[CVEPRI] CVE的未来方向

既然CVE达到了1000个入场的里程碑，而MITER（主要是）在接下来的几个月中已经完成了会议巡回赛，那么这里是对我们将要进行的下一个活动的高级描述。1）董事会成员资格将有几个更改，例如许多新会员，与其组织中的其他成员的“替换”，以及“半正式”角色和职责清单，这些名单将成为评估的基础成员如何为CVE倡议做出贡献。我们还致力于建立一套供应商联络人 - 不在编辑委员会中，但可以对自己产品中的漏洞提供技术反馈。2）我们的下一个重点将是教育公众和供应商有关CVE兼容性的教育。我们将最终确定兼容性要求，建立审查兼容性的过程，并为“通过”审核过程的人提供专门的徽标。3）我们已经开始积极要求一些组织在其咨询中包括候选人号码。当前的重点是在披露之前与供应商合作的既定组织或个人。我们将继续向要求我们提供他们的其他人提供候选人（请注意，Rain Forest Puppy在他的最新脆弱性披露政策中建议这种方法http://www.wiretrip.net/rfp/policy.html，尽管自上周更新以来我们只收到了一个请求）。在这种情况下，将重新检查“勤奋水平”的概念和使用。4）即将举行的11月3日的“脆弱性峰会”可能会影响CVE在脆弱性披露中的作用。（看http://www.vulnerabilitysummit.org）。我会随时向你通报。5）CVE内容的几个更改即将进行。（a）CVE的新“维护”版本将在接下来的几周内发布。它将主要将引用添加到某些条目中。董事会将有时间审查拟议的更改。（b）将最终确定一种新的内容决策方法，受CD影响的候选人将被接受为官方参赛作品。（c）内容团队继续处理夏季各个董事会成员发送的遗产提交。其中许多提交的内容处于改进阶段，这是创建候选人之前的最后阶段。6）“最近”候选人的积压将在下个月清除，因为我们从新网站和会议上的努力中恢复过来。 7) We have been investigating an approach for satisfying both sides of the "quality of CVE" camp. Some Board members advocate only having highly-reviewed and reliable entries at the expense of time; others want CVE entries as fast as possible at the expense of noise. The approach could also make the voting process faster and easier, but we need to develop it a little more before proposing it to the Board. 8) Pete Tasker and Margie Zuk have been actively working behind the scenes to create an "Advisory Council" of government sponsors to provide a vehicle for longer-term, continued funding of CVE. Council members are at the CIO level of their respective agencies. The kickoff meeting happened last week, and it was well received. Note that our attempts to get funding through industry have not been successful, so the current focus is on government. There is the possibility of non-US government involvement as well. Note that we are trying to structure the council in a way that does not allow members to directly dictate the course of CVE. The Advisory Council is still in the early stages. We will keep you informed of its progress. 9) Work on the Common Intrusion Event List (CIEL) continues. Bill Hill and I are wrestling with a number of issues (many of which were discussed in previous presentations or emails), but I think we're closing in on the guiding principles that are forming the creation of the draft CIEL. Since much of our work is example-driven, we will be asking Board members for IDS signature databases sometime in the future. 10) We will probably hold a teleconference in early December. Also, the next face-to-face meeting will probably be held at Cisco in Austin, Texas sometime in February or March, thanks to Andy Balinsky's efforts. - Steve