
Re: CNA requirements



On Tue, 31 May 2016, Adinolfi, Daniel R wrote:

: Since we seem to not all agree on what a mature security process is, we
: should probably take a moment to define it. How would you (or others on
: the Board; please chime in) define or describe a "mature" security
: process? I'm guessing that there could be many definitions of such a
: thing, and if CVE would like to see their CNAs have a mature process, we
: will need to have a stick to measure "mature" against.

I think the first distinction is a 'mature' security process, and a
'mature' CNA process. Very different things. In my list, those orgs fail
on both accounts for a variety of reasons.

: What does a mature process look like? How much does the process depend
: on the organization and how they do software/hardware dev and QA, handle

For starters, actually answering security related mails. Any org that does
not, should not be a CNA. That would immediately move Apple to the top of
the list, as they have failed to answer several emails from myself and
colleagues over the last year. Mine were related to bad CVE assignments
(e.g. duplicates) and other CVE-related matters, that they ignored.

: of the bigger community of practice discussion. Should we include this
: discussion in that working group as well?

Absolutely.

: P.S. SGI does exist. Their CNA contact is Michael O'Connor, and they can
: be reached publicly at security-info@sgi.com.

Curious they are a CNA though, given their published advisories. =) 
Nothing from them in ages, and nothing from their parent company *ever* 
historically that I am aware of.


Page Last Updated or Reviewed: June 01, 2016