CVE Record Format Audience and Expectations

[ccoffin]

Who are we trying to serve with the CVE Record Format and what data do they expect/want from us?

Other related questions:

• Should we just focus on identifying and cataloging vulnerabilities and anything that doesn't support this core idea is a nice to have/optional?
• Should we expect that our consumers are getting CVE data from other sources (who enrich the data) and not directly from the CVE program? For example, should we worry about remediation and fix info or let the tool vendors and data aggregators add this data later?

[andrewpollock]

I encourage a use-case based approach and I'll offer my suggested use cases:

• programmatic vulnerability detection and remediation
• retroactive aggregate analysis

Should we expect that our consumers are getting CVE data from other sources (who enrich the data) and not directly from the CVE program? For example, should we worry about remediation and fix info or let the tool vendors and data aggregators add this data later?

In my opinion: no. The CVE List should (must?) be able to be directly usable as-is.

[darakian]

Should we expect that our consumers are getting CVE data from other sources (who enrich the data) and not directly from the CVE program? For example, should we worry about remediation and fix info or let the tool vendors and data aggregators add this data later?

I agree with Andrew on the response to this question. Other groups may enrich data for specific use cases and we should be able to learn from those efforts, but it would be a failure of the system to abdicate to other databases in the long term.

Should we just focus on identifying and cataloging vulnerabilities and anything that doesn't support this core idea is a nice to have/optional?

I think we always strive for more. We're in the process of defining what the baseline is right now and that's formative work to be sure, but the end is never the end. As we figure out how to raise the bar we should have our sights set on the next challenge.

[darakian]

I'll add a persona for consideration which I'll dub a Vuln management type person. This person's task is to ingest vulnerability information and ensure that the appropriate parties in their organization/platform/sphere of influence are notified. The basic questions in front of this person are

1. Is the vuln described in the advisory real?
2. Is the vuln described in the advisory in scope with respect to software identification?
3. Is the vuln described in the advisory in scope with respect to software versions?

It is also helpful if the advisory tells you what to do about the advisory, but an implicit base case is always available. Stop using it.
Question 1 is fundamentally a question of truth and I don't believe it can be automated away. Question 2 could be automated away if we can raise the bar on software naming. Question 3 can be automated away if we can raise the bar on version representation.