
RE: procedure for penalizing or revoking CNA status?

The message below, quoted in its entirety, has now been publicly archived at:


- Steve

> -----Original Message-----
> From: jericho [mailto:jericho@attrition.org]
> Sent: Saturday, August 29, 2015 1:53 AM
> To: Christey, Steven M. <coley@mitre.org>
> Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: Re: procedure for penalizing or revoking CNA status?
> Importance: High
> It's been 337 days, and there is no progress on this. Before anyone else
> on the board starts whining, there have been a series of mails between me
> and CVE during this time, challenging a specific CNA for violating policy.
> MITRE has chosen to send one email to the CNA (so they said) and nothing
> else, without follow-up, without responding to MY follow-up to them when
> the CNA has continually broken protocol since the initial complaint.
> I am replying now because a 2nd CNA is clearly not following policy in
> assignments (specifically related to assignment, nothing else). Since
> MITRE will not really challenge a CNA after hundreds of mistakes over a
> near one-year period, I can't assume they will take action on this. Not
> going to bring up the 2nd CNA, until the first is resolved, who is much
> more egregious.
> Thus, I take it to the board for input. We're here to guide and give input
> to the CVE process, right? I believe that is the purpose of the editorial
> board, on paper. Personally, I think the purpose stops there as far as
> MITRE is concerned... on paper.
> If any of you actually give a shit, which I know half of this list does
> not, as the position on the board and position of CNA is self-serving
> based on past actions. For you assholes, your position is secure, stop
> reading here! For the rest, that may actually care, please read on.
> On Fri, 10 Oct 2014, Steven M. Christey wrote:
> : On Thu, 25 Sep 2014, jericho wrote:
> :
> : Some context for CNA-related errors: traditionally, we've had approximately a
> : 0.5% REJECT rate for CVEs overall, but that percentage has gone up in recent
> The initial complaint that sparked this email was not based on a REJECT
> situation. It was based on a CNA using the wrong CVE assignment almost
> every day for three months, then it tapered off where they only used it
> a few times a week, as they found fewer products affected.
> I contacted the CNA many times telling them it was an incorrect
> assignment, quoted the CVE that specifically said it was for a specific
> vendor (not the CNA), and asked them to assign a new one. They didn't.
> Months later, I brought MITRE into the loop, and they tell me they sent an
> email to the CNA. Yet, it didn't stop... almost nine months later, that
> CNA is still writing current advisories on a vulnerability, using the CVE
> that was assigned for a different vendor (because this is implementation
> based, meaning each vendor who screws up gets their own CVE).
> I specifically asked about revoking their CNA status after they showed
> months of not caring about CVE standards. I showed that I had already
> contacted them months prior, asking them to follow protocol, to issue a
> new CVE. It is quite clear, the CNA does not care, and MITRE does not
> care. This is no surprise, because the CNA/CVE game is a great
> public-facing "we care" piece, when that is anything but the truth.
> : years, although I don't track these stats regularly or precisely (yet).
> : While I personally dislike REJECTs, the 0.5% rate doesn't indicate a
> : systemic problem.  But since the raw number of CVE assignments has also
> : risen along with the rate, the raw number of REJECTs has increased
> : noticeably.  REJECTs, for us and I believe for many CVE consumers, can
> : cause confusion and be time-consuming to resolve.
> Yep, masturbate over an issue and statistics that are fascinating any
> other time, but entirely irrelevant to this conversation. MITRE's presence
> on oss-sec shows that assignment-masturbation is the only thing of real
> interest to them. Kurt continues to be the super-CNA (my term) and
> continues to be absent from this editorial board for some reason... why?
> Half this tinpot board should be scrapped in favor of him. The fact no one
> has nominated him, or referenced him in his CNA activity is telling.
