The Roots of CVE
CVE is the result of ten months' worth of collaborative efforts by MITRE and CVE participants. The board consists of over 15 security-related organizations that include tool vendors, academic institutions, government, and security experts. MITRE Corporation maintains the CVE and serves as the coordinator of the editorial board, providing neutral guidance throughout the CVE development and maintenance process.
MITRE Corporation is a non-profit organization that operates in the public's interest. They address issues of national importance using their engineering and IT expertise to provide effective industry solutions.
CVE began in January 1999 with the publication of a paper by MITRE entitled, "Towards a Common Enumeration of Vulnerabilities," presented at the CERIAS Workshop on Vulnerability Databases.
The CVE draft was developed and circulated for a comment period from February-April 1999. It enumerated 663 vulnerabilities derived from security tools, hacker sites, and security advisories. The CVE Editorial Board was formed in May 1999. The CVE underwent a validation period at the same time the validation process was formalized. CVE Version 1 was released to the general public at the end of September 1999.
CVE Acceptance Phases
According to CVE documentation, security information goes through the following phases as it's being considered for acceptance into CVE.
Discovery - A potential vulnerability or exposure is discovered.
Public Announcement - A public announcement is made about the potential vulnerability/exposure through postings to Bugtraq, newsgroups, security advisories, etc.
Assignment - A Candidate Numbering Authority (CNA) obtains a candidate number from the Chair. A CNA has been approved by the Editorial Board to obtain candidate numbers.
Proposal - A board member (possibly not the original CNA) proposes the potential vulnerability/exposure to the Editorial Board, using the candidate number obtained during Assignment. It then becomes a candidate for CVE acceptance. Members discuss the candidate and vote on it. They may ACCEPT, REJECT, RECAST, have NO OPINION, or say that they are actively REVIEWING the candidate.
Modification - The candidate is discussed by the Editorial Board in light of CVE content decisions. In some cases, it may need to be significantly altered for it to be accepted. The Chair decides on what alterations need to be made, then resubmits the altered candidates to the board for additional voting. Some candidates may skip this phase if they do not need to be modified in any significant way.
Interim Decision - The Chair decides when it is appropriate to determine whether debate about the candidate is complete or has come to a standstill. The Chair assigns an accepted, rejected, or recast vote. The Chair then gives the board a short amount of time to post any final comments or objections.
Final Decision - If the Chair decides that there are not sufficient grounds for changing the vote made in the Interim Decision, the decision becomes final. If the candidate is accepted or recast, the Chair guarantees to all Board members that the candidate shall be placed into CVE, and identifies the CVE name(s) that will be produced.
Publication - If the candidate is accepted or recast, a CVE name (or names) is assigned, and the candidate is added to CVE. It then becomes a CVE entry and is published via the CVE web site. If the candidate is rejected, the Chair notes the reason for rejection.
Deprecation - In some rare cases, the Editorial Board may decide that a CVE entry should no longer remain active in the CVE. For example, the Board may decide to modify the level of abstraction by splitting the entry into lower-level entries, or merging it with others. In such cases, the vulnerability will be annotated with a status of "Deprecated." However, it will not be deleted from CVE.
The CVE Web Site
On the CVE Web site you can find detailed information about:
CVE Introduction
CVE Terminology: Vulnerabilities and Exposures
Using CVE
Frequently Asked Questions
CVE-Compatible Tools & Databases
CVE Related Documents
Editorial Board
Editorial Board Archives
There, you can also search, view, and download copies of the CVE to import into your own database systems. If you're interested in the rationales behind the various content decisions for CVE, you can read the Editorial Board archives, where you'll find a public record of the mailing list used to discuss CVE content issues.