On the topic of MITRE/Board transparency
MITRE,
My last mail regarding the Google/robots.txt issue demonstrates that MITRE
is not as transparent as they should be with the board. This is hardly the
first time such an issue has come up. Like the "3000+ rejected" notice we
received yesterday, that many had a problem with, and NVD spoke up about,
there have been previous incidents:
Very Important Message for the Editorial Board [1]
The world has changed significantly since CVE was released in 1999, and
we are moving out rapidly to satisfy the needs of security researchers
who need ready access to vulnerability IDs. To that end, MITRE will
begin a pilot program to address rapid-response CVE-IDs on Monday, 21
March 2016. We wish to underscore that this is in no way an attempt to
circumvent the Editorial Board but is rather an experimental step
toward the federated vulnerability ID methodology that the community
has been discussing over the past several years. We will work closely
with the Board to evaluate the results of the pilot and to work
together to develop a long-term solution that continues to expand
coverage moving forward.
Details of the pilot program are provided in the Press Release below,
which will be published to the CVE-ANNOUNCE email list and to the CVE
web site later today. It is important to note that this approach was
chosen to avoid any conflict with the existing CVE process as it is
currently operating, and that the IDs issued under the federated scheme
during the pilot will not be analyzed and incorporated into the CVE
list or feeds. There will be no effect on external operations; all
in-scope vulnerabilities will be handled as they are now.
If we recall, this decision was not brought to the board at all. Once the
Board learned of it, there was immediate question and criticism [2]. Only
after that did MITRE first say they would like to discuss the issue/change
with the board [3].
In that spirit, after showing two times where MITRE was clearly not
transparent, the first on an annoyance and the second on an
industry-impacting change, I would like to bring to the Board's attention
another. This one may be more critical than any we have seen.
On 2017-04-10, in one of my *many* mails to CVE that are done outside of
the board list, usually challenging them on breaking their own policies,
auditing the declining quality of CVE assignments, or similar issues, I
brought up a 'small' point in one of those emails. The relevant bit can be
found at the end of this email.
The important part is that I called MITRE out for what is arguably the
biggest event in CVE's history as far as "no confidence" and concern over
the management of CVE. The fact that I had to hear about it from a CNA is
interesting, as this should have been brought to the board's attention
immediately by MITRE. When I brought it up in email, I told them that I
expected a mail to the board with MITRE's statement two days later.
Instead, MITRE opted NOT to bring it to the board's attention. Instead,
they replied to my very long mail that took over an hour to write,
detailing numerous examples to back my statements showing that CVE was
failing to adhere to their own abstraction rules, as well as other rules,
by saying:
First, you bring up a number of things in your message which are all
important and all should be discussed fully and transparently. We
encourage you to share this message with the Board so we can discuss it
with the whole Board's input. We can also forward it along, if you'd
prefer to begin the conversation.
We encourage you to share this message with the Board so we can discuss
it with the whole Board's input.
Since I clearly stated "I expect a mail to the Board and CNA list no later
than Wednesday about this", note both the board *and* CNA list, their
deferral to have me bring it up on list is unacceptable. Especially given
the severity of the topic. I waited several weeks for them to bring it up
on their own, and they did not.
Quite simply, this is a lack of transparency in a tax-payer funded,
government run initiative that impacts the entire IT industry. This is not
acceptable, and we all deserve better.
So I am formally requesting, on list, that all correspondence between
MITRE and Congress be sent to the list as well. Any correspondence is
subject to FOIA and is not privileged, like many other aspects of MITRE's
management of CVE (e.g. exact budgets, salaries, expenditures). Given your
past claims of wanting to be transparent, this is your chance to restore
some faith in that claim.
Brian
[1] https://cve.mitre.org/data/board/archives/2016-03/msg00017.html
[2] https://cve.mitre.org/data/board/archives/2016-03/msg00016.html
https://cve.mitre.org/data/board/archives/2016-03/msg00015.html
[3] https://cve.mitre.org/data/board/archives/2016-03/msg00019.html
---------- Forwarded message ----------
From: jericho <jericho@attrition.org>
To: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
Cc: "Coffin, Chris" <ccoffin@mitre.org>,
Common Vulnerabilities & Exposures <cve@mitre.org>
Date: Mon, 10 Apr 2017 02:37:13 -0500 (CDT)
[..]
https://energycommerce.house.gov/news-center/letters/letters-dhs-and-mitre-regarding-performance-critical-cyber-database
Congress is investigating MITRE and the deficiency. That is pretty big
news, and I missed this completely until a CNA brought this to my
attention. They sat on it for three days before they told me and started
asking questions.
Think about the above please.
And now that it has been brought up, I expect a mail to the Board and CNA
list no later than Wednesday about this. The Board deserves an official
reply from MITRE addressing these concerns. At least one CNA is concerned
about this, and unwilling to take their concerns to MITRE directly. We all
deserve to know what is going on.
[..]