
[TECH] Candidate Numbering Authorities



Following is a description of how Candidate Numbering Authorities
(CNA's) might work, which will be a topic of discussion at next
Thursday's Board teleconference.  Feedback is welcome at any time.

The description includes how other entities such as vendors and
researchers may interface with CNA's.  It attempts to provide CNA's
with a certain amount of flexibility to integrate candidate numbers
into their current process with minimal interference, and in
accordance with their own approach to vulnerability disclosure.  It
attempts to identify and restrict abuse by CNA's, researchers, and
vendors.

One of the main challenges in expanding the CNA model is the amount of
communication that must be managed across multiple entities.
Sometimes this has already been a challenge with "just" MITRE as a
single CNA interfacing with individual researchers.  It will get more
complicated when there are multiple vendors involved, if disputes
occur, if one entity is not responsive, etc.

As described below, each CNA needs to define a policy regarding how
they handle vulnerability information.  I hope to provide an example
CNA policy before the teleconference.

- Steve


-------------------------------
Candidate Numbering Authorities
-------------------------------

Candidate Numbering Authorities (CNA's) are organizations that
distribute CVE candidate numbers to researchers and information
technology (IT) vendors for inclusion in first-time public
announcements of new vulnerabilities, without direct involvement or
consultation by MITRE.  On an as-needed basis, MITRE provides a CNA
with a pool of candidate numbers for the CNA to assign.

CNA's can help the CVE Initiative in the following ways:

- when they function as intermediaries between a vulnerability
  researcher and the affected vendor, they can provide a candidate
  number without notifying MITRE of the vulnerability, which reduces
  the risk of accidental disclosure of vulnerability information

- they increase the scope and visibility of CVE candidates by
  providing additional access points for researchers and vendors to
  obtain candidate numbers

- they can utilize existing working relationships with researchers and
  vendors, which the affected parties may not have formed with MITRE

- if they are already an integral part of the normal process by which
  vulnerabilities are disclosed, their participation prevents the
  addition of another party (i.e. MITRE) from interfering with that
  process

- their participation relieves MITRE of some potentially
  labor-intensive tasks, allowing it to dedicate resources to other
  aspects of CVE that need attention.


------------------------
Requirements to be a CNA
------------------------

A CNA must be one of:

  - an affected software vendor with a significant user base and an
    established security advisory capability, as determined by MITRE

  - an established third party that typically acts as a neutral
    interface between researchers and vendors, as determined by MITRE

  - MITRE

The CNA must also satisfy the following requirements:

  - it must be an established distribution point for first-time
    vulnerability announcements, as determined by MITRE

  - it must have a member of the Editorial Board who performs
    technical tasks

  - it must only assign candidates to security issues that will be
    made public


---------
CNA Tasks
---------

All CNA's must:

  - publish a policy regarding how researchers and vendors may obtain
    a candidate number, including:

    - researcher expectations: what tasks the researcher is expected
      to complete (e.g. analysis, vendor notification, writing
      advisories), what qualifications (if any) the researcher must
      have, how much detail is expected, etc.

    - information actions: what actions the CNA will take on the
      information (e.g. by forwarding it to a vendor, how the CNA will
      protect the information)

    - response time: how quickly the CNA will respond to a request for
      a candidate

  - apply documented CVE content decisions consistently (with
    exceptions made for technical subtleties or incomplete
    documentation)

  - coordinate the exchange of candidate numbers across all involved
    parties (vendor, researcher, response team, etc.)

  - notify MITRE when candidates have been publicly announced

  - recommend best practices in vulnerability disclosure to both
    researcher and vendor, since it directly increases the accuracy of
    CVE



----------------------------------
Communications from CNA's to MITRE
----------------------------------

The following types of communication occur from CNA's to MITRE:

  - request a pool of candidate numbers

  - announce the publication of a new candidate, which allows MITRE to
    update the candidate information on the CVE web site

  - consultation regarding CVE content decisions

  - suspected researcher abuses

  - detection of duplicate candidates

The primary method of communication is expected to be email, through
the getcans@mitre.org address.


---------------------------------
Other Tasks for Third Party CNA's
---------------------------------

Third party CNA's must also perform the following tasks:

  - maintain awareness of all vendors, including vendor CNA's, who
    utilize candidate numbers

  - verify that the reported vulnerability has not already been
    assigned a CVE or candidate number

  - where possible, track abuses of the candidate reservation process
    by researchers

  - refrain from publishing CVE candidate numbers in a manner that
    might provide them with any economic or political advantage over
    their competitors

Note: possible researcher abuses are identified in a separate section.

A third party might gain a competitive advantage by providing
candidate numbers to a limited audience (outside of the researcher and
vendor) before giving it wide distribution.  The last duty in this
section is intended to prevent this sort of abuse.


----------------------------
Other Tasks for Vendor CNA's
----------------------------

Vendor CNA's must also perform the following tasks:

  - clearly advertise security point of contact

  - provide the candidate to other affected parties, e.g. other
    vendors, researchers, or response teams

  - include candidate numbers in their own advisories

  - only use their pool of candidates for vulnerabilities in their own
    products

  - apply CVE content decisions to determine when to assign
    candidates, even if those content decisions are contrary to the
    vendor's own criteria

  - provide candidates for a security-related issue that will not be
    documented in a security advisory (e.g. because the issue does not
    meet the vendor's minimum risk level for releasing an advisory)

  - when an issue has already been published and assigned a candidate,
    the vendor must use that candidate



---------------
Vendor Liaisons
---------------

A vendor liaison works with CNA's to obtain or verify CVE candidates
in the liaison's own products.  The liaison is not an Editorial Board
member, nor is it a CNA, as it may not have the need or capability to
satisfy the CNA requirements.

Liaisons may include candidate numbers in their own advisories, or
work with CNA's to provide candidate numbers to researchers.



---------------------------
Researcher Responsibilities
---------------------------

The researcher must:

  - obtain candidates for a vulnerability report from only one CNA

  - obtain the candidate from the vendor, if the vendor is a CNA

  - understand the CNA's policy for researchers

  - provide the CNA with enough details for the CNA to apply CVE
    content decisions

  - coordinate the exchange of the candidate number across all
    involved parties (vendor, CNA's, response teams, other observers)

  - include the candidate number in the advisory

  - publish through known reliable channels (vendor or response team),
    or known public channels with peer review (Bugtraq or NTBugtraq)

  - notify MITRE (getcans@mitre.org) when the security issue has been
    published

  - update the advisory if the candidate becomes an official entry
    (this excludes copies of the advisory that are not under the
    researcher's control)


----------------------------------------------
Inclusion of Candidates in Security Advisories
----------------------------------------------

The security advisory must include the CVE candidate number(s).

The advisory should include the following description of candidates:

  The Common Vulnerabilities and Exposures (CVE) project has assigned
  the name CAN-YYYY-NNNN to this issue. This is a candidate for
  inclusion in the CVE list (http://cve.mitre.org), which standardizes
  names for security problems.

If there are multiple candidates, the advisory should include the
following description:

  The Common Vulnerabilities and Exposures (CVE) project has assigned
  the following names to these issues:
      CAN-YYYY-NNNN - short, unique description
      CAN-YYYY-MMMM - short, unique description

If the description requires too much space in the advisory, then use a
URL to the web page that identifies the candidate:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-YYYY-NNNN
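As an added example (not part of this post or of any MITRE tool), the following Python handles the candidate conventions described in this section and in the CNA duties above: it extracts CAN-YYYY-NNNN names from advisory text, builds the cvename.cgi URL, renders the notice an advisory should carry, and models a CNA's candidate pool so that an issue the CNA has already seen never receives a second candidate. The sample advisory text and the issue keys are constructed for the example.

```python
import re

# Candidate names have the form CAN-YYYY-NNNN; accepted entries use CVE-YYYY-NNNN.
CAN_RE = re.compile(r"\bCAN-(\d{4})-(\d{4,})\b")

def find_candidates(text):
    """Return the distinct candidate names in an advisory, in first-seen order."""
    return list(dict.fromkeys(m.group(0) for m in CAN_RE.finditer(text)))

def candidate_url(name):
    """Web page for one candidate, using the URL form given in the CNA description."""
    if not CAN_RE.fullmatch(name):
        raise ValueError("not a candidate name: %r" % name)
    return "http://cve.mitre.org/cgi-bin/cvename.cgi?name=" + name

def advisory_notice(items):
    """Render the notice an advisory should carry; items is a list of (name, description)."""
    for name, _ in items:
        candidate_url(name)  # rejects malformed names before anything is published
    if len(items) == 1:
        return ("The Common Vulnerabilities and Exposures (CVE) project has assigned\n"
                "the name %s to this issue. This is a candidate for\n"
                "inclusion in the CVE list (http://cve.mitre.org), which standardizes\n"
                "names for security problems." % items[0][0])
    lines = ["The Common Vulnerabilities and Exposures (CVE) project has assigned",
             "the following names to these issues:"]
    lines += ["    %s - %s" % (name, desc) for name, desc in items]
    return "\n".join(lines)

class CandidatePool:
    """A CNA's MITRE-issued pool; each candidate is handed out at most once."""
    def __init__(self, names):
        self.free = [n for n in names if CAN_RE.fullmatch(n)]
        self.assigned = {}  # candidate name -> issue key (CNA-defined; constructed here)

    def assign(self, issue_key):
        """Return the candidate for an issue, reusing it if the issue was seen before."""
        for name, key in self.assigned.items():
            if key == issue_key:
                return name  # same issue requested again: no duplicate candidate
        if not self.free:
            raise RuntimeError("pool exhausted; request more candidates from MITRE")
        name = self.free.pop(0)
        self.assigned[name] = issue_key
        return name

# Constructed sample advisory text for the example.
SAMPLE = ("Affected: foo 1.0. CVE names: CAN-2001-0001 (overflow), "
          "CAN-2001-0002 (DoS); see also CAN-2001-0001.")
```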


------------------------------
Possible Abuses by Researchers
------------------------------

The following activities by researchers would constitute abuse of the
candidate reservation process.

- The researcher's disclosure process frequently results in duplicate
  candidates

- Issues reported by the researcher turn out to be false, or so
  error-prone that the Editorial Board rejects their associated
  candidates

- The researcher "hoards" candidates, or asks multiple CNA's for
  candidates for the same issue

- The researcher does not publish the candidate in accepted public
  forums


------------
MITRE Duties
------------

As the provider of candidate pools to CNA's, MITRE must:

  - provide guidance to CNA's with respect to CVE content decisions

  - notify CNA's of outstanding (unpublished) candidates

  - notify CNA's of known abuses


MITRE should also:

  - notify vendor CNA's, liaisons, and researchers when candidates
    have been rejected or accepted as CVE entries

Page Last Updated or Reviewed: May 22, 2007