RE: Juniper to be added to the official list of CNAs

The CVE Team discussed the valid concerns raised by you during 
yesterday's Board call and held the announcement of Juniper becoming a 
CNA until we had the opportunity to have this discussion with our Board 
colleagues.  While the members agreed that mistakes are made with 
Juniper and other CNAs, it was the opinion of the Board that bringing 
on Juniper serves the needs of the community better than by not doing 
so.  The Board was specifically asked if they objected to bringing 
Juniper on as a CNA.  No members on the call objected.

The Board is a critical advisory function.  As a Board member, you 
raised concerns about Juniper.  The CVE Team listened to those concerns 
and raised them with the Board at our first opportunity to do so where 
a discussion could be held and we could efficiently work through the 
discussion.  Per Kurt Seifried's good suggestion this morning, we're 
happy to move to the private Board list to poll the Board on decisions 
like these in the future.

Thank you for bringing up your concerns.  We appreciate it.


The CVE Team

-----Original Message-----
From: jericho [mailto:jericho@attrition.org] 
Sent: Friday, April 22, 2016 1:05 AM
To: Common Vulnerabilities & Exposures <cve@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: Juniper to be added to the official list of CNAs
Importance: High

On Wed, 20 Apr 2016, Common Vulnerabilities & Exposures wrote:

: Brian -
: to their own opinions, all opinions must be considered.  For example,
: the note to the private Board list yesterday regarding Juniper was
: intended to provide all Board members with an opportunity to privately
: voice opinions in a candid fashion that they may have been 
: voicing in public.  In this context, it is the person who posts the 

:  We understand and appreciate your objections to Juniper.  Juniper is
: not being rewarded for anything.  Rather, they are being brought 
: as a new CNA so that we can expand the CVE capability consistent with
: the stated objective of our Board colleagues to scale the capability
: under a federated approach to increase coverage.  We were delighted 

So to sum this up:

MITRE made a unilateral decision to make Juniper a CNA, six days after 
a board member expressed concerns over their handling of CVE 
assignments, and gave board members an opportunity to bring up concerns 
without stating that concerns had already been brought up, and that 
Juniper already had a history of not following CNA guidelines. That the 
board members could bring up concerns in private, with no indication or 
direction they could also share the concerns publicly.

Again, remind us what the purpose of the board is exactly, if we're not 
directing decisions. More importantly, when we do give input, even 
proactively, it is apparently not considered nor brought up when 
announcing MITRE's decisions that are made without any board input 
whatsoever. I ask because the purpose of the board as seen by the 
public, the board members, and MITRE seem to be at odds. Clearing this 
up would be helpful for everyone involved.

Page Last Updated or Reviewed: April 25, 2016