
RE: New CNA - Booz Allen Hamilton



Chris,

It’s hard to say.  I’ve pondered this too.  In some instances, it may be because they feel the vulnerability attached to their name/brand becomes more visible. 

In other cases, they may think the vuln was a one-off and didn’t want to bother.  Or it was just one more thing to manage.

 

Lenovo has worked hard to become a leader in the area of security by following best practices and being transparent.  We believe being a CNA strengthens our message about the importance of security and vuln disclosure.  I would like for our suppliers to buy into this thinking as well. 

Regards,

 

Beverly M Finch, PMP
PSIRT Program Manager

Product Security Office

7001 Development Drive

Office 3N-C1

Morrisville, NC  27560

Phone: +1 919 294 5873
Email: beverlyfinch@lenovo.com

Lenovo.com 

From: Coffin, Chris [mailto:ccoffin@mitre.org]
Sent: Wednesday, November 8, 2017 11:44 AM
To: Beverly Finch; Waltermire, David A. (Fed); Millar, Thomas
Cc: cve-editorial-board-list
Subject: RE: New CNA - Booz Allen Hamilton

 

Beverly,

 

In the cases where these vendors were not willing to request a CVE ID, do you have a recollection as to why? It would be interesting to know a bit more about those situations if possible. It might be that they are also unwilling to be a CNA for the same or similar reasoning.

 

Regards,

 

Chris

 

From: Beverly Finch [mailto:beverlyfinch@lenovo.com]
Sent: Tuesday, November 7, 2017 7:52 AM
To: Waltermire, David A. (Fed) <david.waltermire@nist.gov>; Millar, Thomas <Thomas.Millar@hq.dhs.gov>; jericho <jericho@attrition.org>; Coffin, Chris <ccoffin@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: New CNA - Booz Allen Hamilton

 

All,

Can we target suppliers like Infineon, Realtek, Sierra Wireless, Dolby for instance?

We’ve had vulns published for their products and all were not willing to request CVE. In the case of Infineon, someone else (US-CERT?) assigned the CVE.

Regards,

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Waltermire, David A. (Fed)
Sent: Monday, November 6, 2017 9:44 PM
To: Millar, Thomas; jericho; Coffin, Chris
Cc: cve-editorial-board-list
Subject: RE: New CNA - Booz Allen Hamilton

 

Tom,

The primary reason we are seeing new CNAs is because Dan is out advertising that the CVE program is looking for new CNAs. I am not calling Dan out by saying this. He is doing what he has been told to do. I believe we should be spending MITRE resources, which have limits, to work with the board to improve the structure and overall governance of the CVE program. 

I am not suggesting we plateau the acquisition of CNAs, but instead that we not actively seek them out. If new CNAs come to the program on their own, I am good with bringing them in. We can then use the time saved to focus resources on making federation a reality and working out how the federated model can be better governed. In my view, working on these things is critical to the long term success of CVE. We are not making progress as quickly as I had hoped. This is a good time to consider what we can do differently to reprioritize.

 

Do you agree that working out federation and governance for the program is a priority? If not, what do you see as the biggest priorities?

 

Regards,

Dave



-------- Original Message --------
From: owner-cve-editorial-board-list@lists.mitre.org on behalf of "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
Date: Mon, November 06, 2017 5:00 PM -0500
To: jericho <jericho@attrition.org>, "Coffin, Chris" <ccoffin@mitre.org>
CC: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: New CNA - Booz Allen Hamilton

The big NIST contract with BAH ended some years ago, iirc.

Grep for "booz" through the CERT KB turns up one mention, a possible heap overflow due to an upstream product. Nothing in NVD.

Looking through job listings they do hire a ton of pen testers so I'd presume they want to be able to assign for vulnerabilities they find in the course of gigs. However, stating "we can even assign a CVE to anything we find" - as a feature of their service offerings - might be problematic.

All that said, I personally tend to agree with Kurt. At this point in time, I would not expect to see the rate of new CNAs plateau - and I would prefer to run into these issues now, and learn and adapt from them more quickly, than drag this painful transformation out and risk losing momentum.


-----Original Message-----
From:
owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho
Sent: Monday, November 6, 2017 16:46
To: Coffin, Chris <ccoffin@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: New CNA - Booz Allen Hamilton
Importance: High

On Mon, 6 Nov 2017, Coffin, Chris wrote:

: In this case, BAH was interested and was willing to participate in the
: program as a CNA for their own products. They are also willing to fill
: the gaps where other CNAs do not provide coverage. Our understanding
: from the discussion was that this CNA falls into the category of a large
: and established organization that should be part of the CVE program,
: especially if they are reaching out to us to participate. It was the
: smaller research organizations that were the issue, right?

In the interest of transparency, and because I don't know if this represents a conflict or not, or is tangentially related... but could NIST/NVD clarify BAH's current role in the NVD process?

For those not aware, for several years NIST would out-source the NVD meta-data generation (e.g. CPE, CVSS scoring) to junior BAH consultants. I don't know how long that went on, if it still does, or if they changed vendors over the years.

I had asked both MITRE and NVD many years back about their involvement in the context of "when they find an error in a CVE, who do they report to" and I don't recall getting a real answer other than what in my memory was bureaucratic speak for "don't worry, it's handled".

.b


Page Last Updated or Reviewed: November 13, 2017