Re: [CVEPRI] Increasing numbers and timeliness of candidates

To: cve-editorial-board-list@lists.mitre.org
Subject: Re: [CVEPRI] Increasing numbers and timeliness of candidates
From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Fri, 3 May 2002 01:27:33 -0400 (EDT)
Delivery-Date: Fri May 3 01:27:48 2002
Sender: owner-cve-editorial-board-list@lists.mitre.org

For reference and further discussion, here are some usable statistics
that show what's been happening.

Column 1 is the date on which the candidates were proposed.

Column 2 is the number of candidates that were proposed on that date.

Column 3 is the number of candidates that had been publicly announced
between 0 and 30 days before they were proposed to the Board.  The
other columns represent other date ranges.


  PROPOSED #cans     0-30   31-60  61-90   90+
  -------- -----     ----   -----  -----   ---
  20000111    43      41      0      1      1
  20000125    43      43      0      0      0
  20000208    50      50      0      0      0
  20000215     1       0      0      1      0
  20000216    14      14      0      0      0
  20000223    15      15      0      0      0
  20000322    58      53      5      0      0
  20000412    22      21      1      0      0
  20000426    54      54      0      0      0
  20000518    37      28      2      0      7
  20000524    22       0      0      0     22
  20000615    92      49     43      0      0
  20000712    98      32     66      0      0
  20000719    53      50      3      0      0
  20000803    55      55      0      0      0
  20000921   127      32     91      4      0
  20001018    68       1     56     10      1
  20001129   190      26    116     45      3
  20001219   111      57     53      1      0
  20010202   106      16     87      2      1
  20010214    56      18     23      0     15
  20010309    83      22     57      4      0
  20010404    79       7     47     23      2
  20010524   167      35     88     40      4
  20010727   127       8     35     31     53
  20010829    60      11      1     23     25
  20010912   583       0      0      0    583
  20011012    84      12      6      5     61
  20011122    71      43      5      4     19
  20020131   234      18     27     53    136
  20020315   237      26     35     62    114
  20020502   331      33     17    120    161


In early 2000, I was clearly focused on handling new issues.

As the volume increased to 100+ CANs (Sep 2000 and on), the 31-60 and
61-90 delays started increasing.

The total number of issues being proposed within 0 and 60 days was
pretty high during the first half of 2001, when we were processing
legacy submissions in addition to handling new submissions; new
submissions were a higher priority.  During Summer 2001, the number of
0-60 day issues dropped dramatically as we focused on the legacy
candidates.

September 2001 is obviously the legacy candidates.  The efforts to get
the legacies out caused a backlog in the more recent candidates.

The remainder of the stats show the impact that that backlog had.  We
started generating many more candidates per month to catch up.  We are
producing at higher rates than we did before, especially in the last 3
months, but the backlog was dragging us down.

Our output has increased dramatically, but we have not been able to
achieve timeliness like we wanted to.  I believe that the bulk of the
backlog is gone, so the numbers should start moving to the left,
although the next few months may still see considerable numbers in the
61-90 and 90+ day range.  However, we are (fortunately) producing
content on a monthly basis that exceeds the current monthly rate of
new vulnerabilities.

- Steve

Prev by Date: Re: Re: [CVEPRI] Increasing numbers and timeliness of candidates
Next by Date: Re: [CVEPRI] Increasing numbers and timeliness of candidates
Prev by thread: Re: Re: [CVEPRI] Increasing numbers and timeliness of candidates
Next by thread: Re: [CVEPRI] Increasing numbers and timeliness of candidates
Index(es):
- Date
- Thread