[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: New CNA - Booz Allen Hamilton



On Mon, 6 Nov 2017, Coffin, Chris wrote:

: In this case, BAH was interested and was willing to participate in 
the 
: program as a CNA for their own products. They are also willing to 
fill 
: the gaps where other CNAs do not provide coverage. Our understanding 
: from the discussion was that this CNA falls into the category of a 
large 
: and established organization that should be part of the CVE program, 
: especially if they are reaching out to us to participate. It was the 
: smaller research organizations that were the issue, right?

In the interest of transparency, and because I don't know if this 
represents a conflict or not, or is tangentially related... but could 
NIST/NVD clarify BAH's current role in the NVD process?

For those not aware, for several years NIST would out-source the NVD 
meta-data generation (e.g. CPE, CVSS scoring) to junior BAH 
consultants. I 
don't know how long that went on, if it is still does, or if they 
changed 
vendors over the year.

I had asked both MITRE and NVD many years back about their involvement 
in 
the context of "when they find an error in a CVE, who do they report 
to" 
and I don't recall getting a real answer other than what in my memory 
was 
bureaucratic speak for "don't worry, it's handled".

.b


Page Last Updated or Reviewed: November 06, 2017