Re: Review request: CVE website news article regarding CVE ID number size

["Landfield, Kent B" <kent.b.landfield@intel.com>]

I have no issues with it but you might want to run it by the affected community, the CNAs. I am sure they would appreciate this being posted to the cna list and getting the opportunity to provide potential feedback.

 

---

Kent Landfield

+1.817.637.8026

 

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Adinolfi, Daniel R" <dadinolfi@mitre.org>
Date: Tuesday, January 24, 2017 at 3:53 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Review request: CVE website news article regarding CVE ID number size

 

Greetings,

 

We would like to include the following in our News section of the CVE website. We have received a few bits of feedback asking about the larger CVE numbers this year.

 

We would appreciate your feedback on this article before we publish it.

 

Thanks.

 

-Dan

_________________________

Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Communications and CNA Coordinator

Email: <dadinolfi@mitre.org>  Phone: 781-271-5774

_____

 

Some CVE users have noticed a change in the value of the CVE ID numbers being assigned in the beginning of 2017. At the time of this news posting, newly requested CVE ID assignments are being assigned numbers in the 5000 range (CVE-2017-5xxx). This is much higher than in previous years. There are two primary reasons for this change.

 

In 2016, the number of vendors and organizations acting as <a href="" href="http://cve.mitre.org/cve/cna.html">http://cve.mitre.org/cve/cna.html">CVE Numbering Authorities (CNAs)</a> increased significantly. CNAs can reserve a block of CVE IDs to use when assigning CVE IDs to vulnerabilities in products within their scope. Since the number of CNAs increased, the number of CVE IDs that were reserved also increased.

 

Also, many of these CNAs allocated larger blocks than in previous years. These larger blocks should cover all their CVE ID assignment needs for 2017. In the past, CNAs were given smaller blocks of CVE IDs at a time. To help with improving automation and efficiency of CVE ID assignment for CNAs, the MITRE CVE team has allowed CNAs to reserve larger blocks. The size of these reservations is made based on the reasonable expectation of MITRE and the CNAs as to how many CVE IDs they will realistically need in the next year.

 

These larger reservations do not indicate any expectation on the part of CNAs that the number of vulnerabilities they expect to assign will increase compared to previous years. Instead, it is part of the growth and maturing of the CNA program, making CVE assignment faster and more efficient for CNAs.

 

If you have questions about CVE ID reservation policies or would like more information on becoming a CNA, please contact CVE through the CVE Request form at <a href="" href="https://cveform.mitre.org/">https://cveform.mitre.org/">https://cveform.mitre.org/</a>.