
Re: Juniper to be added to the official list of CNAs

Actually, on the board call this was brought up, and I actually brought up your concerns. We all agreed that they weren't blockers and that, with documentation/oversight/feedback, this is most likely a manageable problem. We were then asked if anyone still objected strongly or if we were ok with Juniper being made a CNA, and it was unanimous in favor.

Which does bring up one note: voting on phone calls is probably suboptimal due to timezones/etc. We should probably use the private list so that everyone has time to reply, and it's recorded more easily if someone does bring up specific concerns/etc.

On Thu, Apr 21, 2016 at 11:04 PM, jericho <jericho@attrition.org> wrote:
On Wed, 20 Apr 2016, Common Vulnerabilities & Exposures wrote:

: Brian -
: to their own opinions, all opinions must be considered.  For example,
: the note to the private Board list yesterday regarding Juniper was
: intended to provide all Board members with an opportunity to privately
: voice opinions in a candid fashion that they may have been uncomfortable
: voicing in public.  In this context, it is the person who posts the

:  We understand and appreciate your objections to Juniper.  Juniper is
: not being rewarded for anything.  Rather, they are being brought online
: as a new CNA so that we can expand the CVE capability consistent with
: the stated objective of our Board colleagues to scale the capability
: under a federated approach to increase coverage.  We were delighted to

So to sum this up:

MITRE made a unilateral decision to make Juniper a CNA, six days after a
board member expressed concerns over their handling of CVE assignments,
and gave board members an opportunity to bring up concerns without stating
that concerns had already been brought up, and that Juniper already had a
history of not following CNA guidelines. That the board members could
bring up concerns in private, with no indication or direction they could
also share the concerns publicly.

Again, remind us what the purpose of the board is exactly, if we're not
directing decisions. More importantly, when we do give input, even
proactively, it is apparently not considered nor brought up when
announcing MITRE's decisions that are made without any board input
whatsoever. I ask because the purpose of the board as seen by the public,
the board members, and MITRE seem to be at odds. Clearing this up would be
helpful for everyone involved.


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: April 25, 2016