First off, a little history. Six months ago CVE was in a very different place than it is today. There was a lot of frustration around. Security researchers had nearly given up trying to work with CVE to get the IDs needed to label discovered vulnerabilities. Competing efforts seemed on the horizon. Board members’ frustration was becoming extremely apparent. Negative articles were being published about CVE management and while MITRE was doing things behind the scenes to try to improve the CVE processes, it was not apparent to anyone else.
Fast-forward 6 months… During this time, we have had a reasonable amount of success.
Successes since March 1:
1) Regular Board Meeting Calls
2) New Charter developed and about to be voted on
3) Federated Proof of Concept with DWF conceived and successfully started
4) CVE ID Request changes with automation aspects (new web request page)
5) New CVE Counting Document
6) Multiple CNAs trained and added
7) MITRE communication plan for introducing public CVE process changes
8) First issuance of CVEs in the 1,000,000 range
9) New Board member and old ones resigning
10) Newly proposed Terms of Use to include support for Description contributions
11) CNA List created for all those actually acting as a CNA
12) CNA Governance and Rules document to be released next week to the Board
We have changed our risk-averse approach to CVE to one of “We are not afraid to fail. We will evolve.”
We have refocused our Board membership back on the passionate individuals wishing to advance CVE instead of any specific organization, which is now reflected on the web site.
We have taken the time to change the CNA architecture from the hub-and-spoke model to a federated model. The DWF “proof of concept” is operational and from all apparent perspectives, successful. While there is a lot to do, it is obvious the federated CVE CNA model is here to stay.
So what do we want CVE to look like in 3-5 years? How do we plan on getting there?
On the Board call today I suggested we create a working group to try to address some of those questions. This is a working group as identified in the Charter. Instead of waiting weeks to get started, I suggested we create the WG as an ad-hoc working group until the Charter is approved and then we can ‘officially anoint’ it.
The purpose of the working group is to create the overall CVE strategy, identify where it is we want to go, assure we identify what is needed to create a generic new ‘root’ CNA (get our terminology consistent), and then start addressing a tactical plan to get there. There are lots of questions we need to address. It is envisioned we will be using the CNA Rules document as one of the more foundational documents to describe the overall effort, governance and coordination processes.
I would like to ask: who would like to participate? I have talked with a few of you and there seemed to be interest in the past. I will let MITRE work the mechanics of getting things set up. They get paid to do those types of things for the Board. ;-) Chris offered. ;)
Time to have the real foundational conversations needed in order to lay the groundwork for the future of CVE, its expanded coverage and capabilities.
Thanks.