[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Question about robots.txt

On Thu, 11 May 2017, Coffin, Chris wrote:

: > That said, after Kurt's mail in December of 2015... in the last ~ 
30 - 
: 60 days, I noticed that MITRE finally changed that. Google is now 
: indexing and caching the CVE pages.
: 
: We made the change to allow indexing back in Feb of 2016, which was a 
: few months after Kurt had pointed out the issue. We apologize to all 
for 

Something I cannot prove, because I don't screenshot my daily "missing 
CVE" searches as far as Google results go. But I would swear this is 
not 
the case. We'll have to agree you have your official statement, and I 
have 
my 'anecdotal' evidence as someone who searches on new/missing CVE IDs 
every day.

: not replying to the original thread at that time. Dan also mentioned 
the 
: same in a response to you back in April of this year 
: 
(http://common-vulnerabilities-and-exposures-cve-board.1128451.n5.nabble.com/Re-CVENEW-New-CVE-CANs-2017-04-23-19-00-count-1-td722.html#a727).

You see, I don't have to read that. Kurt mailed in Dec 2015, you say 
Dan 
replied to me in April 2017. Use your numbers. My point stands about 
MITRE's promise of following up.

: > Just like you didn't ask us about the 3k+ RESERVED fiasco that got 
several of us talking about this morning, figuring out how we'd handle 
it. When NVD spoke up, we all collectively said "hell yeah!"
: >
: > The fact that NVD called you out, and has since said they will be 
'ignoring' those IDs, is also very significant in CVE history. This is 
the first *real* break that NVD has had from CVE ever. There have been 
other breaks the last year+, but they were more pedantic and favored 
NVD > over MITRE/CVE, based on the time of entries becoming public 
(e.g. NVD published before MITRE did).
: 
: We are not absolutely certain what concern you have in the case of 
the 
: RESERVED CVE IDs moving to REJECT status. Please let us know if the 
: following explanation does not clear up your concerns.

If you are not "absolutely certain" of anything in this thread, after 
NIST's response, after my previous mails, and after "VDB 101" levels of 
understanding of our profession, let's just drop it. I stopped engaging 
with vulnerability tourists years ago for the most parts. The few times 
I 
do are on this list or in blogs. This reply makes it clear I need to 
treat 
MITRE as the 'blog' kind.

: We have had multiple conversations during Board conference calls 

See prior mails. Until you show me a) a majority of the board was on 
call 
and b) the entire transcript of the call was made available to the 
board, 
this is exclusionary. No middle ground there.

: regarding the fact that there are many RESERVED CVE IDs within the 
: current CVE list, and there was a general consensus that they should 
be 

So when I have 5 or 6 board members in chat that say "MITRE did wrong", 
we 
can also consider that a general consensus? 

: cleaned up (i.e., REJECT or populate). As you are probably aware, 
there 
: are multiple reasons that a CVE ID might be stuck in a RESERVED 
status. 

Quit patronizing me you ass. After all of the emails I send to MITRE 
calling out your bad assignments, duplicates, etc? You really think I 
am 
"probably" aware of RESERVED status? What, did you miss the prior 
public 
work where I called that out many times? Did you miss that being a 
cornerstone of some commercial VDBs offerings? Did you not see the 
T-shirt? (seriously)

: As a first step in tackling the larger cleanup effort, we began 
: contacting CNAs in March of this year to determine what CVE IDs they 
had 
: not used from their previously assigned CVE ID blocks. All but a 
couple 

Did you CC the CNA list? If not, why not? I have a pretty solid case 
history of bringing CNA issues to you directly. It is clear that some 
of 
us have a vested interest in this and were proactive in coming to you 
with 
issues. Did you forget to include those same people in said 
discussions, 
publicly or privately?

: of CNAs responded and pointed out which CVE IDs were not used. In 
every 
: case, the CVE ID in question moved from a status of RESERVED to a 
status 
: of REJECT. The CVE IDs in question were moved to REJECT status 
earlier 
: today.

Derp, yes. You made that very clear. Half a dozen of us privately said 
"what the...", and NIST spoke up on list *quickly*. As they should 
have, 
and I am happy they did, since it saved me one more email.

The patronizing tone of this email is somewhere between enraging and 
laughable. 

: You are correct and Dave at NIST had sent a message in regards to 
this 

You think?! It was on list, I was citing public record. You don't have 
to 
tell me I am correct.

: first step and he was not clear on exactly what the end result would 
be. 

If you couldn't read between the lines of his mail... again, MITRE 
isn't 
qualified to run CVE. You are clearly too far removed from your 
"stakeholders".

: Dave and I spoke on the phone, we cleared up the gaps in 
understanding, 
: and even decided to hold off for a day to give the NIST NVD folks a 
bit 
: more time to analyze the impact.

We saw the email about the one day push. And... can we go back to my 
mail? 
I really don't know how to say this any more simply, I thought the 
original mail was clear.

- The Board got ONE DAY warning. 
- NIST spoke up and said "whoa wait".
- We now see you had a phone call on the back of the NIST mail
- You pushed the 3k release by ONE day
- You told the public via a CVE mail that few in our industry read
- I said that wasn't sufficient for public warning

Then you send a patronizing mail "innocently" (ignorantly) questioning 
me 
on all of this. Not sure where this attempt at gaslighting is coming 
from, 
other than you forget who the board is. The concern and questions are 
legitimate, speak directly to "stakeholders", and are of critical 
interest/impact to the CVE offering as affects the industry.

: Dave can correct me if I'm wrong, but we didn't interpret the comment 
: "ignored by the NVD" to mean that the NVD team would not publish the 
: REJECT CVE entries. Our interpretation is that the NVD team does not 
see 
: a need to analyze the entries and will simply publish them as is, 
with 
: no significant effort on their part.

Seriously? This is the biggest argument to stop these back-alley phone 
conversations and to keep things on list, where we see a record of what 
was said. This is how NIST replied to the board, in all the glory:

   We have been able to confirm that the rejected CVEs will be ignored 
by 
   the NVD. Thanks for being flexible by pushing this back a day.

You did not "interpret" the comment "ingored by the NVD" to mean they 
would not publish the REJECT CVE entries?

Well guess what. Several of us explicitly read that statement to mean 
they 
would ignore them... completely. As in, "don't exist, at all".

As in, other solutions are now involving Dev to figure out how to 
handle 
3k+ new entries, on top of many hundreds of existing, to deliver to 
their 
customers. These are customers who turned their back on CVE, but still 
have an "irrational compliance requirement" (a common term from 
customers) 
to ensure that they can explain EVERY single CVE ID that comes up. So 
mature VDBs have to handle these REJECTSs, pass it on to clients in a 
format they can easily process, and in turn offer to auditors.

By the way, my continued use of "stakeholders" in parens? This is it. 
MITRE doesn't have the first clue what a stakeholder is, other than the 
very first tier they push the data to. It's 2017, this isn't your 
father's 
/ Christey's CVE. It hasn't been for a long time.

.b
Page Last Updated or Reviewed: May 15, 2017