CVE Git Pilot / Phase 1 Summary

["Theall, George A" <gtheall@mitre.org>]

The Automation Working Group launched a pilot last May for sharing CVE JSON data using git, hoping to identify requirements for sending and receiving the data as well as to support automation. The initial proposal was for the pilot to run through August 21^st.. It was decided recently to extend the pilot temporarily, pending discussions and approval of the next stage. What follows summarizes pilot activity during the first phase, from May 15^th through August 21^st, 2017.

 

Number of new CVEs from all sources                          : 4,062

Number of new CVEs originating from pull requests : 728 (17.9%)

 

Pilot participants : MITRE, CERT/CC, DWF, Elastic, Fortinet, Hewlett Packard Enterprise, IBM, JPCERT/CC, Juniper, Oracle, Rapid7, and Trend Micro (13 CNAs)  as well as NIST

 

Total number of pull requests : 79

     Open (ie, pending)                : 4

     Declined / rejected               : 7

     Merged                                   : 68

 

Activity by Participating CNA in Merged pull requests :

  CERT/CC : 4 requests; 7 new CVEs; 2 modified CVEs

  DWF : 7 requests; 98 new CVEs; 9 modified CVEs

  Elastic : 4 requests; 19 new CVEs; 0 modified CVEs

  Fortinet : 3 requests; 12 new CVEs; 0 modified CVEs

  IBM : 32 requests; 165 new CVEs; 1 modified CVE

  JPCERT/CC : 7 requests; 148 new CVEs; 0 modified CVEs

  Juniper : 3 requests; 32 new CVEs; 6 modified CVEs

  Oracle : 4 requests; 244 new CVEs; 13 modified CVEs

  Rapid7 : 4 requests; 3 new CVEs; 2 modified CVEs

 

Attached is a CSV file with summary information about each pull request, for those who might want to dive further into the data. The initial line holds column labels; hopefully they’re self-explanatory.

 

If you have questions or would like further information about the git pilot, please let me know.

 

George

--

gtheall@mitre.org

The MITRE Corporation

 

Attachment: pilot-stats.csv
Description: pilot-stats.csv