Re: CD PROPOSAL: INCLUSION - Interim Decision 8/23
In an offline vote to MODIFY this content decision, Kent Landfield suggested:

># 4) At least 2 non-MITRE members from different organizations vote on
># the candidate, preferably 3. If there are more than 5 active voters,
># then 75% of active voters will be preferred.
>
>I'd require 3 votes from different organizations outside of MITRE.

So far, I haven't accepted any candidates without at least 3 non-MITRE votes. This is a reasonable approach in theory, but we do face a problem in practice, namely that there are only 3 or 4 individuals who vote on any one issue, and even that normally takes a month or more to accomplish. For example, I am very much feeling the fact that Adam Shostack isn't able to participate actively this month, since he's a very active voter :)

An additional challenge is that some voters will not vote on vulnerabilities that they do not know intimately. Of course this is a rational approach, but it prevents NT experts from voting on Unix vulnerabilities and vice versa, which further limits the number of possible voters on any one candidate.

We have to deal with the pure volume of older vulnerabilities that will need to be added to the CVE. Specifically, we have (roughly) 1500-2000 vulnerabilities that will need to be "back-filled" into the CVE. Many of the candidates that have been proposed so far are the "easy" ones, in that they're associated with advisories from trusted sources (from a CERT or the vendor or a respected vulnerability team); generally, the only changes that need to be made from the original proposal are to add a reference or change the wording of the description. Some of these "easy" ones haven't been voted on by more than one person, despite the fact that they've been proposed for a month or more; many are also tested for by a number of security tools.

Of course, there have been other issues such as all the high-level debates, and the fact that everyone has other work to do :)

I required only "2 votes" here because I wanted to allow for a streamlined process of approving these older vulnerabilities, especially the well-understood and prevalent ones. On the other hand, with new vulnerability information, there's a greater burden on validation (a topic in the EX-VALIDATE content decision), so it makes sense to require at least 3 votes in that situation.

How about this modification:

- If at least 3 non-MITRE members vote, then the vulnerability may be included.

- If only 2 non-MITRE members vote, and the vulnerability predates the initial public release of the CVE, and at least 2 well-known security tools claim to check/test for the vulnerability, and at least one of those tools is NOT associated with one of the voters, then the vulnerability may be included. [In other words: a well-known tool whose company didn't vote for an old vulnerability can be counted as a vote.]

- Steve