Re: CVE program priorities
On 12/22/2015 12:55 PM, Boyle, Stephen V. wrote:
> coverage of the software and devices used in the U.S. IT sector.
What is "the U.S. IT sector"? Is "U.S. IT sector" intended to include
devices used in our homes or micro-businesses with firmware developed
abroad, especially if they are connected to the internet, or does this
only cover software and devices used in U.S. enterprises? Also, would
US-based firms using foreign software when they do business abroad be
covered; is that "used in the U.S. IT sector" or not? Whose
responsibility is it (or should it be) to generate identifiers for
software and devices "not used in the U.S. IT sector", but used in or
for U.S. supply chains and used by important partners we collaborate
with, trust and rely upon? Inasmuch as MITRE and its CNAs shoulder the
responsibility of managing identifiers for "the U.S. IT sector", who
should be responsible for international IT sectors?
I'm wondering how much software and how many devices exist that won't be
used somewhere in the U.S. at some point. Does trying to exclude "never
used in the U.S." software and devices really provide a significant
workload relief, worth the effort of sorting and the risk of error? I
ask because it seems a given that manufacturers and software vendors
will try to target everything they have at the U.S. market, due to
economies of scale. The criterion "used in the U.S. IT sector" is
indistinct, and I doubt its usefulness and practicality. Instead,
"products developed by firms or organizations based in the U.S." would
be more clear-cut, and so would be the responsibility. Coverage would be
significantly reduced and more manageable, but consequently it would be
narrow to the point of making the CVE less useful.
Given the conflict between the desire to restrict the workload and the
usefulness of prompt and broad coverage, perhaps it's time to ask other countries or
regions (I mean to include the European Union in this) to be responsible
for their share of produced software and to peer with MITRE using
"Olympic swim lanes" (eh, Olympic as in "a time for laying aside
political and religious differences") that would avoid duplication of
effort and redundant identifiers? Besides directly contacting foreign
organizations, I would think this is worthy of the United Nations'
attention, given its goal of promoting international co-operation, and
given the ubiquitous distribution of software. This sounds idealistic
but the very idea is important. I believe this needs to be stated and
recognized as something desirable, and even needs to be attempted so
that perhaps we'll obtain through compromise an intermediate solution
that works well enough.
Other related "can of worms" thoughts: Can CNAs be foreign nations, or
could foreign nations have the power to designate CNAs, or would it be
preferable that they have their own identifiers? Would it be useful if
they used different letters than 'CVE' but kept the format similar and
recognizable (a Universally Unique Vulnerability ID, UUVID)? Can they
be trusted enough, and what mechanisms could detect misbehavior, and
then work around it or even repair it?
Pascal