[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: On the topic of MITRE/Board transparency

Brian, thank you for bringing this to our attention.  
Chris, thanks for the reply.

As Brian emphasized, this is a very significant issue.  Considering the 
prominence of other current Congressional and TLA investigations that 
involve internet security, this appears to be a momentous issue for CVE.

I do have a few questions, for Mitre and Brian:

1) Why was the board never notified directly by Mitre?  That letter is 
from March 31.

2) Why has Mitre not responded to Congress yet?  The due date was 
2017-04-13 at the latest.

3) When do you anticipate responding to Congress?

4) Has Mitre received anything like this before from any US government 
agency?

5) Brian, can you provide the name of the CNA who brought this to your 
attention, and the circumstances?


Regards,
Ken Williams


> From: owner-cve-editorial-board-list@lists.mitre.org 
> [mailto:owner-cve-
> editorial-board-list@lists.mitre.org] On Behalf Of Coffin, Chris
> Sent: Thursday, May 11, 2017 11:52 AM
> To: jericho <jericho@attrition.org>
> Cc: cve-editorial-board-list 
> <cve-editorial-board-list@lists.mitre.org>
> Subject: RE: On the topic of MITRE/Board transparency
> 
> Brian,
> 
> Congress sent an inquiry to both MITRE and DHS regarding CVE. This
> request is a matter of public record. We assume the responses from 
> both
> MITRE and DHS will also be a matter of public record. MITRE has not 
> yet
> transmitted its response to Congress. Once the response is 
> transmitted,
> should Congress make it public, all members of the general public will
> be able to review it, including any member of the Board.
> 
> More importantly, MITRE looks forward to working with our colleagues 
> to
> sustain the tremendous progress the program has made over the past 15
> months: implementing a federated program structure including a new
> governance and operational model; building upon and improving the CNA
> rules and implementation of them; recruitment of new CNAs; improving
> CVE-in-a-Box artifacts; improving data exchange; expanding
> internationally; and continuing bimonthly collaborative sessions and
> working groups with our Board colleagues, the CNAs, and the greater 
> CVE
> community.
> 
> Thank you for your ongoing feedback and please keep providing it.
> 
> Regards,
> 
> The CVE Team
> 
> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org 
> [mailto:owner-cve-
> editorial-board-list@lists.mitre.org] On Behalf Of jericho
> Sent: Thursday, May 11, 2017 1:55 AM
> To: cve-editorial-board-list 
> <cve-editorial-board-list@lists.mitre.org>
> Subject: On the topic of MITRE/Board transparency
> Importance: High
> 
> MITRE,
> 
> My last mail regarding the Google/robots.txt issue demonstrates that
> MITRE is not as transparent as they should be with the board. This is
> hardly the first time such an issue has come up. Like the "3000+
> rejected" notice we received yesterday, that many had a problem with,
> and NVD spoke up about, there have been previous incidents:
> 
> Very Important Message for the Editorial Board [1]
> 
>     The world has changed significantly since CVE was released in 
> 1999,
> and
>     we are moving out rapidly to satisfy the needs of security
> researchers
>     who need ready access to vulnerability IDs. To that end, MITRE 
> will
>     begin a pilot program to address rapid-response CVE-IDs on Monday,
> 21
>     March 2016. We wish to underscore that this is in no way an 
> attempt
> to
>     circumvent the Editorial Board but is rather an experimental step
>     toward the federated vulnerability ID methodology that the 
> community
>     has been discussing over the past several years. We will work
> closely
>     with the Board to evaluate the results of the pilot and to work
>     together to develop a long-term solution that continues to expand
>     coverage moving forward.
> 
>     Details of the pilot program are provided in the Press Release
> below,
>     which will be published to the CVE-ANNOUNCE email list and to the
> CVE
>     web site later today. It is important to note that this approach 
> was
>     chosen to avoid any conflict with the existing CVE process as it 
> is
>     currently operating, and that the IDs issued under the federated
> scheme
>     during the pilot will not be analyzed and incorporated into the 
> CVE
>     list or feeds. There will be no effect on external operations; all
>     in-scope vulnerabilities will be handled as they are now.
> 
> If we recall, this decision was not brought to the board at all. Once
> the Board learned of it, there was immediate question and criticism 
> [2].
> Only after that did MITRE first say they would like to discuss the
> issue/change with the board [3].
> 
> In that spirit, after showing two times where MITRE was clearly not
> transparent, the first on an annoyance and the second on an industry-
> impacting change, I would like to bring to the Board's attention
> another. This one may be more critical than any we have seen.
> 
> On 2017-04-10, in one of my *many* mails to CVE that are done outside 
> of
