Re: CVE ID Syntax - Seeking Suggestions for Outreach
On 2014-04-02, 13:15, Williams, James K wrote:
> * Post to BugTraq and Full-Disclosure mailing lists.
> * Ask Secunia, PacketStorm, NIST, CERT, DoD, etc. to make special announcements on their sites.
> * Promote at DEFCON and Blackhat.
CERT (CERT/CC) can send mail to our vendor contacts and post on our web
site, probably a blog entry. We can talk to US-CERT about something on
their web site too.
> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Steven M. Christey
> There also seems to be little press interest, as the syntax change is
> probably regarded as "old news."
The news story, unfortunately, would be that CVE is not working, despite
CVE's best efforts.
> * Are there Board members who are willing to announce the change
> and/or post educational material to their customer base? If so,
> what form would be the most useful - PowerPoint slides, a web page,
> newsletter, webinar, etc.?
The ability to reference authoritative material from CVE/MITRE is
important, and I think already well covered here:
http://cve.mitre.org/cve/identifiers/syntaxchange.html
http://cve.mitre.org/cve/identifiers/tech-guidance.html
CERT/CC's announcements would basically point to these references.
> * Would it be effective for us to encourage implementers to announce
> when they have achieved "compliance" with the new syntax, and then
> publicize these vendors? Would this be useful in fostering some
> competitiveness to drive organizations to a resolution?
Or document new syntax errors if/when they occur? As examples for
others to avoid.
> * Are there ways that we can help customers to directly engage with
> their vendors to ensure that the issues are addressed? We have not
> yet directly emphasized customers in our outreach, but they might be
> the most effective in contacting the right people within the vendors
> and getting resolution.
Publish a few test IDs using the new syntax and see what breaks?
Is CVE on track to need the new syntax in 2014? Without
motivation/reason to change, I'd expect continued inertia.
Regards,
- Art