[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVEPRI] Future Directions for CVE



All,

Now that CVE has reached the 1000 entry milestone and MITRE is
(mostly) done with the conference circuit for the next few months,
here is a high level description of the next activities we will be
undertaking.

1) There will be several changes in Board membership, such as a number
   of new members, "substitutions" of existing members with others in
   their organization, and a "semi-formal" list of roles and
   responsibilities that will become the basis for evaluating how
   members are contributing to the CVE Initiative.  We are also
   working on establishing a set of vendor liaisons - individuals that
   aren't on the Editorial Board, but who could give technical
   feedback on vulnerabilities in their own products.

2) Our next big focus will be on educating the public - and vendors -
   about CVE compatibility.  We will finalize the compatibility
   requirements, establish a process for reviewing compatibility, and
   offer specialized logos for those that "pass" the review process.

3) We have begun to actively ask some organizations to include
   candidate numbers in their advisories.  The current focus is on
   established organizations or individuals who work with vendors
   before disclosure.  We will continue to provide candidates to
   others who ask us to provide them (note that Rain Forest Puppy
   recommends this approach in his latest vulnerability disclosure
   policy at http://www.wiretrip.net/rfp/policy.html, though we have
   only received one request since it was updated last week).  The
   concept and use of "diligence levels" will be re-examined as this
   occurs.

4) The upcoming "vulnerability summit" on November 3rd may have an
   impact on the role of CVE in vulnerability disclosure.  (See
   http://www.vulnerabilitysummit.org).  I will keep you informed.

5) Several changes to CVE content are upcoming.  (a) A new
   "maintenance" version of CVE will be released in the next few
   weeks.  It will mostly add references to some entries.  The Board
   will be given time to review the proposed changes.  (b) A new
   approach to content decisions will be finalized, and candidates
   that are affected by CD's will be accepted as official entries.
   (c) The content team continues to process the legacy submissions
   that were sent in by various Board members over the summer.  Many
   of those submissions are in the refinement phase, which is the last
   phase before candidates are created.

6) The backlog of "recent" candidates will be cleared in the next
   month as we recover from our efforts on the new web site and the
   conferences.

7) We have been investigating an approach for satisfying both sides of
   the "quality of CVE" camp.  Some Board members advocate only having
   highly-reviewed and reliable entries at the expense of time; others
   want CVE entries as fast as possible at the expense of noise.  The
   approach could also make the voting process faster and easier, but
   we need to develop it a little more before proposing it to the
   Board.

8) Pete Tasker and Margie Zuk have been actively working behind the
   scenes to create an "Advisory Council" of government sponsors to
   provide a vehicle for longer-term, continued funding of CVE.
   Council members are at the CIO level of their respective agencies.
   The kickoff meeting happened last week, and it was well received.
   Note that our attempts to get funding through industry have not
   been successful, so the current focus is on government.  There is
   the possibility of non-US government involvement as well.  Note
   that we are trying to structure the council in a way that does not
   allow members to directly dictate the course of CVE.  The Advisory
   Council is still in the early stages.  We will keep you informed of
   its progress.

9) Work on the Common Intrusion Event List (CIEL) continues.  Bill
   Hill and I are wrestling with a number of issues (many of which
   were discussed in previous presentations or emails), but I think
   we're closing in on the guiding principles that are forming the
   creation of the draft CIEL.  Since much of our work is
   example-driven, we will be asking Board members for IDS signature
   databases sometime in the future.

10) We will probably hold a teleconference in early December.  Also,
   the next face-to-face meeting will probably be held at Cisco in
   Austin, Texas sometime in February or March, thanks to Andy
   Balinsky's efforts.

- Steve

 
Page Last Updated: May 22, 2007