> the board list, usually challenging them on breaking their own 
> policies,
> auditing the declining quality of CVE assignments, or similar issues, 
> I
> brought up a 'small' point in one of those emails. The relevant bit 
> can
> be found at the end of this email.
> 
> The important part is that I called MITRE out for what is arguably the
> biggest event in CVE's history as far as "no confidence" and concern
> over the management of CVE. The fact that I had to hear about it from 
> a
> CNA is interesting, as this should have been brought to the board's
> attention immediately by MITRE. When I brought it up in email, I told
> them that i expected a mail to the board with MITRE's statement two 
> days
> later.
> 
> Instead, MITRE opted NOT to bring it to the board's attention. 
> Instead,
> they replied to my very long mail that took over an hour to write,
> detailing numerous examples to back my statements showing that CVE was
> failing to adhere to their own abstraction rules, as well as other
> rules, by saying:
> 
>     First, you bring up a number of things in your message which are 
> all
>     important and all should be discussed fully and transparently. We
>     encourage you to share this message with the Board so we can 
> discuss
> it
>     with the whole Board's input. We can also forward it along, if
> you're
>     prefer to begin the conversation.
> 
>     We encourage you to share this message with the Board so we can
> discuss
>     it with the whole Board's input.
> 
> Since I clearly stated "I expect a mail to the Board and CNA list no
> later than Wednesday about this", note both the board *and* CNA list,
> their deferral to have me bring it up on list is unacceptable.
> Especially given the severity of the topic. I waited several weeks for
> them to bring it up on their own, and they did not.
> 
> Quite simply, this is a lack of transparency in a tax-payer funded,
> government run initiative that impacts the entire IT industry. This is
> not acceptable, and we all deserve better.
> 
> So I am formally requesting, on list, that all correspondence between
> MITRE and Congress be sent to the list as well. Any correspondence is
> subject to FOIA and is not privileged, like many other aspects of
> MITRE's management of CVE (e.g. exact budgets, salaries, 
> expenditures).
> Given your past claims of wanting to be transparent, this is your 
> chance
> to restore some faith in that claim.
> 
> Brian
> 
> [1] https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__cve.mitre.org_data_board_archives_2016-
> 2D03_msg00017.html&d=DwIFAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-
> Z0&r=HfPBnuVQ08I8x2G0_ETWsgNtb9lXi_cymIwq5boWsoI&m=Eq_oZIwhxowOaCnF4Ft6G
> kEt7357oqwBsIE3tdB1150&s=aCoKdNwykRoiEMq0lnqIgVHWqNXhzNq-xnn2GpdBWys&e=
> [2] https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__cve.mitre.org_data_board_archives_2016-
> 2D03_msg00016.html&d=DwIFAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-
> Z0&r=HfPBnuVQ08I8x2G0_ETWsgNtb9lXi_cymIwq5boWsoI&m=Eq_oZIwhxowOaCnF4Ft6G
> kEt7357oqwBsIE3tdB1150&s=JWjMmLx-L61CmWQl1cCnUj67YkHR1kncbOGKFFnynDE&e=
>      https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__cve.mitre.org_data_board_archives_2016-
> 2D03_msg00015.html&d=DwIFAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-
> Z0&r=HfPBnuVQ08I8x2G0_ETWsgNtb9lXi_cymIwq5boWsoI&m=Eq_oZIwhxowOaCnF4Ft6G
> kEt7357oqwBsIE3tdB1150&s=00xbdZ9B_E4GFpS4YFnao3gaCt1huNh5U4KxYoOAfAU&e=
> [3] https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__cve.mitre.org_data_board_archives_2016-
> 2D03_msg00019.html&d=DwIFAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-
> Z0&r=HfPBnuVQ08I8x2G0_ETWsgNtb9lXi_cymIwq5boWsoI&m=Eq_oZIwhxowOaCnF4Ft6G
> kEt7357oqwBsIE3tdB1150&s=ml4hx2EOzFBfqSbQJDHj4pX6woTKkC7QHXUd7xY0qwU&e=
> 
> ---------- Forwarded message ----------
> From: jericho <jericho@attrition.org>
> To: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
> Cc: "Coffin, Chris" <ccoffin@mitre.org>,
>      Common Vulnerabilities & Exposures <cve@mitre.org>
> Date: Mon, 10 Apr 2017 02:37:13 -0500 (CDT)
> 
> [..]
> 
> https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__energycommerce.house.gov_news-2Dcenter_letters_letters-2Ddhs-2Dand-
> 2Dmitre-2Dregarding-2Dperformance-2Dcritical-2Dcyber-
> 2Ddatabase&d=DwIFAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-
> Z0&r=HfPBnuVQ08I8x2G0_ETWsgNtb9lXi_cymIwq5boWsoI&m=Eq_oZIwhxowOaCnF4Ft6G
> kEt7357oqwBsIE3tdB1150&s=l-J7rV1ZzoHVAw6bGtMV7K-riNINXXRdzizOrIxsUcA&e=
> 
> Congress is investigating MITRE and the deficiency. That is pretty big
> news, and I missed this completely until a CNA brought this to my
> attention. They sat on it for three days before they told me and 
> started
> asking question.
> 
> Think about the above please.
> 
> And now that it has been brought up, I expect a mail to the Board and
> CNA list no later than Wednesday about this. The Board deserves an
> official reply from MITRE addressing these concerns. At least one CNA 
> is
> concerned about this, and unwilling to take their concerns to MITRE
> directly. We all deserve to know what is going on.
> 
> [..]
Page Last Updated or Reviewed: May 15, 2017