[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CNA requirements

On Tue, 17 May 2016, Art Manion wrote:

: On 2016-05-17 10:54, Waltermire, David A. (Fed) wrote:
: > IMHO, I believe we need to address this in a way that supports a 
non-hierarchical, graph of communications between CNAs. This models 
what happens in the real world. It should be possible for any CNA to 
find any other CNA, get their contact info, and then reach out to them 
to coordinate on a CVE assignment. Relying on parent CNAs does not make 
this work.
: How about:  A CNA must have a working email and phone contact with 
: parent CNA and MITRE.  Responsibility of the CNA to keep it a working 
: contact, don't specify that it's two contacts.  Perhaps all CNA 
: go on a mailing list.  CNAs are required to maintain certain public 
: information (that could be presented on their site, parent CNA, 

MITRE is quasi-gov, CNAs are not.

I will not publish my phone number for 'CNA duties', because none of 
are that urgent. An alternate email address, IM contact, or a private 
phone # held with MITRE with clearly defined rules for contact (e.g. 
"between these hours on these days" or "only via SMS") maybe.

Page Last Updated or Reviewed: May 31, 2016