
RE: CNA Rules Announcement



Brian,

> Just to be clear, does this mean MITRE has reached out to all of the 
> current CNAs and informed them of the new rules?

Yes... The rules have been sent through all appropriate channels, and 
they are also included in this email thread via the cve-cna-list.

> How should we approach CNAs that are violating these rules, via a 
> long-term string of violations regarding an assignment?

We are trying to create a set of rules and a structure for them that 
works within the overall federated model. The idea is that the Primary 
CNA would be the ultimate authority, and could impose sanctions on any 
lower level CNAs. Similarly, root CNAs could impose sanctions on any 
sub-CNAs underneath them. This structure is discussed in section 1.3 of 
the current document.

> what is the best course of action since contacting them doesn't seem 
> to help?

The rules are obviously brand new and there will likely be some growing 
pains, but we will work these through the CNA channels as they are 
defined in the new rules. If there is failure to communicate regarding 
the new rules going forward, then the CNA(s) within those channels will 
need to decide how to proceed.

As for the specific issue you mention, we discussed this one recently 
and I believe that there are changes in the works (i.e., it shouldn't 
be an issue much longer). 

Chris

-----Original Message-----
From: jericho [mailto:jericho@attrition.org] 
Sent: Friday, October 07, 2016 1:54 PM
To: Coffin, Chris <ccoffin@mitre.org>
Cc: cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>; cve-cna-list 
<cve-cna-list@lists.mitre.org>
Subject: Re: CNA Rules Announcement
Importance: High


Chris,

On Fri, 7 Oct 2016, Coffin, Chris wrote:

: On Monday, October 10th, all CNAs should be assigning CVE IDs based 
: on the new CNA rules listed here:
: 
: <http://cveproject.github.io/docs/cna/CNA%20Rules%20v1.1.docx>

Just to be clear, does this mean MITRE has reached out to all of the 
current CNAs and informed them of the new rules?

: As you use these new rules, please feel free to share any feedback you
: might have with the rest of the CNA community and MITRE. We would like
: to understand what is working and what isn't so that the rules evolve 
: to meet the needs of the program and so that additional guidance and
: training can be developed based on what we collectively learn.  You 
: can share your feedback through the cve-cna-list mailing list or directly 
: to MITRE through the CVE Web Form.

How should we approach CNAs that are violating these rules, via a 
long-term string of violations regarding an assignment? For example, 
IBM has been using CVE-2014-8730 for their products despite the early 
change in the entry from MITRE specifically designating it for F5 
products only. I have contacted IBM half a dozen times over the last 
year or more pointing out examples of this. Their most recent misuse of 
this CVE was on Sep 19 
(http://www-01.ibm.com/support/docview.wss?uid=swg21390112). 
Moving forward, if they continue to misuse 2014-8730, what is the best 
course of action since contacting them doesn't seem to help?

Thanks,

Brian


Page Last Updated or Reviewed: October 10, 2016