Q1 - What the two biggest realities that need to be understood or recognized when addressing the problem of Global Vulnerability Reporting? These realities can be misperceptions, challenges, end user needs, market forces or any other issue that you think needs to be squarely put on the table prior to crafting solutions to the GVR problem.
The biggest reality is that we do not understand what others are doing. Without this knowledge we cannot seriously discuss a solution to the problem. It is not just my lack of understanding; I would be hard pressed to find anyone on this list that could answer the following off the top of their heads. This is by it's nature a global problem which means the dialog must be globally based. We need to assure all those looking for a solution, truly understand the current landscape and the problems that others have addressed or are encountering. What has worked and what hasn't needs to be understood before we make real progress.
(Note: Feel free to add questions to list and I will make sure they get asked….)
We don't know what we need to in order to answer the question. The question seems to lead the questionnaire that they have more information than they do.
Q2 - What are the two most important goals that need to be achieved by any reasonable GVR solution? If you think there should be different goals in the near term and in the long term, please elaborate.
Globally usable vulnerability identifier that is globally visible so those that need the information, SOC staff, security administrators, incident response, information sharing capabilities, vendor products, etc….can use it to effectively and accurately communicate the appropriate information That is the goal.
We cannot continue to be blind to software vulnerabilities 'developed' in those parts of the world that don't speak the (fill in the blank) language. We need to have a capability similar to the reporting that is done in various individual countries/languages today.
How we get there may be what you were alluding to in the questions (near term vs long term). Until we have a good understanding of the current landscape and needs, we cannot make the leap to a solution.
The Kyoto meeting is to get to that needed level set, or at least a lot closer to one. Once that has been accomplished then I can effectively answer the questions from my perspective. There will be multiple CVE Board members attending this event and participating in the discussions. I am sure those attending will do a reasonable job of communicating what they learn back to the Board. I believe that it would be beneficial to have a conference call after the Summit meeting for that communication to happen and allow the Board members to ask questions in a high bandwidth environment…
From: <Mann>, David Mann <firstname.lastname@example.org>
Date: Monday, November 5, 2012 1:55 PM
To: cve-editorial-board-list <email@example.com>
Subject: Kyoto FIRST Meeting On GVR?