I am writing this to capture what came up from a CVE QWG discussion on Best Practices for CVE. @andrewpollock has raised some questions I think fall in the SPWG lane. Quoting Andrew's concerns - here.
These may already be discussed/addressed in SPWG and expected to be part of the newer documentation. But I want to make sure it is documented here and SPWG is aware of these concerns. I am happy to facilitate this discussion as time and resources permit.
What is the intention of a CVE record?
What is the utility of a CVE record that conveys a defaultStatus of
"unknown"?
Who is a CVE record for?
Basically, I'm asking about how fitness for purpose is determined.
More broadly, what is the purpose of the CVE Program (given it's ultimately
a collection of CVE records)
Who are its customers?
What are their needs?
How is the CVE Program's success at meeting their needs being evaluated?
I can refer myself to the CVE Program's mission statement: "Identify,
define, and catalog publicly disclosed cybersecurity vulnerabilities."
This statement doesn't seem to be touching on the "for who?" or "and then
what?" or really, the "why?"