I will say that, for now, CPE should not be part of this.  There are major 
issues with CPE in CVE Records which are currently under discussion in the QWG, 
and elsewhere.  Very fundamental issues including just what it means when CPEs 
are included - are those vulnerable?  Fixed?  Something else?  It is already 
clear the current schema has major shortcomings in this regard and different 
CNAs have very good reasons for taking different approaches.  I'd go as far as 
to say right now the CPEs in a CVE record are not usable as there is no way to 
know what the meaning behind them is.

I know that, as a CNA, this has paused our work in implementing CPEs completely 
until there is clarity and, IMHO, likely schema changes.  I don't think it 
would be fair to CNAs to apply pressure on CPE until the program has worked out 
the issues currently being discussed.

I'd like to be part of the discussion, but I have an existing standing meeting 
Thursdays at noon eastern.

MegaZone (aka MZ) (he/him) | Principal Security Engineer - F5 SIRT
D 978-513-4171   M 432-363-4296
GIAC Certified Incident Handler (GCIH): https://www.credly.com/badges/2240af1e-c3be-413b-a174-b942a792986f/public_url
GIAC Certified Forensic Analyst (GCFA): https://www.credly.com/badges/a94e4bc4-2c8a-43e6-b57d-40da7ec72963/public_url
GIAC Network Forensic Analyst (GNFA): https://www.credly.com/badges/2656b1e3-9903-4312-a62c-3bf401f0238e/public_url
GIAC Cyber Threat Intelligence (GCTI): https://www.credly.com/badges/9018085d-dabb-4993-acc8-08cee895b74b/public_url

From: Alec J Summers <asumm...@mitre.org>
Sent: Thursday, June 13, 2024 14:57
To: CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
Subject: Working Session: CVE Enrichment Metrics Publication

CVE Board Members,

I hope you are all well!

Earlier today, the TWG discussed having the CVE Program publish metrics and 
recognition for CNA data enrichment adoption. For the last month or so, the 
Secretariat has been pulling data on a bi-weekly basis to track which CNAs are 
providing CVSS, CWE, and CPE information in their CVE Records. These data pulls 
track how often CNAs are providing this information across the previous 
365-days, 4-week, and 2-week time periods. Spreadsheets have been shared with 
the Board via email, and the next one will be coming Monday.

We'd like to establish a working session to plan:

  1.  What to include on such a metrics/recognition webpage
  2.  The requirements for, and how to label/name, the recognition for 
CNAs that are doing CVE Record enrichment as part of their disclosure process.

I have tentatively scheduled a working session for 12pm ET on Thursday, June 
20. We can reschedule, if necessary. Please let me know if you would like to 
participate.

Cheers,
Alec

--
Alec J. Summers
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
Center for Securing the Homeland (CSH)
------------------------------------
MITRE - Solving Problems for a Safer World(tm)