|
|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [CVEPRI] Recent and upcoming activities
All, It's been a while since you've heard from us, so I thought I'd give you a brief summary of some of the major CVE activities. 1) We have almost completed a first pass in processing the legacy submissions that you provided to us about a year ago. Approximately 600 new candidates will be produced from this first pass. Many submissions were related to configuration problems, which pose challenges for CVE in terms of level of abstraction (do we assign one candidate or 30?). These will be researched by the content team in the second pass, then discussed with the Editorial Board, to determine the best way to handle such issues. Other submissions have incomplete references or details, and we need to consult with the source to obtain the proper information. These submissions and others will be processed in the second pass of legacy refinement. 2) More details on the legacy issues will be provided when I finish editing the results of the content team members who have helped to refine the legacy submissions. After editing, candidate numbers will be assigned. The candidates will be placed in clusters and proposed to the Board. The CAN-1999-XXXX numbering scheme will be used for all issues discovered in 1999 and earlier. For later issues, the year of initial announcement will be used (barring some rare exceptions related to rediscoveries of old issues). This approach was generally advocated by the Board. The particular choice is less critical now that it is likely that we will be changing the entire naming scheme altogether. 3) The creation of candidates for newly discovered security issues has suffered due to (a) my personal concentration on finishing the first round of legacy problems with others on the content team, and (b) the departure of content team member Ramsay Key for grad school. We do have replacement members who are coming "up to speed." In addition, the content team members who have been refining the legacy issues for the last six months will be able to dedicate more resources to keeping up with new issues - as will I. 4) Recently, we have been discussing the possibility of a face-to-face meeting sometime in September. However, the timing does not seem quite right (both for us at MITRE as well as for some Board members), so we will delay the face-to-face. However, we do expect to have a teleconference in September. 5) Sometime later this month, I expect to finalize the roles and responsibilities of the Board, as well as the process for adding new members. Once that has happened, we will form the CIEL working group. We believe that Brian Caswell, whom some of you may know from his work on Snort, will be one of the key MITRE personnel working on CIEL. 6) While it seems I keep saying this :-) we believe that we will be finishing the process and requirements for CVE compatibility in the next few months. Bob Martin leads this task, but the bottleneck has been me, as I have needed to restructure the requirements. I expect to be completing that work sometime in the next month or so. 7) Candidate Numbering Authorities (CNAs) have not been forgotten. - Steve
|
||||
