
Re: [CVEPRI] CVE accuracy, consistency, stability, and timeliness
All,

As I'm at a conference for the rest of this week, I may not have
sufficient time to respond to all the issues that have come up during
this discussion.  Warning: I'm sending this email with less review
than I usually perform for these kinds of discussions, so I apologize
ahead of time for any glaring errors, omissions, or non-neutral
statements.

Briefly, I think that MITRE would be comfortable in avoiding the
"over-analysis" we're doing for CVE and living with the inaccuracy,
but I'd like to be sure we aren't making things much more problematic
for a significant CVE "user base," e.g. tool vendors.  We'll have to
make a decision that inconveniences somebody, so I encourage other
Board members to share their opinions.  And whatever decision is made,
being open about the approach is important so that CVE users can
understand its limitations.

We can spend some time discussing this at next week's teleconference,
whose date and time will be decided in the next day or so.  (So please
let me know your availability if you plan on participating).

With respect to issues that are "held up" by MITRE's deep analysis, we
haven't really tried to keep Board members "in the loop," with the
exception of a few emails I've sent out to the Board at various times
in the past (usually with no response).  But the main reason we didn't
bring up specific problems to the Board was because most of the deeper
analysis involved candidates that are affected by content decisions,
so the candidates wouldn't be accepted until the associated CDs were
agreed to anyway.  We will look into ways of making this more open (a
query for all REVIEWING votes by Steve Christey would be a good start
;-)

Regarding losing the "history" of deep analysis, we could resolve that
problem by including analysis results in the voting record, and/or
further annotate the associated candidates with that analysis.  Some
of that is already covered by my own REVIEWING votes.  For example,
see:

     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0061
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0257

However, voting commentary may not be the best "format" for capturing
all the work and multi-page analyses that may come out of the analysis
process.  For example, see:

     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138

which is clunky at best.

- Steve

Page Last Updated or Reviewed: May 22, 2007