
SLA concerns for DWG CNAs (and probably other CNAs)



So for existing CNAs under MITRE there aren't a lot of rules around timeliness and disclosure and related areas of operations. Some CNAs are timely, some are slow, some release info, some don't, etc. So first I want to make sure we cover the right areas with SLAs; step 2 will be determining what values to use. So if you think something is missing please let me know!

My main concerns around SLAs are:

1) timely responses to requests
2) correctness of CVEs assigned (SPLIT/MERGE, is it a vuln, covered, etc.)
3) use of CVEs and release of information privately (e.g. for embargoed issues)
4) use of CVEs and release of information for restricted publishing (e.g. for coordinated handling/restricted use) - not a priority for me but something I want to at least consider
5) use of CVEs and release of information for public publishing (e.g. for after the embargo lifts, or for issues that are not embargoed at all)
6) pushing data back to your parent CNA and ultimately to the DWF once the entry is assigned (marked as RESERVED) and once it goes public (PUBLIC) and if it changes (e.g. REJECT/REPLACED_BY, whatever). 

The timelines will be a spectrum, as will the information disclosed/released (e.g. for embargo vs public release). I don't know what the answers/SLAs are yet, but first I want to make sure we cover what the problem space is.

One note: I had considered an SLA around CNA activity, e.g. "you must assign X CVEs per month/year or lose CNA status", but I think that is not a good metric, and could result in messy gaming of the system.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: August 29, 2016