CVE Response Time
Folks,

With the list of information sources (mostly) stabilizing, I would like to ask you all to consider the question of how fast CVE ids need to be produced. For the sake of this discussion, time here is measured from the time a disclosure is first made (on one of the established and tracked information sources) until the time that a CVE id is published and generally available.

CVE response time is related to a sense of risk or severity. We recognize that, at times, we will have access to information that will cause us to respond faster to some issues rather than others. Still, it would be useful for us to collectively have a sense of expected response time based on nothing other than the source of the information.

As a starting point, I want to suggest that issues can be responded to in a 3 tiered approach:

Fast = notionally 1-3 days
Normal = notionally 1-3 weeks
Slow = notionally, time permitting

There are 2 questions to ask of you.

Q1: Does this tiered response time approach make sense and if not, can you suggest an alternative?

Q2: What should the response time be based only on the information source? Please review the list of "must-have" sources and for each, vote for either "fast" or "normal". If you strongly feel that response time should be decided based on factors other than source, please vote for "normal" for all the sources that follow and explain what factors you feel should be considered to escalate something to a fast response.

Note, sources that are categorized as ignored will be ignored, so there's no point discussing response time. Sources categorized as nice to have will be treated as "slow", since they are only nice to have and not must haves.
-Dave

==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================

CVE VULNERABILITY RESPONSE TIME

Please vote:
Fast = notionally 1-3 days
Normal = notionally 1-3 weeks

Government & Related Information Sources
US-CERT Advisories (aka CERT-CC Advisories)
US-CERT Vulnerability Notes (CERT-CC)
US-CERT Bulletins (aka Cyber-Notes)
CMU/CERT-CC
DoD IAVAs

Vendor Published Information
Microsoft
RedHat
Apache
Apple OSX
Oracle
Solaris
Suse
Mandriva
HP-UX
AIX
Cisco IOS
Free BSD
Open BSD
Net BSD
Gentoo (Linux)
Ubuntu (Linux)
Adobe
Mozilla
Google Chrome

Mailing Lists & VDBs
Bugtraq
Full Disclosure
Security Focus
Security Tracker
OSVDB
Oss-security