[CVEPRI] Recent and upcoming activities
It's been a while since you've heard from us, so I thought I'd give
you a brief summary of some of the major CVE activities.
1) We have almost completed a first pass in processing the legacy
submissions that you provided to us about a year ago.
Approximately 600 new candidates will be produced from this first
pass. Many submissions were related to configuration problems,
which pose challenges for CVE in terms of level of abstraction (do
we assign one candidate or 30?). These will be researched by the
content team in the second pass, then discussed with the Editorial
Board, to determine the best way to handle such issues. Other
submissions have incomplete references or details, and we need to
consult with the source to obtain the proper information. These
submissions and others will be processed in the second pass of
2) More details on the legacy issues will be provided when I finish
editing the results of the content team members who have helped to
refine the legacy submissions. After editing, candidate numbers
will be assigned. The candidates will be placed in clusters and
proposed to the Board. The CAN-1999-XXXX numbering scheme will be
used for all issues discovered in 1999 and earlier. For later
issues, the year of initial announcement will be used (barring some
rare exceptions related to rediscoveries of old issues). This
approach was generally advocated by the Board. The particular
choice is less critical now that it is likely that we will be
changing the entire naming scheme altogether.
3) The creation of candidates for newly discovered security issues has
suffered due to (a) my personal concentration on finishing the
first round of legacy problems with others on the content team, and
(b) the departure of content team member Ramsay Key for grad
school. We do have replacement members who are coming "up to
speed." In addition, the content team members who have been
refining the legacy issues for the last six months will be able to
dedicate more resources to keeping up with new issues - as will I.
4) Recently, we have been discussing the possibility of a face-to-face
meeting sometime in September. However, the timing does not seem
quite right (both for us at MITRE as well as for some Board
members), so we will delay the face-to-face. However, we do expect
to have a teleconference in September.
5) Sometime later this month, I expect to finalize the roles and
responsibilities of the Board, as well as the process for adding
new members. Once that has happened, we will form the CIEL working
group. We believe that Brian Caswell, whom some of you may know
from his work on Snort, will be one of the key MITRE personnel
working on CIEL.
6) While it seems I keep saying this :-) we believe that we will be
finishing the process and requirements for CVE compatibility in the
next few months. Bob Martin leads this task, but the bottleneck
has been me, as I have needed to restructure the requirements. I
expect to be completing that work sometime in the next month or so.
7) Candidate Numbering Authorities (CNAs) have not been forgotten.