
procedure for penalizing or revoking CNA status?



For the rest of the board, there has been an increasing reason to better 
monitor and restrict CVE assignment. Both from researchers requesting them, 
and from CNAs who don't understand CVE or the abstraction process.

If this is unfamiliar to you, you aren't watching CVE closely.

That said, I have had separate conversations off-the-record with CVE about 
this issue, but feel it is time to bring it up formally. There are several 
CNAs who continually assign IDs against current policy, against current 
documented standards. This is the first time that a CVE was issued, and 
rightfully blamed CNA failure for the duplication.

First, I applaud CVE in issuing this description. It helps to show the 
complexity of the project, and using third-parties for assignment.

Second, this is public and visible evidence that some CNAs cannot be 
trusted to do their job. Once or twice, no problem. However, generally 
speaking I know this is a much bigger problem. There needs to be some set 
of guidelines that keeps a CNA in check, and ultimately strips them of 
that duty if they cannot abide by the rules.

If such guidelines are not in place from a CVE standpoint, they need to be 
implemented ASAP. If they exist, they should be shared with the editorial 
board at the least, if not posted publicly so the industry can better help 
regulate this. CVE is a government-funded project, but done for the 
community with *significant* buy-in and effort by the community.


======================================================
Name: CVE-2014-3659
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3659
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20140514
Category:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2014-7169.  Reason:
This candidate is a reservation duplicate of CVE-2014-7169 because the
CNA for this ID did not follow multiple procedures that are intended
to minimize duplicate CVE assignments.  Notes: All CVE users should


Page Last Updated or Reviewed: October 03, 2014