
Re: CNA requirements


Regarding the specific question concerning points of contact, I address 
it a bit in the draft CNA roster document:


Periodically, each CNA will update their public, primary, and alternate 
contact points. The primary and alternate contacts should be 
individuals, whereas the public should probably be a mail alias that 
sends messages to queues or multiple individuals. This gives us a way 
to get into the generic email queue and also reach past that queue to 
get to the real people behind it.

For projects where there is not a generic queue and contact is only 
with individuals, we could still request multiple contacts and keep 
that list updated periodically. If there is only one individual, and 
that person falls off the face of the Earth without giving you an 
alternate or replacement, they should be disqualified from being a CNA. 
Providing active points of contact should be a requirement for being a 
CNA, I believe.




On 5/16/16, 19:43, "owner-cve-editorial-board-list@lists.mitre.org on 
behalf of Kurt Seifried" 
<owner-cve-editorial-board-list@lists.mitre.org on behalf of 
kseifried@redhat.com> wrote:

> So I'm looking at the CNA requirements for DWF CNAs, obviously most 
> pretty much directly applies. But one thing I have run into in other 
> situations is single point of contact, and the person leaves/etc. I'm 
> thinking for the case of a lot of smaller Open Source projects you 
> usually have a main developer so I think a single point of contact 
> being a problem is moot here (since without them the project won't 
> get updates, let alone CVEs). I was wondering what other people 
> thought? 
>Kurt Seifried -- Red Hat -- Product Security -- Cloud
>PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: May 31, 2016