
CVE Automation Working Group (CAWG) Charter

Scope:

The CVE Automation Working Group is focused on identifying and advancing proposals for the collaborative design, development, and deployment of automated capabilities that support the efficient management of the CVE Program. The following goals section lists the current high-level goals of the CAWG. The operating principles section captures the principles that the CAWG applies to any effort. Last, the objectives section lists some of the measurable actions that the CAWG has currently targeted for assignment. All of these lists are subject to change as the CAWG evolves and as new items are identified.

When a proposal is accepted, a CAWG project will be established. A project consists of one or more participants and focuses on a single proposal. Each CAWG project will include a separate charter, where needed, to provide an overview of the effort, define objectives, and describe the scope of activities to be performed by the project. In general, CAWG projects are initiated through a requirements project. Proposals, and the project(s) initiated based on them, should align with the goals, operating principles, and objectives described in this charter.

Goals:

  1. Realize greater efficiency in the creation, ingest, and publication of CVEs
  2. Implement CVE processing and publishing in near-real time
  3. Enable more effective management of CVEs, CNAs, and associated metadata
  4. Develop capabilities that help improve CVE coverage
  5. Make it easier to assign CVE IDs to any and all public vulnerabilities that conform to CNA rules
  6. Improve the quality of CVE data and metadata
  7. Reduce the amount of human intervention needed to publish, consume, and use CVE data
  8. Provide improved transparency throughout the CVE management process
  9. Achieve greater interoperability of CVE tools, repositories, and technologies
  10. Promote seamless integration with other enumerations (e.g. CWE, CAPEC) and internal processes
  11. Reduce the barriers to participation in the CVE Program (e.g., costs, fees, time, effort, and technical expertise)

Operating Principles:

  1. Employ a decentralized approach to CVE management
  2. Use free and open source solutions where possible. Avoid solutions that require proprietary, closed systems; are not plausibly scalable to support program growth; are labor intensive to manage; or are not compatible with the CVE terms of use. Use of open source will provide for:
    • A license to use developed solutions that cannot be revoked
    • Wide availability of developed solutions for use by the CVE community
  3. Promote free and open standards and best practices for automated information exchange. Avoid standards that are not free and not open.
  4. Develop modular code and pluggable capabilities that can be readily reused or extended
  5. Use consistent terminology and naming conventions

Objectives:

  1. Document current roles, responsibilities, workflows, data formats, and protocols
  2. Define CVE user stories/use cases
  3. Design, develop, and deploy automated and enhanced CVE services (ingest, publication, processing)
  4. Design, develop, and deploy software tools for the development and management of CVE content/information
  5. Streamline existing processes and lay a foundation for future processes