[Date Prev][Date Next
][Thread Prev][Thread Next
[TECH] CVE content update
Here is a short update on CVE content.
Over the last half of 2002, we have been following a new process that
streamlines the generation of candidates for "important" issues.
1) More researchers and vendors (especially Linux vendors) are
reserving candidate numbers from MITRE ahead of time.
2) MITRE is conducting more "out-of-band" (priority) assignment for
issues that are not explicitly reserved, but satisfy some vague
definition of "high priority," which generally covers (a) security
advisories for a major product/OS, or (b) an important issue in a
major product, even if it has not been acknowledged by the vendor.
3) The original submission refinement process, as documented heavily
in various CVE papers including the one at
http://cve.mitre.org/docs/docs2002/prog-rpt_06-02/ , has been split
into two separate streams:
- First pass - I perform both matching and refinement on incoming,
recent submission lists, focusing on a list from a particular CVE
source. I concentrate primarily on "easy-to-create" issues as
well as "moderately important" issues. Complex issues might be
deferred for deeper analysis.
- Second pass - the rest of the CVE content team processes the
submissions that are not removed from the first pass. This may
include more complex issues, but it also includes far more
submissions that already match candidates from the First pass,
although they may suggest additional references. As CVE Editor,
I still need to review and approve "second pass" refinements.
Due to several unexpected non-CVE emergencies over recent months, I
have fallen behind a little bit on First pass refinement. CVE content
team members have been steadily creating candidates during Second pass
refinement, but they still need to be edited before being proposed.
However, I have steadily maintained the pace on steps 1 and 2
(reservation and out-of-band assignment), which means that the most
important issues are still being assigned CVE candidates within hours
Shortly, I will be proposing approximately 500 candidates, most of
them from steps 1 and 2 (i.e. already public), and the remainder from
first pass refinement.
I will then be creating a new CVE version.
Second pass refinements will generate another 500 candidates or so,
and those will be proposed within a month, after I have edited them.
The CVE content team is currently discussing additional improvements
to the refinement process.
Finally, the concept of "voting clusters" is becoming untenable as the
number of publicized issues increases, along with our own process
modifications. I will be examining alternate ways of proposing
candidates to Board members and/or supporting alternate methods of