Re: CVE Announce - May 11, 2017 (opt-in newsletter from the CVE website)


Re: CVE Announce - May 11, 2017 (opt-in newsletter from the CVE website)

jericho
On Thu, 11 May 2017, CVE wrote:

: Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
: designed to bring recent news about CVE, such as new website features, new CNAs, CVE in

[..]

: -------------------------------------------------------
: CVE-Announce e-newsletter/May 11, 2017
: -------------------------------------------------------
:
: Contents:
:
: 1. IMPORTANT: CVE Will Reject a Group of Unused CVE IDs on May 11

We received warning a day before you planned to do it. It was pushed an
additional day due to NIST's concerns.

But I don't feel it is appropriate giving the rest of the industry a
same-day notification of this. The fact that NIST said "whoa... hang on"
along with some common sense says that this kind of huge influx of CVEs
could potentially break integrations as much as a change in the ID scheme.

In the future, such big events should come with a lot more public warning.

Brian

RE: CVE Announce - May 11, 2017 (opt-in newsletter from the CVE website)

Coffin, Chris
> this kind of huge influx of CVEs could potentially break integrations as much as a change in the ID scheme.

We expect that the number of CVEs produced will grow significantly as we continue to focus on federation and scaling the program. Can you provide some details regarding these integrations and how they might be affected? Also, I'd be curious to know what would be considered a large update. As we move forward and regularly produce more CVEs, the definition of large would probably change as well.

> In the future, such big events should come with a lot more public warning.

We are happy to provide notifications via the CVE web site, Twitter, and LinkedIn channels for large or significant updates. What kind of timeframe were you thinking in regards to a warning?

Chris

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of jericho
Sent: Thursday, May 11, 2017 11:55 PM
To: cve-editorial-board-list <[hidden email]>
Subject: Re: CVE Announce - May 11, 2017 (opt-in newsletter from the CVE website)
Importance: High

On Thu, 11 May 2017, CVE wrote:

: Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
: designed to bring recent news about CVE, such as new website features, new CNAs, CVE in

[..]

: -------------------------------------------------------
: CVE-Announce e-newsletter/May 11, 2017
: -------------------------------------------------------
:
: Contents:
:
: 1. IMPORTANT: CVE Will Reject a Group of Unused CVE IDs on May 11

We received warning a day before you planned to do it. It was pushed an additional day due to NIST's concerns.

But I don't feel it is appropriate giving the rest of the industry a same-day notification of this. The fact that NIST said "whoa... hang on"
along with some common sense says that this kind of huge influx of CVEs could potentially break integrations as much as a change in the ID scheme.

In the future, such big events should come with a lot more public warning.

Brian