[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CNA requirements
- To: Kurt Seifried <kseifried@redhat.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Subject: Re: CNA requirements
- From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
- Date: Tue, 17 May 2016 12:33:47 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;
- Delivery-date: Tue May 17 13:00:05 2016
- In-reply-to: <CANO=Ty0PsrLPV_a8+0bTc8wdQB8NDPLnZc+koSRUTHWV4-DrzA@mail.gmail.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CANO=Ty0PsrLPV_a8+0bTc8wdQB8NDPLnZc+koSRUTHWV4-DrzA@mail.gmail.com>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticmetadata: 43da9c421be74aed97248473db21fd15
- Spamdiagnosticoutput: 1:23
- Spamdiagnosticoutput: 1:2
- Thread-index: AQHRr81RiL0V1zztI023t1uxL9+yoZ+8zhYA
- Thread-topic: CNA requirements
- User-agent: Microsoft-MacOutlook/f.16.0.160506
Kurt, Regarding the specific question concerning points of contact, I address it a bit in the draft CNA roster document: http://cveproject.github.io/docs/cna/DRAFT%20-%20Review%20and%20Update%20of%20CNA%20Roster.docx Periodically, each CNA will update their public, primary, and alternate contact points. The primary and alternate contacts should be individuals, whereas the public should probably be a mail alias that sends messages to queues or multiple individuals. This gives us a way to get into the generic email queue and also reach past that queue to get to the real people behind it. For projects where there is not a generic queue and contact is only with individuals, we could still request multiple contacts and keep that list updated periodically. If there is only one individual, if that person falls off the face of the Earth and they don’t give you an alternate or replacement, they should be disqualified from being a CNA. Providing active points of contact should be a requirement for being a CNA, I believe. Thoughts? Thanks. -Dan On 5/16/16, 19:43, "owner-cve-editorial-board-list@lists.mitre.org on behalf of Kurt Seifried" <owner-cve-editorial-board-list@lists.mitre.org on behalf of kseifried@redhat.com> wrote: >So I'm looking at the CNA requirements for DWF CNA's, obviously most >of > > >https://cve.mitre.org/cve/cna.html > > >pretty much directly applies. But one thing I have run into in other >situations is single point of contact, and the person leaves/etc. I'm >thinking for the case of a lot of smaller Open Source projects you >usually have a main developer so I think a single > point of contact being a problem is moot here (since without them the > project won't get updates, let alone CVEs). I was wondering what > other people thought? > >-- >Kurt Seifried -- Red Hat -- Product Security -- Cloud >PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 >Red Hat Product Security contact: secalert@redhat.com > > > > >
- Follow-Ups:
- Re: CNA requirements
- From: Kent Landfield <bitwatcher@gmail.com>
- Re: CNA requirements
- From: jericho <jericho@attrition.org>
- Re: CNA requirements
- References:
- CNA requirements
- From: Kurt Seifried <kseifried@redhat.com>
- CNA requirements
- Prev by Date: Also an update for the Linux CNAs
- Next by Date: Re: CNA requirements
- Previous by thread: CNA requirements
- Next by thread: Re: CNA requirements
- Index(es):
