[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
RE: CVE ID Syntax - Seeking Suggestions for Outreach
Agree with Ken and Elizabeth,
We'd be happy to post an announcement as well. Webpage would work...
rgds
- Mike
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Elizabeth Scott
Sent: Wednesday, April 02, 2014 1:20 PM
To: Williams, James K; cve-editorial-board-list (cve-editorial-board-list@lists.mitre.org)
Subject: RE: CVE ID Syntax - Seeking Suggestions for Outreach
We (Microsoft) will be mentioning this in our Post Patch Tuesday Webcast
Thanks,
Elizabeth Scott
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Williams, James K
Sent: Wednesday, April 2, 2014 10:16 AM
To: cve-editorial-board-list (cve-editorial-board-list@lists.mitre.org)
Subject: RE: CVE ID Syntax - Seeking Suggestions for Outreach
Hello,
* Post to BugTraq and Full-Disclosure mailing lists.
* Ask Secunia, PacketStorm, NIST, CERT, DoD, etc to make special announcements on their sites.
* Promote at DEFCON and Blackhat.
Asking implementers to announce compliance achievement is a great idea.
We'd be happy to post an announcement to our customer base. Webpage would be best.
Thanks and regards,
Ken Williams
CA Technologies
Director, Product Vulnerability Response Team Ken.Williams@ca.com
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Steven M. Christey
Sent: Wednesday, April 02, 2014 9:02 AM
To: cve-editorial-board-list@lists.mitre.org
Subject: CVE ID Syntax - Seeking Suggestions for Outreach
All,
In recent months, MITRE has been working on public communications for the CVE ID syntax change. We would like suggestions from the Editorial Board about how to further expand our outreach and educate the public.
1) We published more detailed technical guidance for implementers to
find and address issues related to the syntax change:
http://cve.mitre.org/cve/identifiers/tech-guidance.html
This page includes some extensive testing data so that
implementations can have confidence that they have sufficiently
addressed the ID syntax. For example, we have lists of dozens of
valid identifiers that could indicate parsing issues (such as
CVE-2014-2147483648 for triggering 32-bit representation problems),
and hundreds of invalid identifiers, some of which were drawn
directly from real-world requests to the CVE web site.
2) We have also been gathering contact information for CVE-compatible
vendors, and we expect to email them shortly. However, it's likely
that many of our contacts are from the marketing side of the
organization, so we might not always reach the right technical
people.
3) We continue to periodically remind the public of the syntax change
through the cve-announce mailing list, Twitter, and LinkedIn.
4) We have been making syntax-related code changes to our own web
sites and internal processes. For example,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1012 now
provides a custom page that educates consumers about potential
truncation problems and the ID protection block, and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-a1012
provides more specific error messages when CVE IDs are malformed.
5) We have mentioned or focused on the syntax in talks that we've
given, especially in the last year, and will continue to do so. We
are also considering offering a webinar.
Despite these efforts, there are indications that we are not reaching everybody who needs to handle the change, especially the developers of CVE-compatible or CVE-using products.
There also seems to be little press interest, as the syntax change is probably regarded as "old news."
We would like suggestions from the Board about how we can reach the right people.
For example:
* Are there Board members who are willing to announce the change
and/or post educational material to their customer base? If so,
what form would be the most useful - PowerPoint slides, a web page,
newsletter, webinar, etc.?
* Would it be effective for us to encourage implementers to announce
when they have achieved "compliance" with the new syntax, and then
publicize these vendors? Would this be useful in fostering some
competiveness to drive organizations to a resolution?
* Are there ways that we can help customers to directly engage with
their vendors to ensure that the issues are addressed? We have not
yet directly emphasized customers in our outreach, but they might be
the most effective in contacting the right people within the vendors
and getting resolution.
Any other ideas or suggestions are welcome and encouraged!
If there is sufficient interest or need, we could have another Editorial Board teleconference that is focused on this topic.
Thank you!
- Steve