Root CNA will be able to act as an existing 
CNA by issuing CVE IDs as requested. Additionally, the DWF Root CNA 
will be able to  train and coordinate other organizations and people to 
create CNAs that live within the DWF namespace.

As this is a PoC, the plan is to take a “fail fast” approach. DWF will 
be experimenting where we believe good ideas should be put into an operational 
production environment to test the usefulness of the idea.

The following are the proposed specifics of the effort:

●    The DWF Project will act as a CNA and ensure no conflicts between 
DWF and current CVE ID ranges. The DWF will start at a high range of numbers 
to avoid conflicts with CVE numbers.

●     DWF Project will use the ID range CVE-YEAR-1000000 through 

●    The DWF will assign CVE IDs to answer requests sent directly to 
the DWF by researchers, vendors and others.

●    Any subordinate DWF authorized CNAs will only be allowed to exist 
under the DWF hierarchy and be restricted to the DWF authorized namespace 
(that is CVE-YEAR-1000000 through CVE-YEAR-1999999).
The DWF project will continue to work with MITRE and others to create 
guidelines and requirements for CVE requests, CNA creation, curation of 
CVEs and so forth. As mentioned earlier, the DWF will focus on Open 
Source software, security researchers and security vendors that find 
and report security vulnerabilities.

The DWF Project will continue to coordinate closely with MITRE and the CVE Editorial 
Board to ensure compatibility with existing and future CVE requirements and processes 
such as “what counts as a vulnerability”, SPLIT/MERGE and so forth.

DWF will work with MITRE and the CVE Editorial Board to create a base 
set of documentation of best practices that can assist with the 
development and processes of the Root CNA usage and deployment.  While 
targeted towards DWF, the documentation can be used by others within 
the CVE management community.
Proposed Outcome
The intent of this POC is to determine the effectiveness of new 
techniques, ideas and a new hierarchy-based model for CNA creation and 
CVE issuance. If successful, this approach will allow for other Root 
CNA authorities to be set up. Future CNAs could be assigned based on 
technology sectors or national boundaries thus allowing expansion and 
expertise in areas of vulnerability identification not currently 
possible in the existing CVE management approach/scheme.

Kent Landfield

Page Last Updated or Reviewed: April 06, 2016