I'm not against posting RBP metrics publicly as long as the RBP has been verified by MITRE/the CNA. We have an instance in our report where a reserved CVE is "public" because someone made a typo on a message board 1.5 years ago.
From: Chris Levendis
To: CVE Editorial Board Discussion
Date: 06/02/2020 02:39 PM
Subject: [EXTERNAL] Posting RBP metrics publicly
Board Colleagues,
As part of the ongoing discussions related to the new CVE Program website, public facing metrics came up. Public facing metrics are those metrics that reflect both the health and production of the program. Such metrics include the total number of CVE entries populated to date, the number of IDs allocated over time frame n, the total number of CNAs, etc. The topic of Reserved but Public (RBP) IDs arose as a metric that could be posted publicly. RBPs are those CVE IDs that exist in the public domain (e.g., in a product advisory or a blog), but have not been populated to the master list. RBP metrics would be posted in a way that is non-CNA specific, and would communicate how many RBPs exist across the CVE Program, and what the ID numbers are.
We want the community to assist the program in locating RBPs because RBPs are bad for the program. Currently, the primary means for locating RBPs is through web scrapers, but also by community members reporting them to the program. We want more RBP hunters (credit Kent Landfield with naming this role) so that we are maximizing the value of all of our available resources. To increase community participation, we want to post public RBP metrics and provide a means by which new RBPs can be reported to the program.
A concern was raised about getting too much community participation before the program is ready for it. Right now, dealing with community RBP reports is manually intensive. While there are partially automated solutions that can be implemented at fairly low cost, those are not in place yet. We would like to start a discussion on list that addresses the following two questions:
1. Should RBP metrics be posted publicly?
2. Should we worry about having an automated solution in place prior to posting the metrics and providing a way for community members to help the program locate RBPs that have been missed?
We appreciate all opinions about this.
Chris Levendis
The MITRE Corporation
(W) 703-983-2801
(C) 703-298-8593