Good morning!

As a reminder, we will be meeting on Thursday at 12:00PM EDT to plan:

  1.  What to include on such a “CNA Enrichment” metrics/recognition webpage
  2.  The requirements for, and how to label/name the recognition for 
CNAs that are doing CVE Record enrichment as part of their disclosure process.

If you would like to join, please let us know. Invites have been sent out to 
all who requested thus far.

Cheers,
Alec

--
Alec J. Summers
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
Center for Securing the Homeland (CSH)
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World™


From: Art Manion <zman...@protonmail.com>
Date: Friday, June 14, 2024 at 7:51 PM
To: MegaZone, MZ <megaz...@f5.com>, Alec J Summers <asumm...@mitre.org>, CVE 
Editorial Board Discussion <cve-editorial-board-list@mitre.org>
Subject: [EXT] Re: Working Session: CVE Enrichment Metrics Publication


Very much agree.



At least part of that discussion: 
https://github.com/CVEProject/quality-workgroup/issues/12



 - Art



On 2024-06-14 13:43, MZ MegaZone wrote:

> I will say that, for now, CPE should not be part of this.  There are

> major issues with CPE in CVE Records which are currently under

> discussion in the QWG, and elsewhere.  Very fundamental issues including

> just what it means when CPEs are included – are those vulnerable?

> Fixed?  Something else?  It is already clear the current schema has

> major shortcomings in this regard and different CNAs have very good

> reasons for taking different approaches.  I’d go as far as to say right

> now the CPEs in a CVE record are not usable as there is no way to know

> what the meaning behind them is.

>

> I know that, as a CNA, this has paused our work in implementing CPEs

> completely until there is clarity and, IMHO, likely schema changes.  I

> don’t think it would be fair to CNAs to apply pressure on CPE until the

> program has worked out the issues currently being discussed.

>

> I’d like to be part of the discussion, but I have an existing standing

> meeting Thursdays at noon eastern.

>

>

>

> *MegaZone (aka MZ) *(he/him) | Principal Security Engineer – F5 SIRT

>

> D 978-513-4171   M 432-363-4296

>

> GIAC Certified Incident Handler (GCIH) <https://www.credly.com/badges/2240af1e-c3be-413b-a174-b942a792986f/public_url>

> GIAC Certified Forensic Analyst (GCFA) <https://www.credly.com/badges/a94e4bc4-2c8a-43e6-b57d-40da7ec72963/public_url>

> GIAC Network Forensic Analyst (GNFA) <https://www.credly.com/badges/2656b1e3-9903-4312-a62c-3bf401f0238e/public_url>

> GIAC Cyber Threat Intelligence (GCTI) <https://www.credly.com/badges/9018085d-dabb-4993-acc8-08cee895b74b/public_url>

> F5 | Security Incident Response Team

>

>

>

> *From:*Alec J Summers <asumm...@mitre.org>

> *Sent:* Thursday, June 13, 2024 14:57

> *To:* CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>

> *Subject:* Working Session: CVE Enrichment Metrics Publication

>

>

>


>

>

>

> CVE Board Members,

>

>

>

> I hope you are all well!

>

>

>

> Earlier today, the TWG discussed having the CVE Program publish metrics

> and recognition for CNA data enrichment adoption. For the last month or

> so, the Secretariat has been pulling data on a bi-weekly basis to track

> which CNAs are providing CVSS, CWE, and CPE information in their CVE

> Records. These data pulls track how often CNAs are providing this

> information across the previous 365-days, 4-week, and 2-week time

> periods. Spreadsheets have been shared with the Board via email, and the

> next one will be coming Monday.

>

>

>

> We’d like to establish a working session to plan:

>

>  1. What to include on such a metrics/recognition webpage

>  2. The requirements for, and how to label/name the recognition

>     for CNAs that are doing CVE Record enrichment as part of their

>     disclosure process.

>

>

>

> I have tentatively scheduled a working session for 12pm ET on Thursday,

> June 20. We can reschedule, if necessary. Please let me know if you

> would like to participate.

>

>

>

> Cheers,

>

> Alec

>

>

>

> --

>

> *Alec J. Summers*

>

> Cyber Security Engineer, Principal

>

> Group Lead, Cybersecurity Operations and Integration

>

> Center for Securing the Homeland (CSH)

>

> /––––––––––––––––––––––––––––––––––––/

>

> */MITRE - Solving Problems for a Safer World™/*

>

>

>



