[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CNA Rules Announcement

Well that’s one way to raise operational revenue… ;-) 


I’d think what is needed here is a little experience with the rules.  I agree there are a few places where work is needed but this seems a reasonable start.  Kurt, this is good input for MITRE. I hope we can get others to take a look at what needs to be changed and/or clarified to assure its usefulness.  I view this document as simply a stake-in-the-ground to get us started towards more consistency, while giving us a base to improve from.



Kent Landfield



From: <owner-cve-cna-list@lists.mitre.org> on behalf of Kurt Seifried <kseifried@redhat.com>
Date: Friday, October 7, 2016 at 11:52 AM
To: "Coffin, Chris" <ccoffin@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>, cve-cna-list <cve-cna-list@lists.mitre.org>
Subject: Re: CNA Rules Announcement


Regarding the 


Examples of remediation and sanctions include, but are not limited to:

·         The development of training, guidance, or implementation materials for use by the CNAs;

·         Retraining of CNA staff;

·         Additional process documentation and reporting from a CNA;

·         Reduction of the number of CVE IDs a CNA has available to assign at a time;

·         Rejection of submissions; and

·         Revocation of CNA status.


Can I for example impose monetary fines? I think this section needs a LOT more work before it is adopted officially.


On Fri, Oct 7, 2016 at 9:14 AM, Coffin, Chris <ccoffin@mitre.org> wrote:



On Monday, October 10th, all CNAs should be assigning CVE IDs based on the new CNA rules listed here:




As you use these new rules, please feel free to share any feedback you might have with the rest of the CNA community and MITRE. We would like to understand what is working and what isn’t so that the rules evolve to meet the needs of the program and so that additional guidance and training can be developed based on what we collectively learn.  You can share your feedback through the cve-cna-list mailing list or directly to MITRE through the CVE Web Form.




It was noted by an early reviewer that the Rules document does not provide explicit guidance on how to notify the primary or root CNA regarding publications. Appendix B provides the format but does not mention the method, and this will be corrected soon. There are currently two acceptable methods of sending requests for publication. The first would be to use the above web form and select the option “Notify CVE about a publication.” This option works well if you are publishing one or maybe a handful of CVE IDs, but may not work well if publishing a large amount of CVE IDs. The second method would be to create a file as outlined in Appendix B and to email that file to us. We prefer that you use the cve@mitre.org address at the moment, though this could change in the future.


We intend to collect and broadly share feedback over the next 3-6 months so that these rules remain effective and current.  If this time frame must be accelerated based on the conditions on the ground, then it will be based on the feedback we receive.


Thank you to those that offered feedback during the drafting of the document. We look forward to working with the CNAs to help get these rules implemented and to work out any kinks.


Please let us know if you think it isn’t time to implement these new rules.  We think it is based on the feedback to-date coupled with the board call yesterday.



Chris Coffin

The CVE Team




Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 

Page Last Updated or Reviewed: October 07, 2016