[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CNA requirements

On Tue, 17 May 2016, Kurt Seifried wrote:

: On Tue, May 17, 2016 at 8:54 AM, Waltermire, David A. (Fed) <
: david.waltermire@nist.gov> wrote:
: > IMHO, I believe we need to address this in a way that supports a
: > non-hierarchical, graph of communications between CNAs. This models 
: > happens in the real world. It should be possible for any CNA to 
find any
: > other CNA, get their contact info, and then reach out to them to 
: > on a CVE assignment. Relying on parent CNAs does not make this work.

And this is where we get into a meta-discussion...

: So I've been thinking about this a bit and looking back at some 
: situations in the last 5000 or so CVE's I've assigned and some things 
: are obvious:
: 1) Being a CNA requires you to have a mature security process, if you 

Patently false. 

- Apple is a CNA, they do not have a mature security process.
- IBM is a CNA, they have a convoluted disgusting security process. 
  Lisa and Scott, but it's true! Also, why isn't IBM on the board?)
- Oracle is a CNA, they do not have a mature security process.
- SGI is a CNA, they ... uh, don't exist?

That said, your outline on defining CNA requirements is great and 
=) Just don't equivocate here.

Page Last Updated or Reviewed: May 31, 2016