[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Summary of CNA Rules review session 7/11



All,

 

On Tuesday, 7/11, we held a conference call to give the CNA community an opportunity to discuss the CNA Rules and suggest any changes they thought would be useful as we enter this year's CNA Rules review period.

 

The CNA Rules review process will make use of the GitHub site for tracking the suggested changes. The current list of suggestions is here:

 

<https://github.com/CVEProject/docs/blob/cna-documents/cna/CNA%20Rules/CNA%20Rules%20Development/Suggested%20Rules%20Changes>

 

Anyone interested in making a suggestion can still add information to that file. The group suggested we make use of the GitHub Issue tracker that is part of GitHub infrastructure, and we will migrate to using the Issue tracker for the second phase of the review process.

 

There was general consensus that the CNA Rules as they are today are working well in general. That said, the discussion pointed out a number of places where more meta-information about the CVE List would be useful, such as better statistics on the total number of CVE IDs assigned, reserved, or rejected. Also, more information about what software is related to what vulnerabilities would be useful (e.g., the "supply chain" problem). Some of this meta-information can be included in JSON-based submissions. Other data would need to be submitted by CNAs and Root CNAs up the chain to the Primary CNA for collation and reporting. Some rules to facilitate all this will be included in the suggestions.

 

No one objected to making the JSON format the preferred method for describing CVE ID entries. A set of guidelines on data formats will be added to the CNA Rules which will include this idea.

 

A number of opportunities for making use of automated tools and processes were suggested, and those suggestions will be passed along to the Automation Working Group.

 

The meeting ended with a discussion of how to change the CNA Rules to reduce the gap in time between when a CVE ID is made public and when the entry is published in the CVE List. Any changes to the CNA Rules would have to be guidelines instead of hard-and-fast deadlines, but having those guidelines will help push processes along within CNA organizations.

 

The next open CNA Rules review session will be 10:30AM ET on 20 July.

 

Thanks.

 

-Dan

_________________________

Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Communications and CNA Coordinator

Email: <dadinolfi@mitre.org>  Phone: 781-271-5774

 

 


Page Last Updated or Reviewed: July 13, 2017