Re: HP's policy on CVE assignments

Just a note: it might be useful to go through the CNA docs and highlight some of the potentially undefined/problematic terms/phrases, e.g. "public disclosure" and so on, so that we can maybe define them better.

On Tue, Apr 11, 2017 at 7:41 AM, Adinolfi, Daniel R <dadinolfi@mitre.org> wrote:


We are contacting HP to discuss their disclosure policy to verify that it is not in conflict with the CNA Rules.

Once we have spoken to HP and have a better understanding of the issues, we will report back to the Board.

Please let us know if there are any other questions or concerns about this issue.




Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Communications and CNA Coordinator

Email: <dadinolfi@mitre.org>  Phone: 781-271-5774




From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of jericho <jericho@attrition.org>
Date: Monday, April 10, 2017 at 22:59
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: HP's policy on CVE assignments


Can MITRE weigh in on this please? Pretty significant stance for a CNA to take, saying they will selectively assign based on how a solution is delivered. I feel this goes against the spirit and purpose of CVE.


On Fri, 7 Apr 2017, jericho wrote:


: Caught this via Twitter. Thoughts?




Kurt Seifried

Page Last Updated or Reviewed: April 11, 2017