
Re: procedure for penalizing or revoking CNA status?

>> -----Original Message-----
>> From: jericho [mailto:jericho@attrition.org]
>> Sent: Saturday, August 29, 2015 1:53 AM
>> To: Christey, Steven M. <coley@mitre.org>
>> Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
>> Subject: Re: procedure for penalizing or revoking CNA status?

>> It's been 337 days, and there is no progress on this. Before anyone else
>> on the board starts whining, there have been a series of mails between me
>> and CVE during this time, challenging a specific CNA for violating policy.
>> MITRE has chosen to send one email to the CNA (so they said) and nothing
>> else, without follow-up, without responding to MY follow-up to them when
>> the CNA has continually broken protocol since the initial complaint.
>> I am replying now because a 2nd CNA is clearly not following policy in
>> assignments (specifically related to assignment, nothing else). Since
>> MITRE will not really challenge a CNA after hundreds of mistakes over a
>> near one-year period, I can't assume they will take action on this. Not
>> going to bring up the 2nd CNA, until the first is resolved, who is much
>> more egregious.
>> Thus, I take it to the board for input. We're here to guide and give input
>> to the CVE process, right? I believe that is the purpose of the editorial
>> board, on paper. Personally, I think the purpose stops there as far as
>> MITRE is concerned... on paper.

CERT/CC has experienced at least one, possibly two CNAs that do not
assign CVE IDs in a timely or correct manner, per the CVE content
decision/abstraction rules.  We see this when:

1. Researchers ask us for CVE IDs and say that the CNA who should be
assigning -- the vendor of the vulnerable component -- has not assigned
an ID.

2. We're coordinating a disclosure that isn't public yet and the CNA who
should be assigning (vendor) doesn't take action.  Now what?  Do we
assign?  Let disclosure happen and ping MITRE?  We make a judgement call
for each case, and I have informed MITRE about one CNA that we've
observed problems with.

I don't know how much of the board bylaws are written down anywhere, but
maybe we should consider some basic governance/voting procedures.  Even
if we don't right away agree on everything that goes into decisions to
add/remove CNAs, we could have a procedure along the lines of:

* period of time to present evidence (in support of adding or removing)

* vote by the board, requiring a quorum and majority (or more, 2/3)

Document the evidence and vote on the mailing list.  Also, it's common
for group members to lose voting privileges (or even membership) due to
lack of participation.

I realize adding more formal rules/bylaws increases the governance
overhead, but it may be necessary to move that direction.  A couple
documents about board membership were circulated in April.  Would an
active board member volunteer to draft something about CNA requirements?


 - Art

Page Last Updated or Reviewed: September 14, 2015