Re: CVE and NVD WAS: Counting on CVEs
: >another issue many in the industry have, that being the extra day or three
: >delay between CVE assignment and CVSS scoring. If CVE had those analysts,
: >they could get a score affiliated with a CVE assignment that much quicker,
: >not have to go through the daily push of data to NVD who then pushes it on
: >to BA.
:
: Two things on this.
:
: First, just my opinion, but I think combining CVE and NVD would be very
: bad for CVE.
:
: CVE operates much further upstream in the vulnerability life-cycle than
: NVD does, as we should expect. The core CVE analytical work is
: assignment of IDs at a reasonably consistent level. We need to do this
: as fast as we can while maintaining enough quality in our descriptions
: to keep the system searchable.
:
: The analytical work done on NVD is related, but different. They focus
: more on affected platforms and CVSS scoring. This is really a second
: phase of analytical work and trying to do that concurrently with CVE
: analysis would only serve to slow down CVE publication - and
: dramatically so.
I disagree. You appear to assume that, in the proposed combining of
resources, a CVE entry could only be pushed with this information. I
did not (mean to) imply that at all. A CVE could be pushed live, and then
a second analysis team could come behind them and add CVSS and CPE
information. This would still save a day in data syncing, and reduce extra
middle management, freeing up money for more analysts.