Jeremy, Thanks for your note. This is a great topic for a larger discussion, I believe. But till then… elements of your email point more directly to CVMAP and questions that perhaps @Turner, Christopher<mailto:christopher.tur...@nist.gov> could answer best.
Cheers,
Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World™

From: Jeremy West <jw...@redhat.com>
Date: Wednesday, July 6, 2022 at 10:55 AM
To: CWE CAPEC Board <cwe-capec-board-list@mitre.org>
Subject: Some questions on expectations of CNAs

Hi Everyone,

I hosted a CWE discussion within Red Hat today and had the following questions asked ... which I don't have answers to. I'm hoping someone else here on the board can point me in the right direction.

How does random sampling work for CWE statistics?

Why are CNAs held accountable for old data (CVEs from 2000) within new audit reports? Are CNAs expected to constantly go back and update old data every time new CWE data becomes available?

Chaining seems to also throw the statistics off. If a CNA only assigns one ID and NVD lists two, then this counts against the CNA. Vice versa also applies. IMHO this doesn't seem to make sense.

Thanks!

--
Jeremy West
Red Hat Product Security
Red Hat Massachusetts<https://www.redhat.com>
314 Littleton Rd
jw...@redhat.com<mailto:jw...@redhat.com>
M: 9192686967<tel:9192686967>
IM: hobbit