Very much agree.

At least part of that discussion:
https://github.com/CVEProject/quality-workgroup/issues/12

 - Art

On 2024-06-14 13:43, MZ MegaZone wrote:
> I will say that, for now, CPE should not be part of this.  There are
> major issues with CPE in CVE Records which are currently under
> discussion in the QWG, and elsewhere.  Very fundamental issues including
> just what it means when CPEs are included – are those vulnerable? 
> Fixed?  Something else?  It is already clear the current schema has
> major shortcomings in this regard and different CNAs have very good
> reasons for taking different approaches.  I’d go as far as to say right
> now the CPEs in a CVE record are not usable as there is no way to know
> what the meaning behind them is.
> 
> I know that, as a CNA, this has paused our work in implementing CPEs
> completely until there is clarity and, IMHO, likely schema changes.  I
> don’t think it would be fair to CNAs to apply pressure on CPE until the
> program has worked out the issues currently being discussed.
> 
> I’d like to be part of the discussion, but I have an existing standing
> meeting Thursdays at noon eastern.
> 
>  
> 
> *MegaZone (aka MZ) *(he/him) | Principal Security Engineer – F5 SIRT
> 
>  
> 
> *From:*Alec J Summers <asumm...@mitre.org>
> *Sent:* Thursday, June 13, 2024 14:57
> *To:* CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
> *Subject:* Working Session: CVE Enrichment Metrics Publication
> 
>  
> 
> CVE Board Members,
> 
>  
> 
> I hope you are all well!
> 
>  
> 
> Earlier today, the TWG discussed having the CVE Program publish metrics
> and recognition for CNA data enrichment adoption. For the last month or
> so, the Secretariat has been pulling data on a bi-weekly basis to track
> which CNAs are providing CVSS, CWE, and CPE information in their CVE
> Records. These data pulls track how often CNAs are providing this
> information across the previous 365-days, 4-week, and 2-week time
> periods. Spreadsheets have been shared with the Board via email, and the
> next one will be coming Monday.
> 
>  
> 
> We’d like to establish a working session to plan:
> 
>  1. What to include on such a metrics/recognition webpage
>  2. The requirements for, and how to label/name the recognition
>     for CNAs that are doing CVE Record enrichment as part of their
>     disclosure process. 
> 
>  
> 
> I have tentatively scheduled a working session for 12pm ET on Thursday,
> June 20. We can reschedule, if necessary. Please let me know if you
> would like to participate.
> 
>  
> 
> Cheers,
> 
> Alec
> 
>  
> 
> -- 
> 
> *Alec J. Summers*
> 
> Cyber Security Engineer, Principal
> 
> Group Lead, Cybersecurity Operations and Integration
> 
> Center for Securing the Homeland (CSH)
> 
> /––––––––––––––––––––––––––––––––––––/
> 
> */MITRE - Solving Problems for a Safer World™/*
> 
>  
> 
