CVE-Announce e-newsletter/March 27, 2003

cve@mitre.org
Date: Thu Mar 27 2003 - 16:17:12 CST


Welcome to the latest edition of the CVE-Announce e-newsletter. This
email newsletter is designed to bring recent news about CVE, such as
new versions, upcoming conferences, new Web site features, etc. right
to your emailbox. Common Vulnerabilities and Exposures (CVE) is a list
or dictionary that provides common names for publicly known
information security vulnerabilities and exposures. CVE content
results from the collaborative efforts of the CVE Editorial Board,
which is comprised of leading representatives from the information
security community. Details on subscribing (and unsubscribing) to the
email newsletter are at the end.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/March 27, 2003
-------------------------------------------------------

FEATURE STORY:

New User Documentation Added to the CVE Web Site

Four new pages have been added to the CVE Web site to better help our
users understand the processes and procedures involved in managing the
CVE Initiative and maintaining the CVE List and candidates. This new
documentation includes the following pages:

"CVE Candidates Explained" - Describes what a CVE "candidate" is; the
two ways new security issues become candidates; how long it takes for
candidates to become official CVE entries; how candidates are affected
by CVE "content decisions"; and how to find out when new candidates
are added to the CVE site.

"How We Build the CVE List" - Explains that building the CVE List is
divided into three stages: the initial submission stage, the candidate
stage, and the entry stage; discusses deletions in the CVE List and
the candidates; and provides an illustrated example of growth in the
CVE List over time. This page also notes that MITRE is solely
responsible for the submission stage but is dependent on its data
sources for the submissions, and that the CVE Editorial Board shares
the responsibility for the candidate and entry stages though the entry
stage is primarily managed by MITRE as part of normal CVE maintenance.

"Candidate Numbering Authorities" - Includes an introduction to the
candidate reservation process; defines Candidate Numbering Authorities
(CNAs); provides the requirements for being a CNA; describes CNA
tasks; explains the communication requirements from the CNA to MITRE;
defines the role of vendor liaisons; and explains the researcher's
responsibilities in the process.

"CVE Content Decisions" - Explains that there are two major types of
CVE content decisions, Inclusion, which specifies whether a
vulnerability or exposure should go into CVE, and Abstraction, which
specifies at what level of abstraction (i.e., level of detail) a
vulnerability should be described. This page also gives examples of
two of the most commonly used CDs: "CD:SF-LOC: multiple security
flaws in the same executable, but possibly in different lines of
code," and "CD:SF-EXEC: multiple executables exhibiting the same
problem."

Portions of this new information are in direct response to user
feedback and suggestions about the CVE List, the CVE Web site, and the
CVE Initiative in general. Please send comments and suggestions to
cve@mitre.org.

LINKS:

CVE Candidates Explained page -
http://cve.mitre.org/about/candidates.html

How We Build the CVE List page -
http://cve.mitre.org/about/list.html

Candidate Numbering Authorities page -
http://cve.mitre.org/cve/cna.html

CVE Content Decisions page -
http://cve.mitre.org/cve/contentdecisions.html

-------------------------------------------------------------
Also in this issue:

* Network Box Corporation Makes CVE Compatibility Declaration

* Application Security, Inc. Makes CVE Compatibility Declaration

* MandrakeSoft S.A. Makes CVE Compatibility Declaration

* TraceSecurity, Inc. Makes CVE Compatibility Declaration

* CVE to Present Paper at "RSA Conference 2002"

* CVE Included in Article about OVAL in "IEEE Software" Magazine

* CVE Listed in "Business 2.0" Magazine's "Security Technology Web Guide"

* CVE Mentioned in "SPARC Product Directory" News Article about
  Harris' New STAT Scanner Incorporating the FedCIRC Vulnerabilities
  List

* CVE Referenced in "California Computer News Magazine" Article about
  Computer Worm

* CVE Mentioned in "Information Security Magazine" Article about More
  Granular Security Alerts

* CVE Exhibits at MISTI's "InfoSec World 2003"

Read these stories and more news at http://cve.mitre.org/news

-------------------------------------------------------------
Subscribe to "CVE-Data-Update" for Technical Updates

Intended for technical users of CVE such as vulnerability database
maintainers or those who require timely notification of new
candidates, the "CVE-Data-Update" e-newsletter provides subscribers
with reports of new CVE entries and/or candidates and other detailed
technical information regarding CVE. Subscribe now at
http://cve.mitre.org/signup/register.html .

---------------------------------------------------------------
Details + Credits

Managing Editor: Steve Christey, Information Security Technical
Center. Writer: Bob Roberge, Corporate Communications. The MITRE
Corporation (www.mitre.org) maintains CVE and provides impartial
technical guidance to the CVE Editorial Board on all matters related
to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email
message and copy the following text to the BODY of the message
"SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the
message: "SUBSCRIBE CVE-Announce-List".

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.