Re: Kyoto FIRST Meeting On GVR?

[<Kent_Landfield@McAfee.com>]

Q1 - What the two biggest realities that need to be understood or recognized when addressing the problem of Global Vulnerability Reporting?   These realities can be misperceptions, challenges, end user needs,  market forces or any other issue that you think needs to be squarely put on the table prior to crafting solutions to the GVR problem.

The biggest reality is that we do not understand what others are doing. Without this knowledge we cannot seriously discuss a solution to the problem. It is not just my lack of understanding; I would be hard pressed to find anyone on this list that could answer the following off the top of their heads.  This is by it's nature a global problem  which means the dialog must be globally based. We need to assure all those looking for a solution, truly understand the current landscape and the problems that others have addressed or are encountering. What has worked and what hasn't needs to be understood before we make real progress.

1. How is this being done in other parts of the world where the local market has produced regional/national approaches to the problem.
2. How is this formatted / published today?  Or is it?
3. How is the local vulnerability ID used in each of the regions today?
4. What are the authoritative locations for this information if it exists?
5. Does the model in use in your region look similar to an existing vulnerability identification mechanism in use somewhere else?
6. What are the rules in use when deciding what needs to be identified with an ID?
7. Are the proposed entries vetted in anyway? If so, how?
8. Is the focus for the identification system more database focused or dictionary focused?
9. What do you like about your approach? What do you like about other approaches?
10. Do you support zero-day issues or only vulnerabilities previously posted somewhere?
11. Yada, yada, yada….

(Note: Feel free to add questions to list and I will make sure they get asked….)

We don't know what we need to in order to answer the question.  The question seems to lead the questionnaire that they have more information than they do.  

Q2 - What are the two most important goals that need to be achieved by any reasonable GVR solution?  If you think there should be different goals in the near term and in the long term, please elaborate.

Globally usable vulnerability identifier that is globally visible so those that need the information, SOC staff, security administrators, incident response, information sharing capabilities, vendor products, etc….can use it to effectively and accurately communicate the appropriate information  That is the goal.

We cannot continue to be blind to software vulnerabilities 'developed' in those parts of the world that don't speak the (fill in the blank) language.  We need to have a capability similar to the reporting that is done in various individual countries/languages today.  

How we get there may be what you were alluding to in the questions (near term vs long term). Until we have a good understanding of the current landscape and needs, we cannot make the leap to a solution.

The Kyoto meeting is to get to that needed level set, or at least a lot closer to one.  Once that has been accomplished then I can effectively answer the questions from my perspective.  There will be multiple CVE Board members attending this event and participating in the discussions. I am sure those attending will do a reasonable job of communicating what they learn back to the Board.  I believe that it would be beneficial to have a conference call after the Summit meeting for that communication to happen and allow the Board members to ask questions in a high bandwidth environment…

Thanks.   

Kent Landfield

McAfee | An Intel Company
Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com

From: <Mann>, David Mann <damann@mitre.org>
Date: Monday, November 5, 2012 1:55 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Kyoto FIRST Meeting On GVR?

Folks,

In the recent Editorial Board call, we noted that we will be attending the Global Vulnerability Reporting Summit at the FIRST meeting in Kyoto next week.

As much as is possible, we would like to be able to accurately represent the thoughts and concerns of the CVE Editorial Board.

To this end, could you respond to the following 2 open ended questions?

Q1 - What the two biggest realities that need to be understood or recognized when addressing the problem of Global Vulnerability Reporting?   These realities can be misperceptions, challenges, end user needs,  market forces or any other issue that you think needs to be squarely put on the table prior to crafting solutions to the GVR problem.

Q2 - What are the two most important goals that need to be achieved by any reasonable GVR solution?  If you think there should be different goals in the near term and in the long term, please elaborate.

-Dave

==================================================================

David Mann | Principal Infosec Scientist | The MITRE Corporation

------------------------------------------------------------------

e-mail:damann@mitre.org | cell:781.424.6003

==================================================================