[CVEPRI] Details for 1/18/01 Editorial Board teleconference
All:
Here are the details for the Editorial Board teleconference. A
verbose agenda is included at the end of this message. There are no
PowerPoint slides.
Date: Thursday, January 18, 2001
Time: 12:30 to 2:30 PM, Eastern Time (5:30 to 7:30 PM GMT)
Call this phone number: 888-456-0352
Enter the passcode: 53744
Meeting leader's name: Margie Zuk
Contact Margaret Dawson (781-271-3611, dawson@mitre.org) if you have
any problems dialing in, or need to reach us during the meeting.
- Steve
Agenda
------
CVE content update
- January 22, 2001 projection (assumes ACCEPT 234 candidates
currently in Interim Decision)
- 1311 entries
- 813 active candidates
- 185 need at least 1 more vote
- 10,095 submissions
- 200+ submissions for new issues will create ~100 new candidates
- ~1400 submissions have been matched
- ~400 submissions are being refined (1999 problems)
- Content team has solidified in recent months
- Barbara Pease, Jeff Taylor, Ramsay Key, Jean-Paul Otin, Dave
Goldberg, Dave Baker
New CVE content goals for MITRE
- Match all legacy submissions by June 15
- Create candidates for all 1999 issues by July 1
- Refine all legacy submissions by December 31
- regular proposals of legacy clusters starting around July
- Create candidates for remaining 2000 issues
- How important is it to create legacy candidates, relative to:
- keeping up with new issues
- increasing focus on CVE compatibility
- improving voting support for the Board
- adding software vendor liaisons
- is 1 year too long to wait?
Board voting status and issues
- lack of voting activity without specific goals
- 38 total non-MITRE Board members as of 1/17/2001
- only 17 have ever voted on RECENT-XX candidates
- of 12 members for 6+ months, 5 voted on less than 50 CAN's
- several members added with specific voting requirement have
never voted
- estimate 5 votes per CAN is needed
- 150+ "recent" CAN's have insufficient votes
- decrease in # of votes per CAN
- increase in NOOP's
- increased noise in resulting CVE entries
- increased raw number of CAN's
- lack of voting consistency in multi-member organizations
- declining use of voting site since initial deployment
- what changes are necessary?
- question of diminishing returns
- handling old CAN's with many NOOPs and insufficient ACCEPTs
- custom ballots/reminders/clusters Real Soon Now (tm)
- question of diminishing returns
- REVIEWING votes to expire by next CVE version
- considering making voting summaries more easily accessible to public
- what should be the minimum number or percentage of votes for
voting Board members? Over what period of time?
- 20% of all CAN's proposed since member's addition?
Content goals for Editorial Board
- number of entries by June, September, December 2001?
- increase in votes per CAN
- sufficient votes for all CAN's older than 2 months?
Confidence levels
- increases "competition" with some databases that already provide
this information
- however, Board generally advocates their use
- voting record can include voters' reasons; users will have to
create their own confidence from voting record, if they want
- plan to propose confidence levels concept outside of CVE context
- still faced with the underlying issue: fast-and-loose CVE, or a
slow-and-valid one? I.e. Should CVE entries describe proven
vulnerabilities, or should they just accurately describe reports
of vulnerabilities?
Entry Deprecation
- we have some duplicate entries in CVE that we need to get rid of
- [REASSESS] phase - DEPRECATE xxx entries
- short review period (try for minimum 8 days?)
- if decision to DEPRECATE
- change description of candidate to say "DEPRECATED"
- state reason for deprecation. If duplicate, identify real
CAN/CVE
- deprecation noted in CVE version difference report
Entry Modification
- [REASSESS] phase - MODIFY xxx entries
- short review period, say 4 days
- modifications go in next CVE version
- modifications noted in CVE version difference report
Candidate Rejection
- We need to REJECT some candidates (mostly duplicates) in CVE
- General process:
- Interim Decision to REJECT - separate notification from "ACCEPT"
- Voting record includes reasons for rejection
- if Final Decision made to REJECT:
- change candidate description to say "REJECTED"
- state reason
- if duplicate, identify real CAN/CVE
- continue to include candidate in downloads
- may want to add a status field for easy filtering
Candidate reservation
- major OS vendors starting to include CAN's in advisories
- developing a process for software vendors to obtain candidates for
announcements/bulletins
- many complex issues
Other brief updates
- CVE compatibility
- Advisory Council
- Vendor liaisons
Face-to-Face meeting at Cisco
- which dates are best?
- full 2 day meeting
- some discussion topics:
- formalizing Board membership, roles and responsibilities,
removal of members, trial memberships
- CVE compatibility
- CIEL progress report
- CVE: fast-and-loose or slow-and-valid
- new directions in content decisions
- candidate reservation issues