CVE Response Time
Folks,
With the list of information sources (mostly) stabilizing, I would like to ask you all to consider the question of how fast CVE ids need to be produced.
For the sake of this discussion, time here is measured from the time a disclosure is first made (on one of the established and tracked information sources) until the time that a CVE id is published and generally available.
CVE response time is related to a sense of risk or severity. We recognize that, at times, we will have access to information that will cause us to respond faster to some issues rather than others. Still, it would be useful for us to collectively have a sense of expected response time based on nothing other than the source of the information.
As a starting point, I want to suggest that issues can be responded to in a 3-tiered approach:
Fast = notionally 1-3 days
Normal = notionally 1-3 weeks
Slow = notionally, time permitting
There are 2 questions to ask of you.
Q1: Does this tiered response time approach make sense and if not, can you suggest an alternative?
Q2: What should the response time be, based only on the information source?
Please review the list of "must-have" sources and for each, vote for either "fast" or "normal".
If you strongly feel that response time should be decided based on factors other than source, please vote for "normal" for all the sources that follow and explain what factors you feel should be considered to escalate something to a fast response.
Note, sources that are categorized as ignored will be ignored, so there's no point discussing response time. Sources categorized as nice to have will be treated as "slow", since they are only nice to have and not must haves.
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
CVE VULNERABILITY RESPONSE TIME
Please vote:
Fast = notionally 1-3 days
Normal = notionally 1-3 weeks
Government & Related Information Sources
  US-CERT Advisories (aka CERT-CC Advisories)
  US-CERT Vulnerability Notes (CERT-CC)
  US-CERT Bulletins (aka Cyber-Notes)
  CMU/CERT-CC
  DoD IAVAs
Vendor Published Information
  Microsoft
  Red Hat
  Apache
  Apple OS X
  Oracle
  Solaris
  SUSE
  Mandriva
  HP-UX
  AIX
  Cisco IOS
  FreeBSD
  OpenBSD
  NetBSD
  Gentoo (Linux)
  Ubuntu (Linux)
  Adobe
  Mozilla
  Google Chrome
Mailing Lists & VDBs
  Bugtraq
  Full Disclosure
  SecurityFocus
  SecurityTracker
  OSVDB
  oss-security