[CVEPRI] Upcoming Editorial Board tasks for CVE content



All:

As we approach the 1-year anniversary of the first Editorial Board
meeting at SANS-Baltimore on May 9, 1999, we will be entering a new
phase of activity for CVE content.  Other MITRE activities continue,
such as communications and Editorial Board recruitment, but they are
not detailed here.

Relatively speaking, things have been quiet in the past two months
since the Editorial Board meeting at AXENT.  At the meeting, we
discussed some near-term activities that I haven't yet started.  As a
result, we didn't achieve the content goals that had been slated for
May 1.  This isn't all bad news, however.  The work we've done at
MITRE behind the scenes should make future activities easier.  And in
April, we finally had more entries than candidates!  (Unfortunately,
that will change very shortly :-) Also, we achieved a milestone when
ISS began to release security advisories that included candidate
numbers, and we received another request for a candidate from a
reliable non-Board member.  Finally, while we didn't achieve the goal
of 700 entries, 644 isn't too bad (CVE version 20000425).

Many of those delayed activities will begin in the course of the next
month or so.  Hopefully we will not miss one of the primary goals of
achieving 1000 entries by September 1.

Here are the new activities that will be undertaken shortly.

0) You've already been witnessing some "cleanup" with respect to
   making final decisions on older candidates.  This activity will
   continue, but much of it will ultimately depend on resolving
   content decisions (see below).

1) An online voting capability is being actively developed.  This
   should make it easier for everyone to vote on candidates, and to
   see other people's comments.  Regular voting Board members have
   reviewed a first draft of a voting ballot, and later drafts will be
   made available to the whole Board for feedback, as the hope is that
   this will make voting easier for members who don't vote regularly.
   The first version will incorporate a number of features that were
   discussed at the Board meeting at AXENT.  The engineering is not
   complete yet, but access will be restricted to Board members.

2) Candidates for all advisories published in 1999 will be created and
   proposed to the Board.  These will include advisories from software
   vendors, security vendors, and response teams.  We are initially
   focusing on advisories because (a) they are often major issues, (b)
   the problem is known to exist because it's acknowledged by the
   vendor, and (c) since they are advisories, we can have a concrete
   measurement of how well CVE is covering these issues.  The Board
   should be able to quickly process these candidates.

3) We wish to obtain copies of Board members' databases in order to
   create the remaining set of legacy candidates.  A subsequent email
   will provide details for this request.  A related effort will be to
   create a "focus group" of participating Board members who will
   actively work toward getting 80% of their products to map to CVE
   names, provided they commit to voting on those issues.

4) There are over 40 content decisions, few of which have been
   approved by the Board.  These CD's are now holding back the
   acceptance of up to 300 candidates.  Discussion with the Editorial
   Board will be re-opened for a few CD's at a time, beginning with
   the ones we discussed at AXENT that *didn't* generate hour-long
   debates :-) The resolution of CD's should allow us to ACCEPT (or
   RECAST) a number of candidates that were proposed to the Board as
   early as June 7, 1999.

5) CVE compatibility requirements will be modified to reflect the
   feedback at AXENT and our own internal review, further discussed
   and refined by the Board, then published on the CVE web site.

6) Modifications to CVE entries will be taking place.  For the most
   part, this involves adding references or making minor changes to
   the description.  In some cases, we will need to REASSESS certain
   entries based on new information and/or CD's.  The process for this
   still needs to be refined, but it will probably be simpler than it
   is for candidates.

7) If there is sufficient demand for MITRE to perform private
   candidate number assignment (i.e. for issues that aren't public but
   will be announced shortly), then we will examine the possibility of
   opening up the process to other Candidate Numbering Authorities
   (CNA's), who will be given the capability to assign candidate
   numbers themselves.  This has been discussed at various times in
   the past, but we are revisiting the issue as a result of recent
   events.

8) We will be making a number of enhancements to the CVE web site to
   make it more usable to "end users" and mappers.  This may require
   making some portions of CMEX publicly available, e.g. which content
   decisions are preventing a candidate from being accepted.  However,
   we will be careful to avoid overlap with existing vulnerability
   databases whenever possible.



REVIEW OF GOALS
---------------

As a reminder, here are the basic goals for CVE content that we
discussed at AXENT.  I've adjusted some numbers and dates as a result
of recent activities.

June 1
------

1) Receive 10 vulnerability databases from Board members, to help
   populate CVE.


July
----

1) Primary Goal: have CVE include a total of 850 entries (i.e. add
   about 200 more entries).

2) Add 500 more legacy candidates.

3) Create candidates for advisories published in 1999/2000.  For those
   candidates not affected by unresolved content decisions, move them
   into the Entry stage, i.e. get them added to the official CVE.
   These candidates will count as part of the 500 in step 2.

4) Discuss and resolve 15 content decisions.



September
---------

1) Primary Goal: achieve 1000 total entries.

2) Add 250 more legacy candidates.

3) Create candidates for all problems announced in 1999 and 2000.

4) Expand CVE to cover 80% of participating tools or databases.

5) Discuss and resolve 15 content decisions.



- Steve

Page Last Updated or Reviewed: May 22, 2007