[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE Automation Working Group Charter

CVE Board Members,


I am recommending the attached CVE Automation Working Group charter for approval by the board.  Please review the charter and submit your vote to this email list  by Noon EDT on Thursday, May 31.  The results of the vote will be announced at the June 13th board meeting.


The charter is also available from the GitHub repository:




Thank you,

Chris Johnson

CVE Automation Working Group

# CVE Automation Working Group (CAWG) Charter

## Scope:
The CVE Automation Working Group is focused on identifying and 
advancing proposals for the collaborative design, 
development and deployment of automated capabilities that support the 
efficient management of the CVE Program. The following 
goals section includes current high-level goals for the CAWG. The 
operating principles section captures the principles that 
the SAWG uses as part of any effort. Last, the objectives section 
provides some of the measurable actions that the CAWG has 
currently targeted for assignment. All of the lists are subject to 
change as the CAWG evolves and as new items are identified.
When a proposal is accepted, an CAWG project will be established. A 
project consists of one or more participants and will 
focus on a single proposal. Each CAWG project will include a separate 
charter, where needed, to provide an overview of the effort,
define objectives, and describe the scope of activities to be performed 
by the project. In general, CAWG projects are initiated
through a requirements project. Proposals, and the project(s) that are 
initiated based on them, should align with the goals,
operating principles, and objectives described in this charter.

## Goals:
- Realize greater efficiency in the creation, ingest, and publication 
of CVEs
- Implement CVE processing and publishing in near-real time
- Enable more effective management of CVEs, CNAs, and associated 
- Develop capabilities that help improve CVE coverage
- Make it easier to assign CVE IDs to any and all public 
vulnerabilities that conform to CNA rules.
- Improve the quality of CVE data and metadata
- Reduce the amount of human intervention needed to publish, consume, 
and use CVE data.
- Provide improved transparency throughout the CVE management process
- Achieve greater interoperability of CVE tools, repositories, and 
- Promote seamless integration with other enumerations (e.g. CWE, 
CAPEC) and internal processes
- Reduce the barriers for participation in the CVE Program. (e.g., 
costs, fees, time, effort, and technical expertise)

## Operating Principles:
- Employ a decentralized approach to CVE management 
- Use free and open source solutions where possible. Avoid solutions 
that require propriety, closed systems, or are not compatible with CVE 
terms of use.
- Promote free and open standards and best practices for automated 
information exchange. Avoid standards that are not free and not open.
- Develop modular code and pluggable capabilities that can be readily 
reused or extended
- Use consistent terminology and naming conventions

## Objectives:
- Document current roles, responsibilities, workflows, data formats, 
and protocols
- Define CVE user stories/use cases
- Design, develop, and deploy automated and enhanced CVE services 
(ingest, publication, processing)
- Design, develop, and deploy software tools for the development and 
management of CVE content/information
- Streamline existing processes and lay a foundation for future 

Page Last Updated or Reviewed: May 17, 2018