All,

Sorry for the delay, these were supposed to go out last week. Attached is the latest marked-up version of the Simplified Counting Rules, as well as the promised very rough version of a new CVE Vulnerability Counting for CNAs document. There is still plenty of work to be done on this new document, but the main focus so far has been to develop the decision trees. The included decision trees are meant to replace the older decision trees found at https://github.com/CVEProject/docs/blob/gh-pages/cna/application-guidance.md. Current thinking is that the introduction of the "independently fixable" concept obsoletes many of the older counting decisions, but we'd be interested to hear others' opinions on this. Also, the inclusion rules actually grew a bit, but these all seem to be fairly straightforward.

The Report Type decision is something that came up during internal discussions and is probably new to everyone. An earlier version of the doc didn't have good coverage for how to count when "independently fixable" resulted in No or Not Sure. The Report Type allows for common reporting cases to be handled in a somewhat uniform way. The idea is to handle the most common reports and the recommended counting action for each. We are definitely interested in hearing others' thoughts on this entire counting decision, as well as the common reports and actions that are defined.

Like I said before, this is a very early version so I am open to any and all feedback. Thanks in advance!

Chris Coffin
The CVE Team
Attachments:
- CVE Counting for CNAs_v0.3_20160725.docx
- CVE Counting - Draft for comment - 2016-07-13_no-markup.docx