[CVEPRI] Planned CVE activities for this summer
If everything goes as planned, this summer will be a very busy one for
the CVE Initiative.
We are about to follow up on a number of topics discussed at the last
face-to-face Board meeting. Below is a list of upcoming activities.
1) Various significant issues will be discussed and decided in the
upcoming weeks. I'd like to schedule a teleconference for the week
of June 18 to June 22. Please let me know what days and times you
are available. We will likely be having other teleconferences over
the summer, as there is a lot to be decided.
2) After one final Board member is added, membership will be frozen
until we have finished the changes to the Board that we discussed
at the face-to-face meeting.
3) On Thursday, I'll present a writeup on Board tasks, roles, and
expectations. The Board will review and finalize them over the
next few weeks. I will be sending individual emails to each Board
member regarding the roles and tasks I've observed, then conducting
followup discussions with those members whose level or type of
participation is uncertain. (There are simply too many Board
members to discuss membership with every person at this time, and
many of you have steady participation and clear roles and tasks).
4) At the Black Hat conference on July 11, I will be giving a
presentation on "CVE behind the scenes." Besides covering content
decisions and various thorny issues we've wrestled with over the
years, I will also publicly announce the candidate reservation
capability which has technically been open to the public for a year
now. We would also like to have several more non-MITRE CNA's
(candidate numbering authorities) in place. There are various
issues that need to be considered. Next week, we expect to present
our initial approach to CNA's to the Board.
We also plan to conduct outreach to software vendors this month
with respect to including candidate numbers in their advisories.
After the announcement at Black Hat, we will concentrate on
recruiting established researchers.
These activities will help address the needs of people who would
like CVE candidates sooner rather than later.
5) Since many Board members will probably be at the Black Hat
conference, we could have an informal get-together or dinner. I
think the conference itself would be too "distracting" for a "real"
meeting, so we could make it a casual affair. Let me know if
6) Once the Board's tasks and roles are finalized, we will propose a
method for adding new members. As discussed at the face-to-face
meeting, many members wanted to play a more active role in
evaluating and approving new members. We agree that this is a
useful function for the Board and expect to make some modifications
to the current process.
7) Note that we are delaying the recruitment of up to 12 new Board
members until the tasks, roles, and recruitment process have been
addressed. For those of you who are concerned about the increasing
size of the Board, we should have a much better understanding of
the "right" size and composition after all these discussions. In
addition, I expect that some members will be leaving the Board.
8) When the method for adding new members has been finalized, we will
form the CIEL working group. There are several potential members
who might make significant contributions to CIEL.
9) After the major "Board business" is completed, we will concentrate
on major content issues, including discussing voting requirements
and confidence, adding legacy candidates, addressing limitations of
the current naming scheme, etc.
10) In parallel, we will be restructuring CVE compatibility
requirements and putting the evaluation and approval process in
11) The next face-to-face Board meeting could be held in September.
Over the course of the next month, we will identify potential
sites. While RAID might be an optimal location, unfortunately
most of MITRE's CVE task leaders have scheduling conflicts.
(However, some of us could attend a CIEL working group meeting
before or after RAID.)
The week of September 17th might be best. Please let me know your
availability, or if you would be willing to host the next meeting.