Re: CVE ID Syntax Vote - results and next steps
On Thu, 18 Apr 2013, Kent_Landfield@McAfee.com wrote:
: So what types of things could POTENTIALLY impact CVE in the future? All listed below are potentials only?
: 1. Increased CNAs in the existing US speaking countries
This will no doubt happen. I am also going to start a campaign to yank CNA
status from some vendors who are not following established procedure.
: 2. Potential global expansion with other geo-regions using CVE (global CNAs)
This has potential to significantly increase CVEs, and we would break 10k
quickly. I don't see it breaking 1MIL by any current standard or policy,
even if every single country had 10 CNAs.
: 3. Automated vulnerability identification means.
See previous arguments. I don't consider this valid, despite it being my
primary argument of "how to reach 1mil vulns in a year".
: 4. Expansion to other evolving technologies such as tablet, mobile, etc.
Uh... have you been watching CVE assignments the last few years? Those are
already in the fold. This should be reworked to a significant jump in
Android applications being analyzed for low hanging fruit, which has the
potential to spike it well past 10k, but not into the 1MIL+ mark.
: The CVE format cannot be decided based on the landscape today. There
Then why are we deciding on a new format, based on the landscape today?