[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: procedure for penalizing or revoking CNA status?

Thank you for the comments and suggestions, Art and Brian.

We are actively working on documented rules for CNAs, including conditions and mechanisms for revocation, and will have a document for Board review shortly.

> * vote by the board, requiring a quorum and majority (or more, 2/3 majority?)

This actually get to the heart of a real issue with the Board.  Getting participation and votes has been difficult the last few times we've had reason to do so. There are always the few who participate and attend calls, but there are a lot of people on the Board as has been noted before. Along with the CNA document, we are also actively working on an updated version of "what it means to be a Board member and what is required of you."

Steve

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Art Manion
Sent: Tuesday, September 01, 2015 10:04 PM
To: Christey, Steven M. <coley@mitre.org>; jericho <jericho@attrition.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: procedure for penalizing or revoking CNA status?

>> -----Original Message-----
>> From: jericho [mailto:jericho@attrition.org]
>> Sent: Saturday, August 29, 2015 1:53 AM
>> To: Christey, Steven M. <coley@mitre.org>
>> Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
>> Subject: Re: procedure for penalizing or revoking CNA status?

>> It's been 337 days, and there is no progress on this. Before anyone else
>> on the board starts whining, there have been a series of mails between me
>> and CVE during this time, challenging a specific CNA for violating policy.
>> MITRE has chosen to send one email to the CNA (so they said) and nothing
>> else, without follow-up, without responding to MY follow-up to them when
>> the CNA has continually broken protocol since the initial complaint.
>>
>> I am replying now because a 2nd CNA is clearly not following policy in
>> assignments (specifically related to assignment, nothing else). Since
>> MITRE will not really challenge a CNA after hundreds of mistakes over a
>> near one-year period, I can't assume they will take action on this. Not
>> going to bring up the 2nd CNA, until the first is resolved, who is much
>> more egregious.
>>
>> Thus, I take it to the board for input. We're here to guide and give input
>> to the CVE process, right? I believe that is the purpose of the editorial
>> board, on paper. Personally, I think the purpose stops there as far as
>> MITRE is concerned... on paper.
...

CERT/CC has experienced at least one, possibly two CNAs that do not
assign CVE IDs in a timely or correct manner, per the CVE content
decision/abstraction rules.  We see this when:

1. Researchers ask us for CVE IDs and say that the CNA who should be
assigning -- the vendor of the vulnerable component -- has not assigned
an ID.

2. We're coordinating a disclosure that isn't public yet and the CNA who
should be assigning (vendor) doesn't take action.  Now what?  Do we
assign?  Let disclosure happen and ping MITRE?  We make a judgement call
for each case, and I have informed MITRE about one CNA that we've
observed problems with.

I don't know how much of the board bylaws are written down anywhere, but
maybe we should consider some basic governance/voting procedures.  Even
if we don't right away agree on everything that goes in to decisions to
add/remove CNAs, we could have a procedure along the lines of:

* period of time to present evidence (in support of adding or removing)

* vote by the board, requiring a quorum and majority (or more, 2/3
majority?)

Document the evidence and vote on the mailing list.  Also, it's common
for group members to lose voting privileges (or even membership) due to
lack of participation.

I realize adding more formal rules/bylaws increases the governance
overhead, but it may be necessary to move that direction.  A couple
documents about board membership were circulated in April.  Would an
active board member volunteer to draft something about CNA requirements?


Regards,


 - Art
Page Last Updated or Reviewed: September 14, 2015