[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CNA requirements


Since we seem to not all agree on what a mature security process is, we 
should probably take a moment to define it. How would you (or others on 
the Board; please chime in) define or describe a "mature" security 
process? I'm guessing that there could be many definitions of such a 
thing, and if CVE would like to see their CNAs have a mature process, 
we will need to have a stick to measure "mature" against. 

What does a mature process look like? How much does the process depend 
on the organization and how they do software/hardware dev and QA, 
handle PR issues, support their customers, etc? Or should our 
definition be a standard, regardless of the organizational details? Are 
we just measuring how they respond to vulnerabilities in their 
products, or should we measure beyond that part of their operational 

One of the working groups coming out of recent Editorial Board meetings 
is working on creating standards/guidelines for CVE submissions as part 
of the bigger community of practice discussion. Should we include this 
discussion in that working group as well?


P.S. SGI does exist. Their CNA contact is Michael O'Connor, and they 
can be reached publicly at security-info@sgi.com. 

On 5/28/16, 02:45, "owner-cve-editorial-board-list@lists.mitre.org on 
behalf of jericho" <owner-cve-editorial-board-list@lists.mitre.org on 
behalf of jericho@attrition.org> wrote:

>On Tue, 17 May 2016, Kurt Seifried wrote:
>: On Tue, May 17, 2016 at 8:54 AM, Waltermire, David A. (Fed) <
>: david.waltermire@nist.gov> wrote:
>: > IMHO, I believe we need to address this in a way that supports a
>: > non-hierarchical, graph of communications between CNAs. This 
>models what
>: > happens in the real world. It should be possible for any CNA to 
>find any
>: > other CNA, get their contact info, and then reach out to them to 
>: > on a CVE assignment. Relying on parent CNAs does not make this 
>And this is where we get into a meta-discussion...
>: So I've been thinking about this a bit and looking back at some 
>: situations in the last 5000 or so CVE's I've assigned and some 
>: are obvious:
>: 1) Being a CNA requires you to have a mature security process, if 
>Patently false. 
>- Apple is a CNA, they do not have a mature security process.
>- IBM is a CNA, they have a convoluted disgusting security process. 
>  Lisa and Scott, but it's true! Also, why isn't IBM on the board?)
>- Oracle is a CNA, they do not have a mature security process.
>- SGI is a CNA, they ... uh, don't exist?
>That said, your outline on defining CNA requirements is great and 
>=) Just don't equivocate here.

Page Last Updated or Reviewed: June 01, 2016