MITRE supplied official CVE List data files



Yeah, let's talk about this. This is not a website issue. This is a script issue that converts the corpus into downloadable files. These are the files people download and we are giving them bad information today. We will have to have a means for folks to download the CVE list...

We've identified this as a problem, Kent. Our plan is to fix these things as we roll out the new website. It's not that we like it, but rather that we only have the cycles to fix it once. So your concerns are our concerns; I want to make that clear. However, instead of going through hundreds of web pages, and scrubbing them for issues like these, we are instead going to use any appropriate existing material (in addition to developing new material) based on the information architecture of the new website. Anything that doesn't meet the cut will not be on the new website. What you point out below is a subset of crap that won't make the cut.

Our reasoning for taking this approach is simply that the outdated material exists now, and while suboptimal, it hasn't caused that big of a problem. Therefore, we can focus on other priorities and fix these problems in the way that I previously described.

Happy to discuss further if necessary.

C

I am a bit surprised at the condition of the official files the CVE Program makes available to the world.

The top of the files all state the following:

CVE version: 20061101

Candidates must be reviewed and accepted by the CVE Editorial Board
before they can be added to the official CVE list. Therefore, these
candidates may be modified or even rejected in the future. They are
provided for use by individuals who have a need for an early numbering
scheme for items that have not been fully reviewed by the Editorial

???? There is no such thing. The CAN selection process was terminated in 2006 (??I think??) and all CANs were transformed into CVEs. The Community was instructed not to use CAN for any CVEs in the field and we were asked to convert all existing CANs into CVEs in our products.

Yet today on our official CVE https://cve.mitre.org/data/downloads/index.html feed page, our downloads look like the history of the world. My votes and things done at the inception of the program, that have nothing to do with the official CVEs are still there? Why?

And why are all records in recent years listed as Candidate?

Name: CVE-2020-23237

** RESERVED ** This candidate has been reserved by an organization or
individual that will use it when announcing a new security problem.
When the candidate has been publicized, the details for this candidate
will be provided.

This needs to be discussed. This really looks rather dumb as this is our official face to the world, and we can't even update our feeds to remove process changes that occurred 15 years ago.

I now realize why most vendors and users use the NVD for CVE download information.

I request we be given the stats for the numbers of downloads that actually occur from the CVE download page.

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Спасибо!, Bedankt, Danke!, ありがとう, धन्यवाद!
