***VOTING RESULTS: EOL Vulnerability Assignment Process***
A majority of the Board membership has voted in favor of the EOL Vulnerability Assignment Process. Because a majority has already been achieved, the voting process has officially ended before the July 14, 2020 deadline.

The EOL Vulnerability Assignment Process will be posted to the CVE Website soon.

Jo Bazar

CVE Team

O-703-983-3699/M-703-727-4021

From: Jo E Bazar
Sent: Wednesday, July 1, 2020 11:20 AM
To: CVE Private Eboard Discussions
Subject: ***VOTING starts today: EOL Vulnerability Assignment Process***

Board Members,

The CVE End of Life Vulnerability Assignment Process is approved by the SPWG and is now ready for CVE Board vote. Please provide your vote on the EOL Vulnerability Assignment Process.

Votes will be accepted starting today, July 1, 2020. The voting period will end COB on July 14, 2020, or when a majority is reached, whichever comes first.

Jo Bazar

CVE Team

O-703-983-3699/M-703-727-4021

During the past couple of CVE Summits, there have been discussions around the end of life vulnerability assignment process that the CVE Program uses. It has not been documented and was not understood outside of MITRE. Shortly after the 2020 CVE Global Summit, the SPWG decided to rectify the situation.

Attached is the EOL process that has been discussed, since the last Summit, in the SPWG, the QWG, in many outside conversations and posted to the CNA list for comments and awareness. The approach taken was to examine a set of potential processes for dealing with reported vulnerabilities in end of life products. After a couple months of discussions, it was decided to reorganize the document focusing on describing the recommended Program's default EOL process. The complete set of initial options was moved to a "Top Level Root EOL Process Considerations" section for future use. In the end, the group agreed on a process extremely close to what has been used by the CVE Program since the Program's inception.

The intent of the document is to provide a complete picture as to how the Program deals with EOL vulnerability reports. It describes not just the process used, but what EOL tagging means as well. The EOL tagging was discussed on multiple QWG meetings. Both the description usage and the JSON tagging were discussed and agreed to as documented here.

Additionally, it was previously discussed that we wanted to create the content for a webpage to be put on the CVE Program website explaining the Program's EOL perspective. The community needs to understand the reality of reported EOL vulnerabilities in regard to the CVE Program's usage. The proposed webpage content is described in Appendix C. If approved, the Secretariat will create and post that page on the public website.

It should be noted that during the course of the EOL Assignment Process development, we discovered multiple issues with the current CNA Rules. The SPWG will begin a complete review of the CNA Rules no later than July 31, 2020. Section 3, Temporary CNA Rules Inconsistency, and associated comments will be removed once the CNA Rules are corrected in the upcoming effort. The section is included to assure there is no confusion in the interim.

The SPWG is making an official recommendation that the attached EOL Vulnerability Assignment Process be approved by the Board for program acceptance. To do so will require a Board vote as requested by the Program.

It is proposed that we have an open discussion on this process until July 1, 2020. At that point a vote will be initiated to decide if the EOL process, as documented, will be approved.

I want to thank all that participated in the discussions, provided edits, improvements, assisted in adjudicating the comments and overall helped us in getting this process documented and transparent for all.

Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Bedankt, Danke!, ありがとう, धन्यवाद!

--

+1.817.637.8026