> : We do not have any formal procedures for warning, penalizing, and/or
> : revoking CNA status, but we agree that we should develop some.  One
> Wow, 16 years later, this is really the first time a CNA has demonstrated
> they don't understand policy? (I call bullshit)
> Rhetorical question, because many have demonstrated that. Just that
> several of them do it infrequently, so it is easier to work around them,
> add a tech note, and let them flounder in their shitty security response
> efforts. I find one that clearly doesn't give a shit, point it out, harass
> MITRE, and nothing is done. Now, I find another not following protocol (to
> a much lesser degree at least!), and I have no choice but to call out this
> entire charade. If you won't fix the real bastard in the group, no way you
> fix the lesser demon.
> : issue is that things have gotten much more complex, and what might
> : appear to be a CNA error could in fact be due to limitations of the CNA
> : process, many of which were discussed in the early days of CVE, if I
> Stop making excuses for them, jesus. You are already shielding the CNAs
> from very simple, very clear policy. WHY?
> Don't answer that, MITRE and I both know the answer to that question. If
> anyone on the board doesn't know it... please resign, immediately. You
> aren't an active participant in this game.
> : recall correctly. When developing procedures, we also need to ensure
> : that any disciplinary measures - when necessary - are not out of balance
> : with the offense.
> Uh... hello? You say "you should develop some", while shielding shitty
> CNAs immediately, then further back it up with some hypothetical about
> disciplinary measures?
> Are you guys fucking daft? YOU CONTROL CVE. You are the overlords of this
> failing effort. You are considered the industry standard on this. Wo(man)
> up and take the reins here already. If a CNA is working against the
> long-stated purpose of CVE, about assigning a unique identifier to a
> vulnerability, why would you flake for over half a year, then say "oh god
> we don't want to step on the fucking dandelions here"? In doing so, you
> are working AGAINST your stated goal. The 1+ million government grant that
> funds CVE, that most of the board pays for via taxes, is not being used
> properly.
> : However, we also need to be clear on what is causing the errors.  The errors
> No, we do not. Because I outlined that very clearly, several times. CVE
> issued an implementation-based identifier to one company, that implemented
> a protocol wrong. Months later, a CNA said "derp, the CVE clearly says
> this is only applicable to $NOTUS, but let's use that ID anyway!" I called
> them out pretty quick (why didn't MITRE notice this again?), explained why
> they should not use the identifier, asked that they issue or request a new
> ID for their own company, which has a metric shit-ton of products. They
> continue issuing the bad ID, I correct them again. They continue issuing
> the bad ID, I correct them and loop MITRE in. MITRE says they sent a mail
> clarifying, the CNA continues issuing the bad ID months later.
> There is no issue on clarity here, as far as the CNA fucking up. The only
> issue on clarity is why MITRE doesn't give a shit, why they didn't
> follow-up on this properly, and why they didn't put their foot down.
> But hey, the answer is very obvious, and not one CVE/MITRE wants to admit.
> So... time to fess up. Explain why you were completely ineffectual in
> dealing with this, or just admit that you rely on the CNAs like crutches,
> because the base CVE effort is so hamstrung by their own bureaucracy it
> isn't funny.
> At this point, and I have the emails proving it, there is no other choice.
> You get A or B.
> : that occur are rarely due to carelessness.  For example, we've learned that
> It isn't "carelessness". It is "we don't give a fuck" about the rules or
> process. We use our CNA status to appear we care about customers! And this
> CNA is an absolute trainwreck when it comes to security advisories. They
> are currently being used in discussions with the government to show how
> vulnerability disclosure "should not happen". Seriously... people who have
> a vested interest in our industry, and protecting vulnerability research,
> are using this company (a CNA) as an example of "how not to do shit". They
> are THAT bad. But hey, all you board members are experts, and clearly
> noticed this too.
> : over time, people's jobs (naturally) shift; and the original technical lead
> : for a CNA might move to a different role, and the replacement is not as
> : well-trained.  As another example, there are researchers who contact multiple
> This is a company that has been around longer than MITRE, doing 'computer
> shit' for many decades longer than CVE existed. They are the 'masters' of
> (shitty) documentation. It may suck, but they know all about documenting
> it! If this CNA can't convey the policy from one person to another, they
> shouldn't be a CNA. They are known for marching a dozen lawyers into a
> meeting where 'policy' is in question related to another company. So much
> so, it is a funny scene in a recent TV show.
