
RE: Question about robots.txt



Some comments below. 

> : We have had multiple conversations during Board conference calls
> 
> See prior mails. Until you show me a) a majority of the board was on
> call and b) the entire transcript of the call was made available to
> the board, this is exclusionary. No middle ground there.

This has been brought up a few different times by various board 
members. The easiest way to address this is to post upcoming plans for 
CVE program changes to the board list to allow for feedback by ALL 
board members before the changes are made. It would also be good in the 
future to give a week or two notice, since some board members may be on 
vacation or otherwise occupied. In this way, the list is the actual 
place for discourse. The board calls then become supplemental for 
deeper conversation if individuals want it.

> 
> : regarding the fact that there are many RESERVED CVE IDs within the
> : current CVE list, and there was a general consensus that they should be
> 
> So when I have 5 or 6 board members in chat that say "MITRE did wrong",
> we can also consider that a general consensus?

A second benefit of using email lists for feedback is that consensus, 
the lack of sustained objection, is easily discernible by all involved.

> : As a first step in tackling the larger cleanup effort, we began
> : contacting CNAs in March of this year to determine what CVE IDs they had
> : not used from their previously assigned CVE ID blocks. All but a couple
> 
> Did you CC the CNA list? If not, why not? I have a pretty solid case
> history of bringing CNA issues to you directly. It is clear that some of
> us have a vested interest in this and were proactive in coming to you
> with issues. Did you forget to include those same people in said
> discussions, publicly or privately?

CCing the CNA list would be a good thing to do here. 

> 
> : first step and he was not clear on exactly what the end result would be.

I wasn't clear. This highlights the need for more transparency and 
discussion of these things on the board list giving plenty of time to 
comment.

> We saw the email about the one day push. And... can we go back to my
> mail? I really don't know how to say this any more simply, I thought the
> original mail was clear.
> 
> - The Board got ONE DAY warning.
> - NIST spoke up and said "whoa wait".
> - We now see you had a phone call on the back of the NIST mail
> - You pushed the 3k release by ONE day
> - You told the public via a CVE mail that few in our industry read
> - I said that wasn't sufficient for public warning

See previous comments.

> 
> Then you send a patronizing mail "innocently" (ignorantly) questioning
> me on all of this. Not sure where this attempt at gaslighting is coming
> from, other than you forget who the board is. The concern and questions
> are legitimate, speak directly to "stakeholders", and are of critical
> interest/impact to the CVE offering as affects the industry.
> 
> : Dave can correct me if I'm wrong, but we didn't interpret the comment
> : "ignored by the NVD" to mean that the NVD team would not publish the
> : REJECT CVE entries. Our interpretation is that the NVD team does not
> : see a need to analyze the entries and will simply publish them as is,
> : with no significant effort on their part.

Any CVE entries that are rejected are not analyzed. The entries do 
appear in our feeds.

> 
> Seriously? This is the biggest argument to stop these back-alley phone
> conversations and to keep things on list, where we see a record of what
> was said. This is how NIST replied to the board, in all the glory:
> 
>    We have been able to confirm that the rejected CVEs will be ignored
>    by the NVD. Thanks for being flexible by pushing this back a day.

I regret not being more clear and specific in my email. Allowing more 
time to discuss these types of issues will allow for more robust 
dialog, which is needed in these cases.

> 
> You did not "interpret" the comment "ignored by the NVD" to mean they
> would not publish the REJECT CVE entries?
> 
> Well guess what. Several of us explicitly read that statement to mean
> they would ignore them... completely. As in, "don't exist, at all".
> 
> As in, other solutions are now involving Dev to figure out how to handle
> 3k+ new entries, on top of many hundreds of existing, to deliver to 3k+
> their customers. These are customers who turned their back on CVE, but
> still have an "irrational compliance requirement" (a common term from
> customers) to ensure that they can explain EVERY single CVE ID that
> comes up. So mature VDBs have to handle these REJECTs, pass it on to
> clients in a format they can easily process, and in turn offer to
> auditors.

When making changes like the one being discussed, there is potential 
impact to the larger ecosystem of consumers. This impact is probably 
the most important reason why these issues need to be discussed with 
the board.

Regards,
Dave


Page Last Updated or Reviewed: May 16, 2017