Cluster proposal schedule, and request for vulnerability lists
With the intention of having a mid-August "CVE review" meeting at
MITRE to discuss still-open issues (I'll have a later email on that),
it has become clear that we need to get all proposals "on the table"
by August 1. If we were to continue on the pace we've been going, I
estimate it would take 10 months to validate just the vulnerabilities
that are in the current CVE.
Having all proposals made by August 1 would require an aggressive
schedule for proposing candidates, at the rate of about 100 per week.
The idea is to get as many candidates validated as possible by the CVE
review meeting, so that we can focus on "real" issues at that time.
If any issues arise that you strongly believe require more discussion,
please feel free to speak up.
I believe that having vendors see their mappings would expedite things
significantly. So I am asking vendors/database owners to send me
their annotated vulnerability lists now (if they can) so that I can
start working on mappings. Then by the time all our lawyers have
hammered out the NDAs, I can immediately send the mappings to you.
Please let me know if you have concerns with providing me with your
data before the NDAs are signed. As a reminder, the most important
information I need from vendors is a 1- or 2-line description of each
vulnerability, and the vendor's own ID for that vulnerability, so that
they can easily look up the info in their own database once they get
the mappings back.
It's been difficult for me to effectively track all the candidate
proposals, modifications, moves to Interim Decision, etc. Unchecked,
this problem can only get worse as we get closer to initial release.
In the longer term, having some sort of candidate tracking database
could help to solve this problem.
Starting today, I plan to do the same "phase move" (e.g. from
Modification to Interim Decision) on the same day of each week.
Hopefully, this will make it easier for Editorial Board members to
know what to expect, what becomes "due," and when.
The candidate review schedule for a single cluster is as follows:
- Tuesday (Day 1): propose cluster(s)
- Wednesday (Day 9, 1 week later): propose Modifications, if any
- Monday (Day 14): move to Interim Decision
- Friday (Day 18): move to Final Decision
This schedule is designed to do the following:
- allow between 1 and 2 weeks to review and discuss candidates
before they move to Interim Decision
- allow 2 weekends for Editorial Board members to do reviews and/or
think on issues, if they wish
- allow at least 3 work days between any phase move
- allow 4 work days for any last-minute problems before decisions
- have the same phase move occur on the same day each week
Each Tuesday, I'll propose new clusters.
As I've done with the CERT cluster and expect to do with other
clusters, I'll only move candidates to later phases when it's
reasonable to do so. So there will be times when we will only
validate a portion of a cluster within the 18 day time frame.
Candidates that are still "open" by mid-August could be discussed at
the CVE review meeting.
I'll start the process by proposing some new clusters today, and
pretending it's Tuesday.