[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVEPRI] Request for CVE submissions - "Top 100" and "Last 6 months"
All: To meet the challenge of 500 CVE entries by Y2K, I requested that Board members prepare their "top 100" vulnerabilities or exposures that haven't yet made it to CVE. The next email will describe the format that you can use to submit this information. The original challenge is at http://cve.mitre.org/archives/msg00490.html In addition, we have a unique opportunity to see how fragmented our knowledge is "before CVE" by seeing what vulnerability databases have for problems discovered in the last six months. Many vulnerability databases have a "date discovered" field which provides information on when a vulnerability/exposure was first discovered. If a number of Board members could use their databases to send me their list of problems that were discovered in the last six months - since April 29, the date of the draft CVE - then this will enable us to do a number of things: 1) Generate CVE candidates for all publicly known vulnerabilities or exposures in the last 6 months, producing a "master" Six Month List. (Only a handful of candidates have been assigned that are more recent than the draft CVE). 2) We could then get some *real* community-wide metrics, e.g. how many problems really were discovered in that period. (Any predictions? I say about 270). 3) CVE-compatible databases could map to the Six Month List and thereby identify their own gaps, a la the Interoperability Demo, but on a much larger scale. 4) The Six Month List could provide some fertile ground for academic research and other follow-on activities. With a number of Board members providing their Top 100 list and/or Six Month list, we could have CVE reflect the most important remaining issues, as well as the most recent. I look forward to the new submissions. - Steve