Tuesday, October 6, 2015

CVE Announce - October 7, 2015 (opt-in newsletter from the CVE Web site)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new compatible products, new website features, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is approved by the CVE Editorial Board, which is comprised of leading representatives from the information security community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE Identifiers in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.

 

Comments: cve@mitre.org

 

-------------------------------------------------------

CVE-Announce e-newsletter/October 7, 2015

-------------------------------------------------------

 

Contents:

 

1. Upcoming Changes to CVE

2. 1 Product from Hillstone Networks Now Registered as Officially "CVE-Compatible"

3. Also in this Issue

4. Details/Credits + Subscribing and Unsubscribing

 

 

FEATURE STORY:

 

Upcoming Changes to CVE

 

We would like to take this opportunity to notify the CVE Editorial Board and the community of changes that are coming for CVE.

 

We recognize that there is deep frustration with some aspects of CVE, and that there are areas in need of updating after 16 years of continuous operation. We have been working on a number of things to improve our internal processes and workflow and will start to make visible changes to CVE in the coming weeks and months.

 

The operation and use of CVE has significantly evolved in the last 16 years. While CVE has served the community very well, its current operating model is proving to be unable to keep up with the breadth and volume of CVE requests and subsequent production of final CVE entries.

 

Our intent is to be heavily engaged with the CVE community and users, now and even more so in the future, and to be completely transparent about what we are doing and why. If you believe at any time that we are not meeting those goals, we respectfully request your engagement and feedback telling us where we are falling short so that we can better understand the needs and requirements of the community.

 

CVE EDITORIAL BOARD

 

The CVE Editorial Board was created to define and shape CVE, even before CVE first went public. The Board's operating model and framework have evolved significantly in the years since as the community and requirements have evolved. Today, the community is more dynamic than it was even just a few years ago, and the Board model is in need of a refresh. To that end, Julie Connolly, a new member of the MITRE CVE Team, is taking on the role of liaison from MITRE to the Board.

 

Julie will be putting out an email that will outline what we believe are the objectives for a Board refresh, including responsibilities, membership, and a number of other aspects that have been discussed. Julie will provide more details in her email, and we hope the Board will be very engaged as we seek your suggestions, feedback, and comments to help us refresh, shape, and formalize a number of aspects of the CVE Editorial Board and its operation.

 

CVE NUMBERING AUTHORITIES (CNAs)

 

The CVE CNAs are another aspect of CVE that was instantiated years ago and has proven valuable to the operation of CVE. As with the Board, the operation of and requirements on CNAs have evolved significantly and need to be updated. In particular, as the volume of requests for CVE-IDs continues to increase, the need for, definition of the role of, and successful operation of CNAs become even more critical to CVE and the community.

 

Tiffany Bergeron of the MITRE CVE Team is taking the lead for CNAs, and will be emailing this list to describe requirements and objectives for CNAs and to solicit suggestions, feedback and comments from the Board.

 

Tiffany will be engaging with the Board, and will email to describe the objectives and plans for updating multiple aspects of the CNA relationship and functioning. Our aim is to improve both sides of the operation and reliability of CNAs, to have CNAs evolve to take on a larger role in the creation of CVEs, and to ultimately expand the number of CNAs.

 

CVE ASSIGNMENT (CVE-ID REQUESTS)

 

No single aspect of CVE has been more problematic or engendered more frustration for both the community and for CVE than the process of requesting and assigning CVE-IDs for newly discovered vulnerabilities. We will begin to implement changes in the next few days that will result in reasonable response times and process improvements, and will put in place new feedback mechanisms for requesters. We will be providing documented guidelines for requesting CVE-IDs, including required elements and criteria. Because of the increasing volume of requests, we are planning to push more responsibility for well-constructed and informative requests back onto the requesters, rather than provide individual, educational responses as we sometimes have in the past. We will, of course, always be available to help researchers and disclosers understand what goes into a "good" CVE request, and we will be providing documentation to help both first-time and experienced requesters.

 

Steve Boyle is taking responsibility for this area and will be following up with changes and plans. We are actively seeking additional comments, suggestions, and feedback from the community to help us shape the process, feedback, and utility of CVE-ID requests.

 

MOVING FORWARD

 

MITRE has never, and will never, presume that "we know best" for CVE and its use within the community. The original operating principle of being guided by the Board remains as important as it ever has been in the history of CVE. For our part, we will be working to actively demonstrate more engagement and transparency with the Board and with the community.

 

If you are a Board member, please provide any responses to the CVE Editorial Board Email Discussion List. For others, please send your feedback to cve@mitre.org.

 

Thank you for your advice and engagement to date. We look forward to your comments and input as we move forward with the evolution of CVE.

 

Steve Boyle

MITRE

CVE Project Leader

 

NOTE: The information above was previously posted to the CVE Editorial Board Email Discussion List on September 24, 2015.

 

LINKS:

 

CVE Editorial Board -

https://cve.mitre.org/community/board/index.html

 

CVE Numbering Authorities -

https://cve.mitre.org/cve/cna.html

 

CVE Assignment -

https://cve.mitre.org/cve/request_id.html

 

News page Article -

https://cve.mitre.org/news/index.html#october12015_Upcoming_Changes_to_CVE

 

---------------------------------------------------------------

1 Product from Hillstone Networks Now Registered as Officially "CVE-Compatible"

 

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 148 products to date have been recognized as officially compatible.

 

The following product is now registered as officially "CVE-Compatible":

 

* Hillstone Networks - Next Generation Firewall

 

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. The compatibility process questionnaire will help end users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

 

For additional information about CVE compatibility and to review all products and services listed, visit CVE Compatibility Process and CVE-Compatible Products and Services on the CVE Web site.

 

LINKS:

 

Next Generation Firewall -

https://cve.mitre.org/compatible/questionnaires/167.html

 

CVE Compatibility Process -

https://cve.mitre.org/compatible/process.html

 

CVE-Compatible Products and Services -

https://cve.mitre.org/compatible/compatible.html

 

CVE Compatibility Requirements -

https://cve.mitre.org/compatible/requirements.html

 

Make a Declaration -

https://cve.mitre.org/compatible/make_a_declaration.html

 

News page article -

https://cve.mitre.org/news/index.html#october12015_1_Product_from_Hillstone_Networks_Now_Registered_as_Officially_CVE_Compatible

 

---------------------------------------------------------------

ALSO IN THIS ISSUE:

 

* CVE Mentioned in Article about Vulnerabilities Fixed by Apple's iOS 9 on eWeek

 

* CVE-IDs Used throughout Qualys' July 2015 "Top 10 Vulnerabilities" List

 

* CVE Mentioned in Article about Vulnerabilities in Baby Monitors on SC Magazine

 

Read these stories and more news at https://cve.mitre.org/news.

 

---------------------------------------------------------------

Details/Credits + Subscribing and Unsubscribing

 

Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

 

Copyright 2015, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).

 

For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send an email to cve@mitre.org.
