
RE: Proposed Working group and workshop



I think we need to consider how any Strategy WG output will be aligned or used to inform DHS funding and program direction. I guess that means I'm signing up.



Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Landfield, Kent B
Sent: Friday, August 26, 2016 5:05:23 PM
To: Kurt Seifried; Williams, Ken
CC: cve-editorial-board-list
Subject: Re: Proposed Working group and workshop

Looks like you are indicating you are interested as well? ;-) This will be a great question to discuss during the WG calls. I see a strategic direction question there on approaches to issuance. …

- --

Kent Landfield

+1.817.637.8026

From: Kurt Seifried
Date: Friday, August 26, 2016 at 11:02 AM
To: "Williams, Ken"
CC: Kent Landfield, cve-editorial-board-list
Subject: Re: Proposed Working group and workshop

Stupid Question but why are we being so stingy with CVEs? We should be handing them out like candy, and putting the "important" ones into the database (and accepting well formed database submissions from all).

My only concern with the DWF right now is the SLA (so that we measure and do the right thing), and then automating all of this.

On Fri, Aug 26, 2016 at 9:14 AM, Williams, Ken <Ken.Williams@ca.com> wrote:

I definitely want to participate. Comprehensive coverage of all vulnerabilities by CVE is a goal worth considering.

Regards,
Ken Williams

Vulnerability Response Director, Product Vulnerability Response Team

CA Technologies | 520 Madison Avenue, 22nd Floor, New York, NY 10022

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent B
Sent: Friday, August 26, 2016 7:30 AM
To:cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject:FW: Proposed Working group and workshop

All,

First, a little history. Six months ago, CVE was in a very different place from where it is today. There was a lot of frustration all around. Security researchers had all but given up on working with CVE to get the IDs they needed to tag the vulnerabilities they discovered. Competing efforts seemed imminent. Board members' frustration had become very apparent. Negative articles were being published about the management of CVE, while MITRE was doing things behind the scenes to improve the CVE process that were not obvious to anyone else.

Fast forward 6 months… In that time we have had reasonable success.

Successes since March 1:

1)Regular Board Meeting Calls

2) New Charter developed and about to be voted on

3)Federated Proof of Concept with DWF conceived and successfully started

4)CVE ID Request changes with automation aspects (new web request page)

5) New CVE Counting document

6) Multiple CNAs trained and added

7)MITRE communication plan for introducing public CVE process changes

8) First issuance of CVE IDs in the 1,000,000 range

9)New Board member and old ones resigning

10)Newly proposed Terms of Use to include support for Description contributions

11)CNA List created for all those actually acting as a CNA

12)CNA Governance and Rules document to be released next week to the Board

We have changed our risk averse approach to CVE to one of “We are not afraid to fail. We will evolve.”

We have refocused Board membership on people with a passion for advancing CVE rather than for any particular organization, and those organizations are now reflected on the website.

We have taken the time to change the CNA architecture from the hub and spoke model to a federated model. The DWF “proof of concept” is operational and from all apparent perspectives, successful. While there is a lot to do, it is obvious the federated CVE CNA model is here to stay.

So, what do we want CVE to look like in 3 - 5 years? How do we plan to get there?

Today I am proposing that we create a working group to try to address some of these questions. This is a working group identified in the Charter. Rather than wait weeks to get started until the Charter is approved, I propose we create the WG as an ad hoc working group now and "officially anoint" it once the Charter is approved.

The purpose of the working group is to create the overall CVE strategy, identify where it is we want to go, assure we identify what is needed to create a generic new ‘root’ CNA, (get our terminology consistent), and then start addressing a tactical plan to get there. There are lots of questions we need to address. It is envisioned we will be using the CNA Rules document as one of the more foundational documents to describe the overall effort, governance and coordination processes.

I would like to ask who would like to participate? I have talked with a few of you and there seemed to be interest in the past. I will let MITRE work the mechanics of getting things set up. They get paid to do those types of things for the Board. ;-) Chris offered. ;)

Time to have the real foundational conversations needed in order to lay the groundwork for the future of CVE, its expanded coverage and capabilities.

Thanks.

- --

Kent Landfield

+1.817.637.8026



- -

- -
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:
secalert@redhat.com


Page Last Updated or Reviewed: August 29, 2016