Re: CVE Response Time
> For the sake of this discussion, time here is measured from the time a
> disclosure is first made (on one of the established and tracked
> information sources) until the time that a CVE id is published and
> generally available.

There are really two different things that can happen:

- issue already has a CVE name because it was allocated by a CNA or by
  request from Mitre in advance. Time is the time between the issue being
  public and the details being filled in on the site. In these cases delays
  are not a big problem as the public and press already have a name they
  can use.

- issue doesn't have a name and needs one. Now there is the time between
  the issue being public and a CVE name being assigned - this is the
  dangerous time when multiple CNAs and Mitre might all allocate a name,
  or the ability for press and reporters to confuse issues. Then the time
  between the name being assigned and the details being on the site, as
  before.

In our experience it's really hard to predict which issues will get
significant public and press attention and which ones will not; it's not
related to the severity or risk of the issues. Many times I've seen Mitre
criticised for having blank descriptions for some weeks for some 'hot'
issue.

My suggestion would be, as hinted previously, to allow descriptions to
have some quick and fast preliminary skeleton, perhaps provided by the
CNA, which gets filled in properly once Mitre has had time to do the
research and analysis. (Perhaps I'm just missing the old CAN->CVE
approach.)

> CVE VULNERABILITY RESPONSE TIME
>
> Please vote:
> Fast = notionally 1-3 days
> Normal = notionally 1-3 weeks
>
>
> Government & Related Information Sources

Fast to allocate a CVE name where one doesn't exist
Normal where one is allocated already

> Vendor Published Information

Normal

> Mailing Lists & VDBs

Fast to allocate a CVE name where one doesn't exist
Normal where one is allocated already

Mark