On Tue, Mar 1, 2022 at 4:19 PM Alec J Summers <[email protected]> wrote:
> Kurt,
>
> Thanks for your note and patience in my reply.
>
> 1. what happens to the data once submitted? I assume some private work
>    queue at MITRE?
>    1. Yes, for our new web submission form’s initial operating
>       capability, the entries live in a CWE/CAPEC team private queue. Our
>       first goal was primarily to simplify the process for users seeking to
>       suggest new entries for us. This is preferable to someone filling out
>       the entire .txt form, which we request community members not to do
>       before ensuring their suggestion is a) in scope and b) warrants an
>       entirely new entry. Relatedly, we outline in our submission guidelines
>       some of the most common problems with integrating content suggestions
>       into CWE (direct link to that section here:
>       https://cwe.mitre.org/community/submissions/guidelines.html#common_problems
>
> 2. how do I track stuff I submit? Is there a URL I can check?
>    1. Not yet. The team is working on a solution for that. For the rapid
>       expansion of the HW content, the team used SharePoint with a tracking
>       spreadsheet, but we want to move beyond that into a more collaborative
>       and transparent space. This is an ongoing concern, and we are giving it
>       high priority. For example, many hardware submissions have larger
>       issues that require consultation with the HW SIG.
>
> 1. how many requests are in the queue currently?
>    1. We are not tracking submissions in a way that allows us to easily
>       generate metrics, as that requires metadata that we have not yet
>       formalized. We currently have about 10 [software+hardware] "complete"
>       submissions - that is, submissions that have all the requested fields.
>       We also have about 10 hardware and 20 software "bare-bones"
>       submissions - which usually are barely more than a description and a
>       reference. Almost all complete submissions have problems related to
>       scope or lack of a clear weakness. Almost all bare-bones submissions
>       require extensive analysis and original research. We JUST launched the
>       web submission form and we have thus far received 1 community
>       suggestion through it.

It sounds like this part would especially benefit from being done in public
so more people can participate and flesh these entries out. Especially if
they get some credit for it (e.g. a credits section in the CWE for who helped
create/write it).

> 1. can we make this more public so people don't submit duplicates,
>    or if there are similar ones already in the works we can see it?
>    1. Yes, that is our plan. We hope that the overall quality of
>       submissions will be improved by public review in the early stages.
>
> Best,
>
> Alec
>
> --
>
> *Alec J. Summers*
>
> Cyber Solutions Innovation Center
>
> Group Leader, Software Assurance Research & Practice
>
> Cyber Security Engineer, Lead
>
> O: (781) 271-6970
>
> C: (781) 496-8426
>
> *––––––––––––––––––––––––––––––––––––*
>
> *MITRE - Solving Problems for a Safer World*
>
> *From: *Kurt Seifried <[email protected]>
> *Date: *Monday, February 28, 2022 at 11:32 AM
> *To: *CWE CAPEC Board <[email protected]>
> *Subject: *Question about https://cwesubmission.mitre.org/
>
> I have some questions about https://cwesubmission.mitre.org/
>
> 1) what happens to the data once submitted? I assume some private work
> queue at MITRE?
>
> 2) how do I track stuff I submit? Is there a URL I can check?
>
> 3) how many requests are in the queue currently?
>
> 4) can we make this more public so people don't submit duplicates, or if
> there are similar ones already in the works we can see it?
>
> Thanks
>
> --
>
> Kurt Seifried (He/Him)
> [email protected]
>

--
Kurt Seifried (He/Him)
[email protected]
