Work is near done on a set of slides documenting the CVE program approach to container, description, and reference tagging in a CVE record. These slides identify the initial tags to be used in each context along with usage requirements, define the process to be used to add new tags to a specific context, and provide instructions to the AWG on changes that are needed to the CVE record format to support tagging.
The final point that we have been discussing has been around deprecating the use of description tags (e.g., **rejected**) in CVE descriptions starting with the CVE record 5.0 format. This is possible because there are structured fields defined in the CVE 5.0 format for this information that did not exist in the 4.0 format. This was discussed in both the QWG and the SPWG and there is an emerging consensus around making this change.
Note: Description tags will continue to work as they have, unchanged in the CVE record 4.0 format.
Kent Landfield and Dave Waltermire are working to document the last of the tagging issue resolutions discussed during the 8/20 meeting. The QWG chairs plans to share the completed slides with the CVE Board and the SPWG once these changes have been reviewed by the QWG.
During the next QWG call on 9/3, the WG will be considering which next set of topics it will work on.
Regards,
Dave and Jonathan, QWG Chairs