
RE: On the topic of MITRE/Board transparency



On Thu, 11 May 2017, Coffin, Chris wrote:

: Congress sent an inquiry to both MITRE and DHS regarding CVE. This
: request is a matter of public record. We assume the responses from both

You know what they say about "assume", yes?

MITRE didn't bring the original "public record" to the list. A CNA found
it, and asked me questions about it, to which I had no answers. This is
how things work in 2017.

: MITRE and DHS will also be a matter of public record. MITRE has not yet
: transmitted its response to Congress. Once the response is transmitted,
: should Congress make it public, all members of the general public will
: be able to review it, including any member of the Board.

Yep, that doesn't work for me. See below.

: More importantly, MITRE looks forward to working with our colleagues to
: sustain the tremendous progress the program has made over the past 15
You look forward to working with us... when you didn't bring the letter to
the board? Even though Congress' letter is public, you still hide behind
this notion that your response, whenever you get around to it, may or may
not be public?

Please, re-read my subject line. In the interest of transparency, you post
your response to the list shortly after you send it to Congress. No "if",
no "but", no equivocation.

: months: implementing a federated program structure including a new 

Oh stop. "Federated program" only brings up a single thing in my mind:
when MITRE tried to circumvent the board and create some new standard that
made all of us collectively question you. We saw it via news articles, and
almost 24 hours later, the 'update' articles said it was shuttered after
industry questioning. This is so disrespectful to the board.

: governance and operational model; building upon and improving the CNA 
: rules and implementation of them; recruitment of new CNAs; improving 

The same rules I have called out repeatedly, on and off list. The current
CNA rules that MITRE continually violates. This isn't about you keeping
CNAs in line... for a month now, it has been about keeping MITRE in line
with following the CNA rules, specifically around abstraction.

This mail makes it clear I should stop mailing MITRE off-list. Every
single mail I send that points out MITRE breaking their own rules,
questioning assignments, questioning your policies... every single one
MUST be on list, for the public record. It's pretty clear to me that MITRE
is keen on ignoring all of that and putting on a pretty public face.

: CVE-in-a-Box artifacts; improving data exchange; expanding 

It's curious you say "CVE-in-a-Box"!

I sent FOIA requests to DHS on that specific term in 2015. They replied a
few months ago saying "no records" available. So... you brought it up on
list. What does that term even mean? Why didn't you share that with the
board? Why didn't you share it with DHS, which I was under the impression
you did? If you DID bring it up with DHS in some capacity, why is DHS uh..
"withholding" that on a FOIA request? That is illegal of course... so your
answer is of particular interest to me. Since we're on the board list, which
is public, I expect full disclosure here. Transparency and all, which is
the entire nature of this thread.

: internationally; and continuing bimonthly collaborative sessions and
: working groups with our Board colleagues, the CNAs, and the greater CVE
: community.

All the while, getting dissenting opinions from the board in varying 
degrees, and completely ignoring some of those concerns.

: Thank you for your ongoing feedback and please keep providing it.

Oh, your pretty government-funded words are so expected. And I will. Just
not in the channels you expect me to. CVE, as run by MITRE, has become
such a complete disgrace to the industry. The lack of respect you show to
"stakeholders" is incredible.

.b


Page Last Updated or Reviewed: May 15, 2017