> But hey, fuck that, it isn't relevant. You are making bullshit excuses
> trying to hide the fact that CVE/MITRE has no process to police a CNA. I
> called them out. I called them out again. I called them out a third time
> and brought CVE/MITRE in the loop. MITRE gets involved, supposedly.
> Crickets.
> : CNAs for CVEs and effectively introduce duplicates that way (not maliciously,
> : as far as I can tell); many researchers, especially those new to the industry,
> In this case, Apathy is malicious. The CNA not caring, causing this
> confusion and headache, is born out of "we don't give a shit".
> : don't really understand how CVE works, and are not necessarily diligent in
> This thread was about CNAs. Companies that signed in blood saying they
> were "CVE compliant", and THEN went the extra step to say "we can be a
> CNA!", or MITRE said "derp, you sound like a good CNA!"
> : reading our fairly extensive documentation.  As a third example, the
> : significant media attention and urgency given to some issues, along with
> : non-coordinated disclosure, introduces room for error.  Incomplete
> This is an entirely different argument. One that you do not want to have
> with me. If CVE monitored the media to a small degree, they could counter
> this problem rather trivially. But they don't, because they don't care.
> MITRE is giving proactive excuses to media problems in assignment, while
> we're doing per-media-outlet breakdowns of vuln coverage, by day. How does
> this magic work?! I read a few security-centric news sites during lunch,
> to see what is making the news. Not rocket science here. You want a
> per-month breakdown of what vulnerabilities Threatpost covered last month?
> Got it. Fascinating shit, seriously, and that is why we track it. The kind
> of data that is interesting, but likely won't become a blog or paper for
> another year.
> : *disclosure* coordination happened with both Heartbleed and Shellshock, and
> : was a factor in the confusion - for which CVE was a symptom and not a cause
> Shellshock 'disclosure' problems can be squarely dumped on the vendor, not
> the researcher. This has nothing to do with the thread or my points. Quit
> diverting the topic.
> : In the coming months, we will improve our tracking for REJECTs and why
> : they happen; consult more closely with CNAs; and consult with the Board
> : on ways forward.
> Bullshit. Absolute, 100%, let-me-be-a-fluffer to the CVE board response.
> CVE, and you specifically, have done nothing to help resolve my problem
> while this CNA that continues to use the wrong ID for a vuln, after almost
> 9 months. I've mailed them three times, you say you have mailed them once,
> and ignored my follow-up asking what the outcome was.
> You are not doing what you promised. You are not guaranteeing the
> integrity of CVE. Nothing about this situation suggests that MITRE is
> doing the 'right thing'. Why not?
> Bottom line... wake the fuck up, pretend you give a shit about
> vulnerability disclosure. MITRE has become so complacent it is disgusting.
> I mean hell, MITRE threw in the towel years ago as far as tracking
> vulnerabilities. Then desperately tried to 'care' with medical disclosures
> recently (with the sole purpose to chase more funding), while missing the
> obvious medical-related disclosures before, and during this pathetic push.
> It is abundantly clear MITRE is grasping at straws here.
> The next two 'iterations' of CVE have been pitched to DHS yet they weren't
> communicated to the editorial board. Why not? What is our purpose here
> exactly, other than a token 'board' to make it look like MITRE cares about
> the community? Why weren't we consulted for input on those papers and
> proposals before being sent to DHS? Do you not think we're experts and
> can't give meaningful input? Or is it that you have long known the board
> is just a public-facing diversion?
> This board is straight out of a dystopian novel, where the dictator has
> the board of 'yes men', which is largely what this pathetic board is made
> of. In this scenario, I know what my place is, based on about every
> dystopian novel with this scenario.
> "Thank you, but I'd rather die behind the chemical sheds."
> Brian
> p.s. FOIA is a bitch.

Page Last Updated or Reviewed: September 14, 2015