Ok, thanks for the update. That sounds great.

P

On Thu, May 30, 2024 at 9:45 AM Art Manion <zman...@protonmail.com> wrote:
> On 2024-05-30 09:32, Pete Allor wrote:
>
> > Question, how long will access to the CVE database be disabled?
>
> We're having a technical process meeting today, preliminary guess is ~2
> hours to load data and test. But we might have a more confident estimate
> later.
>
> - Art
>
>
> > On Wed, May 29, 2024 at 9:13 PM Kent Landfield <bitwatc...@gmail.com
> > <mailto:bitwatc...@gmail.com>> wrote:
> >
> > On the May 29th Board call, the CISA ADP pilot was discussed.
> > Background information provided during the call allowed the Board to
> > authorize the Strategic Planning Working Group (SPWG) to decide on
> > the status of transitioning the pilot to a production capability for
> > the CVE program. The SPWG met later that afternoon to finalize this
> > decision.
> >
> > In a previous discussion, the SPWG had questions about the
> > performance and impact on CVE services, which needed validation
> > before deciding. Kris Britton and MITRE worked with CISA staff to
> > ensure that CISA ADP updates would not adversely affect CVE
> > operations. It was confirmed during both the Board and SPWG calls
> > that there were no performance issues. From the Secretariat’s
> > perspective, the CISA ADP pilot is ready to transition to the
> > production database.
> >
> > There was also a discussion on how CISA updates would handle
> > Vulnrichment data if the original CNA later updated the record with
> > missing information. The outcome is as follows:
> >
> > *A Note About Updated CVE Entries:*
> >
> > /Since the CISA ADP is committed to encouraging CNAs to “Do The
> > Right Thing” and provide their own CWE, CVSS, and CPE metrics, if a
> > CVE entry is updated to include those metrics after the CISA ADP has
> > made their assessment, the CISA ADP will drop/remove its own
> > assessments from the CVE entry. This approach will reduce duplicate
> > (and conflicting) data within the CVE record. In the rare event that
> > there is a CWE, CVSS, or CPE string provided by the originating CNA
> > and the CISA ADP, this should be treated as an error in the CISA ADP
> > container -- the originating CNA's data should take precedence for
> > any decision making./
> >
> > /In this case, SSVC and KEV data will still be included./
> >
> > The SSVC is for every record, KEV is for CVEs with exploits or POCs
> > available, and Vulnrichment updates are for CVEs that meet specific
> > threat characteristics. Future changes in CISA processing may
> > address discovered issues. CISA expects to be able to have the
> > capability to update all past records. However, the determination
> > to do so will be on a case-by-case basis.
> >
> > *Decision of the SPWG:* *The SPWG decided to move forward with
> > making the CISA ADP pilot a production capability.*
> >
> > Eighteen attendees participated in the SPWG call.
> >
> > The flow of the transition to production is as follows:
> >
> > 1. The Secretariat staff will halt global access to the CVE database.
> > 2. A snapshot of the CVE data will be taken to ensure rollback
> >    capabilities if needed.
> > 3. Access to the CVE database will be enabled only for CISA using
> >    IP filtering.
> > 4. CISA will update the CVE data with SSVC, KEV, and the existing
> >    7000+ Vulnrichment records.
> > 5. When completed, CISA and the Secretariat staff will perform a
> >    cursory examination to ensure proper updates.
> > 6. Once verified, IP filtering will be removed, and CVE Services
> >    will be enabled for all.
> >
> > CISA and MITRE will have a preparation call to ensure readiness,
> > covering credentialing, IP filtering, and execution schedules. Kris
> > Britton is scheduling this call for Thursday.
> >
> > The transition from pilot to production will occur on Tuesday, June
> > 4th, with corresponding updates on the CVE.org website posted that
> > day as well.
> >
> > This is a major milestone for the CVE program. Congratulations to
> > all that made this capability possible.
> >
> > Kent Landfield
> >
> > Chair, CVE SPWG
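The precedence rule quoted in Kent's note (CNA CWE/CVSS/CPE wins over the ADP's, overlap is an error in the ADP container, SSVC and KEV stay regardless) is something a consumer of CVE records has to apply on their side. The following is an added example written for this thread, not code from the CVE program, MITRE or CISA. It assumes the container layout of the CVE JSON 5.1 record format (a "cna" container plus a list of "adp" containers, each with optional "metrics", "problemTypes" and "affected" entries, with SSVC and KEV carried as "other" metrics); the sample record and its CVE id are constructed placeholders.

```python
"""Apply the CNA-over-ADP precedence rule to a CVE record.

Added example (not the CVE program's or CISA's code). Assumes the CVE JSON
5.1 container layout described in the lead-in; SAMPLE_RECORD is constructed.
"""
import copy


def has_cwe(container):
    # CWE lives in problemTypes[].descriptions[].cweId
    return any("cweId" in d
               for pt in container.get("problemTypes", [])
               for d in pt.get("descriptions", []))


def has_cvss(container):
    # CVSS lives under keys such as cvssV3_1 / cvssV4_0 in metrics[]
    return any(any(k.startswith("cvssV") for k in m)
               for m in container.get("metrics", []))


def has_cpe(container):
    # CPE strings live in affected[].cpes
    return any(a.get("cpes") for a in container.get("affected", []))


def find_adp_conflicts(record):
    """List (adp_index, field) pairs where an ADP container duplicates CWE,
    CVSS or CPE data the CNA already supplies. Per the SPWG note these are
    errors in the ADP container and the CNA's values take precedence."""
    cna = record["containers"]["cna"]
    conflicts = []
    for i, adp in enumerate(record["containers"].get("adp", [])):
        for name, check in (("cwe", has_cwe), ("cvss", has_cvss), ("cpe", has_cpe)):
            if check(cna) and check(adp):
                conflicts.append((i, name))
    return conflicts


def resolve_for_decision(record):
    """Return a copy with conflicting ADP CWE/CVSS/CPE data dropped so only
    the CNA's values remain for decision making. 'other' metrics (SSVC, KEV)
    are never touched; ADP data with no CNA counterpart is kept."""
    out = copy.deepcopy(record)
    cna = out["containers"]["cna"]
    for adp in out["containers"].get("adp", []):
        if has_cwe(cna):
            adp.pop("problemTypes", None)
        if has_cpe(cna):
            for a in adp.get("affected", []):
                a.pop("cpes", None)
        if has_cvss(cna):
            adp["metrics"] = [m for m in adp.get("metrics", [])
                              if not any(k.startswith("cvssV") for k in m)]
    return out


def adp_other_types(record):
    """Set of 'other' metric types (ssvc, kev, ...) present in ADP containers."""
    return {m["other"]["type"]
            for adp in record["containers"].get("adp", [])
            for m in adp.get("metrics", []) if "other" in m}


# Constructed sample: the CNA later added CWE and CVSS (but no CPEs) after
# the ADP had already populated all three plus SSVC and KEV.
SAMPLE_RECORD = {
    "dataType": "CVE_RECORD", "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-0000-00000"},  # placeholder id
    "containers": {
        "cna": {
            "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79",
                                                 "description": "CWE-79"}]}],
            "metrics": [{"cvssV3_1": {"baseScore": 6.1,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}],
            "affected": [{"vendor": "ExampleCo", "product": "ExampleApp"}],
        },
        "adp": [{
            "providerMetadata": {"shortName": "CISA-ADP"},
            "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79",
                                                 "description": "CWE-79"}]}],
            "metrics": [
                {"other": {"type": "ssvc", "content": {"options": [{"Exploitation": "none"}]}}},
                {"other": {"type": "kev", "content": {"dateAdded": "2024-01-01"}}},
                {"cvssV3_1": {"baseScore": 7.3,  # conflicts with the CNA's 6.1
                    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}},
            ],
            "affected": [{"vendor": "ExampleCo", "product": "ExampleApp",
                          "cpes": ["cpe:2.3:a:exampleco:exampleapp:*:*:*:*:*:*:*:*"]}],
        }],
    },
}

if __name__ == "__main__":
    print("conflicts:", find_adp_conflicts(SAMPLE_RECORD))
    print("ADP 'other' kept:", adp_other_types(resolve_for_decision(SAMPLE_RECORD)))
```

Running it on the sample flags the CWE and CVSS overlap as ADP-container errors, keeps the ADP's CPE strings (the CNA supplied none), and leaves the SSVC and KEV entries in place, which is the behaviour the note asks downstream consumers to assume until the ADP itself withdraws its assessments.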