[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Method to Request CVE IDs from MITRE Changing Soon



Thank you and I agree with your conclusions and your suggested way ahead.  Our communications plan clearly failed here, particularly in regards to the Board.  We will begin to work to what you’ve laid out in 1-3 going forward, for any major programmatic/operational changes.


If you don’t object, I’d like to discuss the plan you laid out below, in addition to the form, in the meeting tomorrow, so the other members of the Board can be made aware. 


Again, I appreciate your continued help and guidance (and patience).


Thank you,

Meghan E. Manley

Homeland Security Systems Engineering and

Development Institute (HS SEDI)

703-983-4278 (office)

703-674-7081 (cell)





From: Landfield, Kent B [mailto:kent.b.landfield@intel.com]
Sent: Wednesday, August 24, 2016 11:54 AM
To: Manley, Meghan E. <mmanley@mitre.org>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Method to Request CVE IDs from MITRE Changing Soon


Thanks Meghan.


It appears, at least for Intel, that only the Primary POC was notified.  We have a team here working this now across the company. In the future I request MITRE uses the CNA list for issues that may touch or marginally touch CNAs so all can learn, regardless of their status.  They will need to anyway so… This was posted less than 12 hours later to the public CVE Announce list for all to see.


Additionally, it would be better to make sure the Board is aware of these type of changes before they are made public, not after.  I may have missed this as I have not been able to attend recent Board calls due to real work but …  If the Board is supposed to be an advocate for CVE, the value and the process, it is important Board members are not surprised, especially with the closer relationships that have emerged with the press. Hate to be asked a question and my response had to be, “I don’t know anything about that.”


This is really a simple process issue.

1.       When MITRE wants to make changes that affect CVE operations, directions or value, notify the Board of the intended changes.  Use the mailing list since we are a distributed group. You don’t need approval but as a courtesy so we are not caught flat footed by colleagues or press.

2.       If the issue could be of interest to the CNAs, notify the CNA list with a little time for questions if appropriate.

3.       Publicly announce the change, addition, etc.


If something like this is followed all will be adequately informed and can assist with any PR, either internal to our organizations, external to the community or the press…


Not knowing will cause more perception problems that one side does not know what the other is doing and that has not been helpful in the past. ;-)


Also, at least for me, if your team needs a beta-tester for bashing web-based services, just ask.  I love to break things. ;)


Thanks for listening.



Kent Landfield



From: "Manley, Meghan E." <mmanley@mitre.org>
Date: Wednesday, August 24, 2016 at 8:35 AM
To: Kent Landfield <kent.b.landfield@intel.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: Method to Request CVE IDs from MITRE Changing Soon




Thank you, and we fully agree.  A message communicating the upcoming change was sent to the CNA POCs yesterday shortly after 6:00 ET.  We sent it directly to the CNA POCs, rather than the cve-CNA-list, to avoid confusion, since the cve-CNA-list includes candidate organizations that are not yet fully integrated into the program.  The candidate CNAs will learn about the form as we onboard them.


We also intend to discuss this with Board members at the meeting tomorrow.


The content of the message sent to the CNA POCs is below my signature block.


Thanks again,

Meghan E. Manley

Homeland Security Systems Engineering and

Development Institute (HS SEDI)

703-983-4278 (office)

703-674-7081 (cell)





From: CVE ID Requests
Sent: Tuesday, August 23, 2016 5:08 PM (ET)
To: CVE ID Requests <cve-assign@mitre.org>
Subject: Method to Request CVE IDs from MITRE Changing Soon



Hash: SHA256


**********IMPORTANT NOTIFICATION***************




The method to request blocks of CVE IDs from MITRE will change on

August 29, 2016. In the new method, CNAs will complete and submit a

short, simple web form to request CVE ID blocks from MITRE. The

previous practice of requesting blocks via cve-assign@mitre.org

email will be discontinued. Beginning August 29, 2016, the form will

be available via https://cve.mitre.org/cve/request_id.html.


Learn more at:





- --

CVE Assignment Team

M/S M300, 202 Burlington Road, Bedford, MA 01730 USA

[A PGP key is available for encrypted communications at



Version: GnuPG v2.0.14 (GNU/Linux)

















From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent B
Sent: Wednesday, August 24, 2016 8:52 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: FW: Method to Request CVE IDs from MITRE Changing Soon


Quick question… While I think this is a great step towards better automation, has this new request process been communicated to the CNAs?  I am on the cve-cna-list and I don’t remember seeing this mentioned.  I have been traveling way too much but I do try to keep up…


If I am correct, I’d recommend we not use CVE Announce list for communicating items that, while not directly, have a potential indirect effect on CNAs. I understand this is targeted towards the general community but I would expect we should be letting the front line know so if asked or redirects are needed, they would know the correct way to request a specific CVE directly from MITRE.





Kent Landfield



From: <owner-cve-announce-list@lists.mitre.org> on behalf of "Sain, Joe" <jas@mitre.org>
Date: Tuesday, August 23, 2016 at 5:33 PM
To: cve-announce-list Common Vulnerabilities and Exposures/CVE Annou <
Subject: Method to Request CVE IDs from MITRE Changing Soon


Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about Common Vulnerabilities and Exposures (CVE), such as new compatible products, new website features, CVE in the news, etc. right to your email box. CVE is the standard for cyber security vulnerability names. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the technology community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers (IDs) to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.


Comments: cve@mitre.org



CVE-Announce e-newsletter/August 23, 2016





1. IMPORTANT NOTICE: Method to Request CVE IDs from MITRE Changing Soon

2. Details/Credits + Subscribing and Unsubscribing





IMPORTANT NOTICE: Method to Request CVE IDs from MITRE Changing Soon


The method to request CVE IDs from MITRE will change on August 29, 2016. Using the new method, CVE ID requestors will complete a “CVE Request” web form when requesting a CVE ID from MITRE. The previous practice of submitting requests via email will be discontinued.


The new web form will make it easier for requestors to know what information to include in their initial request, and will enhance MITRE's ability to respond to those requests in a timely manner. User instructions will be available on the website and on the form itself. Upon completion of the form, the requestor will receive a confirmation message that the request was received and a reference number.


Please send any comments or concerns to cve@mitre.org.




Request a CVE ID -






CVE News page article –




Details/Credits + Subscribing and Unsubscribing


Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge.

The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of the CVE Program.


To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".


Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).


For more information about CVE, visit the CVE website at https://cve.mitre.org or send an email to cve@mitre.org.



Page Last Updated or Reviewed: August 30, 2016