
RE: Proposed Working group and workshop

I think we need to consider how any Strategy WG output will be aligned or used to inform DHS funding and program direction. I guess that means I'm signing up.

Tom Millar, US-CERT

Sent from +1-202-631-1915

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Landfield, Kent B
Sent: Friday, August 26, 2016 5:05:23 PM
To: Kurt Seifried; Williams, Ken
Cc: cve-editorial-board-list
Subject: Re: Proposed Working group and workshop

Looks like you are indicating you are interested as well? ;-)  This will be a great question to discuss during the WG calls.   I see a strategic direction question there on approaches to issuance. …



Kent Landfield



From: Kurt Seifried <kseifried@redhat.com>
Date: Friday, August 26, 2016 at 11:02 AM
To: "Williams, Ken" <Ken.Williams@ca.com>
Cc: Kent Landfield <kent.b.landfield@intel.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Proposed Working group and workshop


Stupid Question but why are we being so stingy with CVEs? We should be handing them out like candy, and putting the "important" ones into the database (and accepting well formed database submissions from all).


My only concern with DWF right now is SLAs (so we measure/do the right things) and then automation of it all.


On Fri, Aug 26, 2016 at 9:14 AM, Williams, Ken <Ken.Williams@ca.com> wrote:

I’d definitely like to participate.  Comprehensive CVE coverage of ALL vulnerabilities is a worthwhile goal to consider in such a WG.


Ken Williams

Vulnerability Response Director, Product Vulnerability Response Team

CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022



From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent B
Sent: Friday, August 26, 2016 7:30 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: FW: Proposed Working group and workshop




First off, a little history.  Six months ago CVE was in a very different place than it is today. There was a lot of frustration around. Security researchers had nearly given up trying to work with CVE to get the IDs needed to label discovered vulnerabilities. Competing efforts seemed on the horizon. Board members’ frustration was becoming extremely apparent. Negative articles were being published about CVE management and while MITRE was doing things behind the scenes to try to improve the CVE processes, it was not apparent to anyone else.


Fast-forward 6 months… During this time, we have had a reasonable amount of success.


Successes since March 1:

1) Regular Board Meeting Calls
2) New Charter developed and about to be voted on
3) Federated Proof of Concept with DWF conceived and successfully started
4) CVE ID Request changes with automation aspects (new web request page)
5) New CVE Counting Document
6) Multiple CNAs trained and added
7) MITRE communication plan for introducing public CVE process changes
8) First issuance of CVEs in the 1,000,000 range
9) New Board member and old ones resigning
10) Newly proposed Terms of Use to include support for Description contributions
11) CNA List created for all those actually acting as a CNA
12) CNA Governance and Rules document to be released next week to the Board


We have changed our risk averse approach to CVE to one of “We are not afraid to fail. We will evolve.”


We have refocused our Board membership back on the passionate individuals wishing to advance CVE instead of any specific organization, which is now reflected on the web site.


We have taken the time to change the CNA architecture from the hub and spoke model to a federated model. The DWF “proof of concept” is operational and from all apparent perspectives, successful. While there is a lot to do, it is obvious the federated CVE CNA model is here to stay.


So what do we want CVE to look like in 3-5 years?  How do we plan on getting there?


On the Board call today I suggested we create a working group to try to address some of those questions. This is a working group as identified in the Charter. Instead of waiting weeks to get started, I suggested we create the WG as an ad-hoc working group until the Charter is approved and then we can ‘officially anoint’ it.


The purpose of the working group is to create the overall CVE strategy, identify where it is we want to go, assure we identify what is needed to create a generic new ‘root’ CNA, (get our terminology consistent), and then start addressing a tactical plan to get there. There are lots of questions we need to address. It is envisioned we will be using the CNA Rules document as one of the more foundational documents to describe the overall effort, governance and coordination processes.


I would like to ask who would like to participate? I have talked with a few of you and there seemed to be interest in the past. I will let MITRE work the mechanics of getting things set up.  They get paid to do those types of things for the Board. ;-)  Chris offered. ;)


Time to have the real foundational conversations needed in order to lay the groundwork for the future of CVE, its expanded coverage and capabilities.





Kent Landfield





Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 

Page Last Updated or Reviewed: August 29, 2016