
Re: Required information for CVE entry submissions



On 9/13/17 11:15 AM, Adinolfi, Daniel R wrote:

> CVEID
>
> PRODUCT, including vendor/project
>
> VERSION, describing what versions are and are not affected
>
> PROBLEMTYPE, a free-form bit of data, though some use CWEs here
>
> REFERENCES, URLs pointing to public information about the
> vulnerability that includes all the information that may be in the
> CVE entry
>
> DESCRIPTION, a human-readable description of the vulnerability
>
> To summarize the proposed changes, the following information would be
> required under the proposals:
>
> CVEID
>
> PRODUCT
>
> VERSION
>
> PROBLEM TYPE
>
> PUBLICATION DATE (of the vulnerability information becoming public;
> or a timeline of specific events related to the vulnerability being
> made public)
>
> ASSIGNING CNA (or chain of assigning CNAs if there is a Sub-CNA under
> a Root doing the assignment)
>
> IMPACT
>
> There is also a proposal to remove REFERENCES from required information
> if all the required information can be included in the description.
> There is a related discussion as to whether the CVE List can include
> vulnerability information not found anywhere else, acting as a first
> publication point. <https://github.com/CVEProject/docs/issues/26>
>
> DESCRIPTION would also become optional, the argument being that all the
> same information would be available in the required fields.
>
> We do not currently have a proposed categorization or taxonomy of
> "IMPACT".

Require DESCRIPTION.  I don't think the other fields are (yet) careful enough 
about capturing "all" the necessary information.

Require REFERENCES.  CVE's mission is primarily identification, not 
publication or disclosure.  Yes, a well-detailed CVE entry could 
possibly contain enough information to act as a primary publication, 
but that's across the scope line for me.  If CVE can be the 
primary/first/only documentation of a vulnerability, we need more 
fields and more effort.

Require ASSIGNING CNA.

Make IMPACT optional; it is very dependent on context and can be
optionally covered in DESCRIPTION.

Also on the call today, there was an important discussion about 
providing better guidance/semantics for what goes in fields.

Regards,

 - Art


Page Last Updated or Reviewed: September 21, 2017