Open Vulnerability and Assessment Language (OVAL)
July 24, 2008

OVAL Definition Lifecycle

There are several stages to the process of creating release versions of OVAL definitions:

1. Initial Submission

Draft definitions and information about how to check for vulnerabilities, configuration issues, and patches are generated by MITRE, or submitted to MITRE by the community via the OVAL Discussion List. An initial review is then conducted by members of MITRE's OVAL Repository team.

2. Rough Draft Definition Production

The OVAL Repository team uses the information from the submissions to create a "Draft Definition" based upon the OVAL Schema format, which is then reviewed by the OVAL Editor. Rough draft definitions may also be submitted to MITRE by OVAL Board members or by members of the community, based upon the definition "Submission Guidelines" and the official OVAL Schema. All drafts are reviewed by the OVAL content team and the OVAL Editor prior to posting for public debate.

3. Rough Draft Discussion and Debate

Rough draft definitions are assigned an OVAL ID number and posted with the status of "Draft" in the OVAL Definitions section of the OVAL Web site. Posted drafts are discussed by the security community and the OVAL Board on the Community Forum. On occasion, the OVAL Board may also discuss issues separately on the Board email list with summaries of those discussions made available on the Community Forum list. This public discussion period will last as long as issues of substance are being debated. Discussions are moderated by the OVAL Editor. Archives of all discussion lists are available on the OVAL Web site.

[Figure: The Stages of an OVAL Definition]

4. Interim Definition Creation

Once discussion about a definition has matured, the OVAL content team will develop an "Interim Definition." This definition will take into account the debate on the Community Forum, Board members' opinions of the Draft Definition, and the results of any evaluations of the draft by Board members or others. The OVAL Editor will review interim definitions before they are posted on the site.

5. Interim Definition Discussion

Definitions with the status of "Interim" will be posted on the OVAL Definition pages. The OVAL Board will then review the Interim Definition, and notification of interim status will also be made on the Community Forum. The interim stage will last for two weeks unless substantive issues are raised that require further discussion, research, or testing. Discussion of these issues will be moderated by the OVAL Editor.

6. "Version 1" Release of an Accepted Definition

Once a definition has passed the interim stage, it will be posted with "Version 1 Accepted Definition" status on the OVAL Definition pages. A summary of the discussion surrounding the creation of the definition and/or a link to archived threads from the Community Forum will also be provided, to give context and credit for contributions.

7. Ongoing Definition Review

All accepted OVAL definitions will remain open for discussion and refinement on the Community Forum and by the OVAL Board. If relevant parts of the OVAL schema change, or as new information about the vulnerability, configuration issue, or patch comes to light, the released version will be marked as "Under Review" and an updated definition will be prepared for interim status and discussion.

Page Last Updated: October 16, 2007

