[CVEPRI] Future Directions for CVE
Now that CVE has reached the 1000-entry milestone and MITRE is
(mostly) done with the conference circuit for the next few months,
here is a high-level description of the next activities we will be
1) There will be several changes in Board membership, such as a number
of new members, "substitutions" of existing members with others in
their organization, and a "semi-formal" list of roles and
responsibilities that will become the basis for evaluating how
members are contributing to the CVE Initiative. We are also
working on establishing a set of vendor liaisons - individuals that
aren't on the Editorial Board, but who could give technical
feedback on vulnerabilities in their own products.
2) Our next big focus will be on educating the public - and vendors -
about CVE compatibility. We will finalize the compatibility
requirements, establish a process for reviewing compatibility, and
offer specialized logos for those that "pass" the review process.
3) We have begun to actively ask some organizations to include
candidate numbers in their advisories. The current focus is on
established organizations or individuals who work with vendors
before disclosure. We will continue to provide candidates to
others who ask us to provide them (note that Rain Forest Puppy
recommends this approach in his latest vulnerability disclosure
policy at http://www.wiretrip.net/rfp/policy.html, though we have
only received one request since it was updated last week). The
concept and use of "diligence levels" will be re-examined as this
4) The upcoming "vulnerability summit" on November 3rd may have an
impact on the role of CVE in vulnerability disclosure. (See
http://www.vulnerabilitysummit.org). I will keep you informed.
5) Several changes to CVE content are upcoming. (a) A new
"maintenance" version of CVE will be released in the next few
weeks. It will mostly add references to some entries. The Board
will be given time to review the proposed changes. (b) A new
approach to content decisions will be finalized, and candidates
that are affected by CDs will be accepted as official entries.
(c) The content team continues to process the legacy submissions
that were sent in by various Board members over the summer. Many
of those submissions are in the refinement phase, which is the last
phase before candidates are created.
6) The backlog of "recent" candidates will be cleared in the next
month as we recover from our efforts on the new web site and the
7) We have been investigating an approach for satisfying both sides of
the "quality of CVE" camp. Some Board members advocate only having
highly-reviewed and reliable entries at the expense of time; others
want CVE entries as fast as possible at the expense of noise. The
approach could also make the voting process faster and easier, but
we need to develop it a little more before proposing it to the
8) Pete Tasker and Margie Zuk have been actively working behind the
scenes to create an "Advisory Council" of government sponsors to
provide a vehicle for longer-term, continued funding of CVE.
Council members are at the CIO level of their respective agencies.
The kickoff meeting happened last week, and it was well received.
Note that our attempts to get funding through industry have not
been successful, so the current focus is on government. There is
the possibility of non-US government involvement as well. Note
that we are trying to structure the council in a way that does not
allow members to directly dictate the course of CVE. The Advisory
Council is still in the early stages. We will keep you informed of
9) Work on the Common Intrusion Event List (CIEL) continues. Bill
Hill and I are wrestling with a number of issues (many of which
were discussed in previous presentations or emails), but I think
we're closing in on the guiding principles that are forming the
creation of the draft CIEL. Since much of our work is
example-driven, we will be asking Board members for IDS signature
databases sometime in the future.
10) We will probably hold a teleconference in early December. Also,
the next face-to-face meeting will probably be held at Cisco in
Austin, Texas sometime in February or March, thanks to Andy