
CVE Response Time



Folks,

With the list of information sources (mostly) stabilizing, I would like to ask you all to consider the question of how fast CVE ids need to be produced.

For the sake of this discussion, time here is measured from the time a disclosure is first made (on one of the established and tracked information sources) until the time that a CVE id is published and generally available.

CVE response time is related to a sense of risk or severity. We recognize that, at times, we will have access to information that will cause us to respond faster to some issues rather than others. Still, it would be useful for us to collectively have a sense of expected response time based on nothing other than the source of the information.

As a starting point, I want to suggest that issues can be responded to in a 3 tiered approach:
Fast = notionally 1-3 days
Normal = notionally 1-3 weeks
Slow = notionally, time permitting

There are 2 questions to ask of you.
Q1: Does this tiered response time approach make sense and, if not, can you suggest an alternative?

Q2: What should the response time be, based only on the information source?

Please review the list of "must-have" sources and for each, vote for either "fast" or "normal".

If you strongly feel that response time should be decided based on factors other than source, please vote for "normal" for all the sources that follow and explain what factors you feel should be considered to escalate something to a fast response.

Note, sources that are categorized as ignored will be ignored, so there's no point discussing response time. Sources categorized as nice to have will be treated as "slow", since they are only nice to have and not must-haves.



-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================


CVE VULNERABILITY RESPONSE TIME

Please vote:
Fast = notionally 1-3 days
Normal = notionally 1-3 weeks


Government & Related Information Sources
  US-CERT Advisories (aka CERT-CC Advisories)
  US-CERT Vulnerability Notes (CERT-CC)
  US-CERT Bulletins (aka Cyber-Notes)
  CMU/CERT-CC
  DoD IAVAs

Vendor Published Information
  Microsoft
  RedHat
  Apache
  Apple OSX
  Oracle
  Solaris
  Suse
  Mandriva
  HP-UX
  AIX
  Cisco IOS
  Free BSD
  Open BSD
  Net BSD
  Gentoo (Linux)
  Ubuntu (Linux)
  Adobe
  Mozilla
  Google Chrome

Mailing Lists & VDBs
  Bugtraq
  Full Disclosure
  Security Focus
  Security Tracker
  OSVDB
  Oss-security



Page Last Updated or Reviewed: November 06, 2012