As mentioned in the Editorial Board teleconference on Tuesday, we will be actively working to resolve the CVE ID syntax change over the next couple months.
The basic steps will be:
1) MITRE will review existing Board feedback and perform a “down-select” of ID schemes to consider, with no more than 3 options. We intend to do this early next week.
2) After the down-select, we will engage the public to get their feedback on the choices. This will take the form of posts to some security mailing lists, our CVE-Announce mailing list, and direct emails to CNAs and CVE-compatible vendors.
The public feedback period will begin soon after the down-select.
3) After a period of public feedback – probably no less than 2 weeks, possibly more – MITRE will have another round of internal discussions to process the feedback and come up with recommendations.
4) We will then have a formal Editorial Board vote. We have not yet decided on the mechanics of the vote (e.g., whether to select a single scheme and have the Board vote yes/no, or to do something more complex). However, the rule of “one
vote per organization” will apply.
5) After the vote, the final ID scheme will be selected.
Since RSA will be a great opportunity to engage the public and get direct feedback, we might delay the formal vote and final decision until after then. However, we have not decided yet.
We will keep you informed on our progress.