[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On the topic of MITRE/Board transparency


My last mail regarding the Google/robots.txt issue demonstrates that MITRE is not as transparent as they should be with the board. This is hardly the first time such an issue has come up. Like the "3000+ rejected" notice we received yesterday, that many had a problem with, and NVD spoke up about, there have been previous incidents:

Very Important Message for the Editorial Board [1]

   The world has changed significantly since CVE was released in 1999, 
   we are moving out rapidly to satisfy the needs of security 
   who need ready access to vulnerability IDs. To that end, MITRE will
   begin a pilot program to address rapid-response CVE-IDs on Monday, 21
   March 2016. We wish to underscore that this is in no way an attempt 
   circumvent the Editorial Board but is rather an experimental step
   toward the federated vulnerability ID methodology that the community
   has been discussing over the past several years. We will work closely
   with the Board to evaluate the results of the pilot and to work
   together to develop a long-term solution that continues to expand
   coverage moving forward.

   Details of the pilot program are provided in the Press Release below,
   which will be published to the CVE-ANNOUNCE email list and to the CVE
   web site later today. It is important to note that this approach was
   chosen to avoid any conflict with the existing CVE process as it is
   currently operating, and that the IDs issued under the federated 
   during the pilot will not be analyzed and incorporated into the CVE
   list or feeds. There will be no effect on external operations; all
   in-scope vulnerabilities will be handled as they are now.

If we recall, this decision was not brought to the board at all. Once the Board learned of it, there was immediate question and criticism [2]. Only after that did MITRE first say they would like to discuss the issue/change with the board [3].

In that spirit, after showing two times where MITRE was clearly not transparent, the first on an annoyance and the second on an industry-impacting change, I would like to bring to the Board's attention another. This one may be more critical than any we have seen.

On 2017-04-10, in one of my *many* mails to CVE that are done outside of the board list, usually challenging them on breaking their own policies, auditing the declining quality of CVE assignments, or similar issues, I brought up a 'small' point in one of those emails. The relevant bit can be found at the end of this email.

The important part is that I called MITRE out for what is arguably the biggest event in CVE's history as far as "no confidence" and concern over the management of CVE. The fact that I had to hear about it from a CNA is interesting, as this should have been brought to the board's attention immediately by MITRE. When I brought it up in email, I told them that i expected a mail to the board with MITRE's statement two days later.

Instead, MITRE opted NOT to bring it to the board's attention. Instead, they replied to my very long mail that took over an hour to write, detailing numerous examples to back my statements showing that CVE was failing to adhere to their own abstraction rules, as well as other rules, by saying:

   First, you bring up a number of things in your message which are all
   important and all should be discussed fully and transparently. We
   encourage you to share this message with the Board so we can discuss 
   with the whole Board's input. We can also forward it along, if you're
   prefer to begin the conversation.

   We encourage you to share this message with the Board so we can 
   it with the whole Board's input.

Since I clearly stated "I expect a mail to the Board and CNA list no later than Wednesday about this", note both the board *and* CNA list, their deferral to have me bring it up on list is unacceptable. Especially given the severity of the topic. I waited several weeks for them to bring it up on their own, and they did not.

Quite simply, this is a lack of transparency in a tax-payer funded, government run initiative that impacts the entire IT industry. This is not acceptable, and we all deserve better.

So I am formally requesting, on list, that all correspondence between MITRE and Congress be sent to the list as well. Any correspondence is subject to FOIA and is not privileged, like many other aspects of MITRE's management of CVE (e.g. exact budgets, salaries, expenditures). Given your past claims of wanting to be transparent, this is your chance to restore some faith in that claim.


[1] https://cve.mitre.org/data/board/archives/2016-03/msg00017.html
[2] https://cve.mitre.org/data/board/archives/2016-03/msg00016.html
[3] https://cve.mitre.org/data/board/archives/2016-03/msg00019.html

---------- Forwarded message ----------
From: jericho <jericho@attrition.org>
To: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
Cc: "Coffin, Chris" <ccoffin@mitre.org>,
    Common Vulnerabilities & Exposures <cve@mitre.org>
Date: Mon, 10 Apr 2017 02:37:13 -0500 (CDT)



Congress is investigating MITRE and the deficiency. That is pretty big news, and I missed this completely until a CNA brought this to my attention. They sat on it for three days before they told me and started asking question.

Think about the above please.

And now that it has been brought up, I expect a mail to the Board and CNA list no later than Wednesday about this. The Board deserves an official reply from MITRE addressing these concerns. At least one CNA is concerned about this, and unwilling to take their concerns to MITRE directly. We all deserve to know what is going on.


Page Last Updated or Reviewed: May 15, 2017