Phases of Candidate Acceptance
Since the week for reviewing the CERT candidate cluster has expired,
I've had to consider what the next steps were for moving from a
"candidate" to an official CVE entry. It makes me nervous that
there's been so little response to the CERT cluster, but if we don't
move forward, we'll never get the CVE rolling.
Below are 5 phases that a candidate will go through before it is
accepted (or rejected) as a CVE vulnerability. As with others, these
phases are open to discussion, but I'd prefer to see some discussion
on the proposed candidates. To use the terminology I provide below,
CAN-1999-0001 through CAN-1999-0663 have been assigned; the candidates
in the CERT cluster have been announced; and this Thursday, most of
those CERT candidates will move to Interim Decision.
In other words, speak now on the CERT vulnerabilities, especially if
you have any problems with them :) I will post another cluster later
Phases of Candidates
1) Assignment - CNA reserves a candidate number
2) Announcement - CNA announces the candidate (strongly preferred that
it just be to the Editorial Board, if vulnerability is previously
known; we want to reduce the presence of candidates in the public as
much as possible). Editorial Board discusses the vulnerability and
3) Interim Decision - Editor posts a decision based on discussion.
Members have 2 days to post objections. If significant discussion
ensues, vulnerability stays at Interim Decision.
When is a candidate ready for the Interim Decision phase? The
- high percentage of ACCEPT votes from *active* board members
- no new discussion for a week
4) Final Decision - Editor makes a final decision, announces to the
board. If a CVE number is assigned, board can reliably believe that
the CVE number will be used.
When is a candidate ready for the Final Decision phase? When
discussion dies down, or the Editor believes it is in the best
interests of the community to assign a name.
5) Publication - if accepted, candidate is "announced" to the public.
Otherwise, decision is recorded in candidate database, which can be
accessed by public via web site.