[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Juniper to be added to the official list of CNAs

On Wed, 20 Apr 2016, Common Vulnerabilities & Exposures wrote:

: Brian -
: to their own opinions, all opinions must be considered.  For example, 
: the note to the private Board list yesterday regarding Juniper was 
: intended to provide all Board members with an opportunity to 
: voice opinions in a candid fashion that they may have been 
: voicing in public.  In this context, it is the person who posts the 

:  We understand and appreciate your objections to Juniper.  Juniper is 
: not being rewarded for anything.  Rather, they are being brought 
: as a new CNA so that we can expand the CVE capability consistent with 
: the stated objective of our Board colleagues to scale the capability 
: under a federated approach to increase coverage.  We were delighted 

So to sum this up:

MITRE made a unilateral decision to make Juniper a CNA, six days after 
board member expressed concerns over their handling of CVE assignments, 
and gave board membrs an opportunity to bring up concerns without 
taht concerns had already been brought up, and that Juniper already had 
history of not following CNA guidelines. That the board members could 
bring up concerns in private, with no indication or direction they 
also share the concerns publicly.

Again, remind us what the purpose of the board is exactly, if we're not 
directing decisions. More importantly, when we do give input, even 
proactively, it is apparently not considered nor brought up when 
announcing MITRE's decisions that are made without any board input 
whatsoever. I ask because the purpose of the board as seen by the 
the board members, and MITRE seem to be at odds. Clearing this up would 
helpful for everyone involved.

Page Last Updated or Reviewed: April 22, 2016