CVE: intellectual property/branding

[Stuart Staniford-Chen <stuart@silicondefense.com>]

[For those of you that don't know me, my background is as an intrusion
detection researcher, and the hat I'm wearing for this mail message is as a
cochair of the IETF's working group IDWG, which is trying to develop a
standard way for IDS systems to report alerts.]

My interest in the CVE, if it's successful, is that it is potentially a very
useful field in standardized IDS alerts.  It fills the "what hole were they
trying to exploit?" niche that an alert should hopefully tell an alert
consumer something about.
So I'm interested in issues that would get in the way of the IETF saying in
an RFC that the n'th field in an IDEF alert is a CVE number.

One is intellectual property - what intellectual property rights does Mitre
plan to assert in the content of the CVE?  For example, I note that all the
vulnerability database information in http://www.securityfocus.com/ is
Copyright and all rights reserved.  Awsome site incidentally, Aleph1.  I
assume Mitre plans to be much less restrictive?

More nebulously, there's the issue of branding.  At the moment, it looks to
me that Mitre is definitely positioning this as "The Mitre CVE" with the
Mitre brand strongly linked to it.  I don't know that there's any definite
policy at the IETF (or other standards bodies), but my instinct is that that
is inhibitory to the CVE being used by standards bodies.

A possible route of evolution for the CVE would be for it to be published
periodically as an RFC.  Steve and other Mitre folks are still the authors,
but it becomes a standards track document.

I meant to think these issues through carefully, and then raise them a while
ago, but instead I got busy and so I'm raising them half-thought-through now,
before it's altogether too late.

Stuart.

--
Stuart Staniford-Chen --- President --- Silicon Defense
                   stuart@silicondefense.com
(707) 822-4588                     (707) 826-7571 (FAX)