[CVEPRI] Progress report on timeliness of CVE

["Steven M. Christey" <coley@linus.mitre.org>]

All,

Following is a brief progress report on what we are doing with respect
to making CVE more timely.

1) I am beginning to perform more "out-of-band" candidate reservation
   for the most serious vulnerabilities, monitoring basic information
   sources on a near-daily basis.  Typically, this means that they
   will show up on the CVE server within a few days of announcement.

2) Candidates are being reserved by more parties.  Most notably, Linux
   vendors are starting to become more involved (thanks in large part
   to Mark Cox' efforts.)

3) I'm more heavily involved in the refinement phase, and I focus on
   more recent issues.  Other content team members continue refinement
   on older issues, plus those that "slip through the cracks" from my
   own refinements.  It will take a few months to really understand
   how effective this new approach is going to be.

4) I have begun to conduct a closer "process review" with those team
   members who do refinement, by consulting with the team member while
   refinement is happening, in addition to the "editor feedback" that
   I've mentioned previously.  Initial results suggest that this will
   help team members to generate content more quickly.  Side-by-side
   consultation has been difficult due to the geographical dispersion
   of team members, who may adopt certain practices that are not as
   efficient as the ones I've developed (and vice versa :-)

5) Candidates are being proposed more often.  Currently, the rate is
   once a month, which is faster than the every-6-weeks average of the
   previous year or so.  I will see if we can improve the frequency
   even more.

The result is that I am about to propose another 300+ candidates, only
a month after the last proposal.  At this stage, we have generated
more candidates than we did in all of 2001.  And the recent timeliness
figures speak for themselves (see below).

- Steve



PROPOSED #cans   0-30d  31-60d  61-90d  90+
-------- -----   -----  -----   -----  ----
20020830   334      98     97     60     79
20020726   147      66      9     51     21
20020611   285      43     58     92     92
20020502   331      49      2    127    153
20020315   237      40     22     62    113
20020131   234      40     13     48    133
20011122    71      46      4      2     19
20011012    84      22      1      0     61
20010912   583       0      1      0    582
20010829    60      14      2     20     24
20010727   127      32     11     31     53
20010524   167      50     70     43      4
20010404    79       9     45     23      2
20010309    83      27     52      4      0
20010214    56      12     29      0     15
20010202   106      21     79      6      0
20001219   111      60     50      1      0
20001129   190      29    113     45      3
20001018    68       3     54     10      1
20000921   127      32     91      4      0
20000803    55      55      0      0      0
20000719    53      53      0      0      0
20000712    98      36     62      0      0
20000615    92      47     45      0      0
20000524    22       0      0      0     22
20000518    37      28      2      0      7
20000426    54      53      1      0      0
20000412    22      21      1      0      0
20000322    58      54      4      0      0
20000223    15      15      0      0      0
20000216    14      14      0      0      0
20000215     1       0      0      1      0
20000208    50      50      0      0      0
20000125    43      43      0      0      0
20000111    43      41      0      1      1
19991222    48      19      6      4     19
19991214    38      20     10      1      7
19991208    50      43      0      0      7