
Re: Proposed working group and workshop



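It looks like you are indicating you are interested as well? ;-) This would be a great question to discuss on the WG call. I see a strategic direction question about the issuance approach. …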

---

Kent Landfield

+1.817.637.8026

From: Kurt Seifried
Date: Friday, August 26, 2016 at 11:02 AM
To: "Williams, Ken"
Cc: Kent Landfield
Subject: Re: Proposed working group and workshop

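Stupid question, but why are we so tight with CVEs? We should hand them out like candy, and put the “important” ones in the database (and accept database submissions from everyone).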

My only concern with DWF right now is SLAs (so we measure/do the right things) and then automation of it all.

On Fri, Aug 26, 2016 at 9:14 AM, Williams, Ken <ken.williams@ca.com> wrote:

I’d definitely like to participate. Comprehensive CVE coverage of ALL vulnerabilities is a worthwhile goal to consider in such a WG.

Regards,
Ken Williams

Director, Vulnerability Response, Product Vulnerability Response Team

CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kent Landfield
Sent: Friday, August 26, 2016 7:30 AM
To: CVE Editorial Board List <cve-editorial-board-list@lists.mitre.org>
Subject: FW: Proposed working group and workshop

All,

First off, a little history. Six months ago CVE was in a very different place than it is today. There was a lot of frustration around. Security researchers had nearly given up trying to work with CVE to get the IDs needed to label discovered vulnerabilities. Competing efforts seemed on the horizon. Board members’ frustration was becoming extremely apparent. Negative articles were being published about CVE management and while MITRE was doing things behind the scenes to try to improve the CVE processes, it was not apparent to anyone else.

Fast-forward 6 months… During this time, we have had a reasonable amount of success.

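Successes since March 1st:

1) Regular Board calls

2) New Charter developed and about to be voted on

3) Federated proof of concept with DWF conceived and successfully started

4) CVE ID request changes with automation aspects (new web request page)

5) New CVE Counting Document

6) Multiple CNAs trained and added

7) MITRE communications plan describing public CVE process changes

8) First issuance of CVEs in the 1,000,000 range

9) New Board members, and older ones resigning

10) Newly proposed Terms of Use to include support for description contributions

11) CNA list created for all those actually functioning as CNAs

12) CNA governance and rules document to be released to the Board next week

We have changed our risk-averse approach to CVE to one of “We are not afraid to fail. We will evolve.”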

We have refocused our Board membership back on the passionate individuals wishing to advance CVE instead of any specific organization, which is now reflected on the web site.

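We have spent some time changing the CNA architecture from a hub-and-spoke model to a federated model. The DWF “proof of concept” is operational and, from all apparent perspectives, successful. While there is a lot left to do, it is clear that the federated CVE CVA model is here to stay.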

So what do we want CVE to look like in 3-5 years? How do we plan on getting there?

On the Board call today I suggested we create a working group to try to address some of those questions. This is a working group as identified in the Charter. Instead of waiting weeks to get started, I suggested we create the WG as an ad-hoc working group until the Charter is approved and then we can ‘officially anoint’ it.

The purpose of the working group is to create the overall CVE strategy, identify where it is we want to go, assure we identify what is needed to create a generic new ‘root’ CNA, (get our terminology consistent), and then start addressing a tactical plan to get there. There are lots of questions we need to address. It is envisioned we will be using the CNA Rules document as one of the more foundational documents to describe the overall effort, governance and coordination processes.

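I'd like to ask who wants to participate? I have spoken with some of you who seemed interested in the past. I will let MITRE work the mechanics of setting things up. They get paid to do these types of things for the Board. ;-) (Chris offered.)

It is time to have real foundational conversations to lay the groundwork for the future of CVE, with expanded coverage and capabilities.

Thanks.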

---

Kent Landfield

+1.817.637.8026



--
Kurt Seifried - Red Hat - Product Security - Cloud
PGP A90B F995 7350 148F 66bf 7554 160d 4553 5E26 7993
Red Hat Product Security contact:
secalert@redhat.com


Page last updated or reviewed: August 29, 2016