Very much agree. At least part of that discussion: https://github.com/CVEProject/quality-workgroup/issues/12

- Art

On 2024-06-14 13:43, MZ MegaZone wrote:
> I will say that, for now, CPE should not be part of this. There are
> major issues with CPE in CVE Records which are currently under
> discussion in the QWG, and elsewhere. Very fundamental issues including
> just what it means when CPEs are included – are those vulnerable?
> Fixed? Something else? It is already clear the current schema has
> major shortcomings in this regard and different CNAs have very good
> reasons for taking different approaches. I’d go as far as to say right
> now the CPEs in a CVE record are not usable as there is no way to know
> what the meaning behind them is.
>
> I know that, as a CNA, this has paused our work in implementing CPEs
> completely until there is clarity and, IMHO, likely schema changes. I
> don’t think it would be fair to CNAs to apply pressure on CPE until the
> program has worked out the issues currently being discussed.
>
> I’d like to be part of the discussion, but I have an existing standing
> meeting Thursdays at noon eastern.
>
> *MegaZone (aka MZ)* (he/him) | Principal Security Engineer – F5 SIRT
> D 978-513-4171 M 432-363-4296
> GIAC Certified Incident Handler (GCIH)
> <https://www.credly.com/badges/2240af1e-c3be-413b-a174-b942a792986f/public_url>
> GIAC Certified Forensic Analyst (GCFA)
> <https://www.credly.com/badges/a94e4bc4-2c8a-43e6-b57d-40da7ec72963/public_url>
> GIAC Network Forensic Analyst (GNFA)
> <https://www.credly.com/badges/2656b1e3-9903-4312-a62c-3bf401f0238e/public_url>
> GIAC Cyber Threat Intelligence (GCTI)
> <https://www.credly.com/badges/9018085d-dabb-4993-acc8-08cee895b74b/public_url>
> Security Incident Response Team
>
> *From:* Alec J Summers <asumm...@mitre.org>
> *Sent:* Thursday, June 13, 2024 14:57
> *To:* CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
> *Subject:* Working Session: CVE Enrichment Metrics Publication
>
> CVE Board Members,
>
> I hope you are all well!
>
> Earlier today, the TWG discussed having the CVE Program publish metrics
> and recognition for CNA data enrichment adoption. For the last month or
> so, the Secretariat has been pulling data on a bi-weekly basis to track
> which CNAs are providing CVSS, CWE, and CPE information in their CVE
> Records. These data pulls track how often CNAs are providing this
> information across the previous 365-day, 4-week, and 2-week time
> periods. Spreadsheets have been shared with the Board via email, and the
> next one will be coming Monday.
>
> We’d like to establish a working session to plan:
>
> 1. What to include on such a metrics/recognition webpage
> 2. The requirements for, and how to label/name the recognition
>    for CNAs that are doing CVE Record enrichment as part of their
>    disclosure process.
>
> I have tentatively scheduled a working session for 12pm ET on Thursday,
> June 20. We can reschedule, if necessary. Please let me know if you
> would like to participate.
>
> Cheers,
> Alec
>
> --
> *Alec J. Summers*
> Cyber Security Engineer, Principal
> Group Lead, Cybersecurity Operations and Integration
> Center for Securing the Homeland (CSH)
> *MITRE - Solving Problems for a Safer World™*