RE: On the topic of MITRE/Board transparency

["Coffin, Chris" <ccoffin@mitre.org>]

Brian,

Congress sent an inquiry to both MITRE and DHS regarding CVE. This 
request is a matter of public record. We assume the responses from both 
MITRE and DHS will also be a matter of public record. MITRE has not yet 
transmitted its response to Congress. Once the response is transmitted, 
should Congress make it public, all members of the general public will 
be able to review it, including any member of the Board. 
 
More importantly, MITRE looks forward to working with our colleagues to 
sustain the tremendous progress the program has made over the past 15 
months: implementing a federated program structure including a new 
governance and operational model; building upon and improving the CNA 
rules and implementation of them; recruitment of new CNAs; improving 
CVE-in-a-Box artifacts; improving data exchange; expanding 
internationally; and continuing bimonthly collaborative sessions and 
working groups with our Board colleagues, the CNAs, and the greater CVE 
community. 
 
Thank you for your ongoing feedback and please keep providing it.

Regards,

The CVE Team

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org 
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
jericho
Sent: Thursday, May 11, 2017 1:55 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: On the topic of MITRE/Board transparency
Importance: High

MITRE,

My last mail regarding the Google/robots.txt issue demonstrates that 
MITRE is not as transparent as they should be with the board. This is 
hardly the first time such an issue has come up. Like the "3000+ 
rejected" notice we received yesterday, that many had a problem with, 
and NVD spoke up about, there have been previous incidents:

Very Important Message for the Editorial Board [1]

    The world has changed significantly since CVE was released in 1999, 
and
    we are moving out rapidly to satisfy the needs of security 
researchers
    who need ready access to vulnerability IDs. To that end, MITRE will
    begin a pilot program to address rapid-response CVE-IDs on Monday, 
21
    March 2016. We wish to underscore that this is in no way an attempt 
to
    circumvent the Editorial Board but is rather an experimental step
    toward the federated vulnerability ID methodology that the community
    has been discussing over the past several years. We will work 
closely
    with the Board to evaluate the results of the pilot and to work
    together to develop a long-term solution that continues to expand
    coverage moving forward.

    Details of the pilot program are provided in the Press Release 
below,
    which will be published to the CVE-ANNOUNCE email list and to the 
CVE
    web site later today. It is important to note that this approach was
    chosen to avoid any conflict with the existing CVE process as it is
    currently operating, and that the IDs issued under the federated 
scheme
    during the pilot will not be analyzed and incorporated into the CVE
    list or feeds. There will be no effect on external operations; all
    in-scope vulnerabilities will be handled as they are now.

If we recall, this decision was not brought to the board at all. Once 
the Board learned of it, there was immediate question and criticism 
[2]. Only after that did MITRE first say they would like to discuss the 
issue/change with the board [3].

In that spirit, after showing two times where MITRE was clearly not 
transparent, the first on an annoyance and the second on an 
industry-impacting change, I would like to bring to the Board's 
attention another. This one may be more critical than any we have seen.

On 2017-04-10, in one of my *many* mails to CVE that are done outside 
of the board list, usually challenging them on breaking their own 
policies, auditing the declining quality of CVE assignments, or similar 
issues, I brought up a 'small' point in one of those emails. The 
relevant bit can be found at the end of this email.

The important part is that I called MITRE out for what is arguably the 
biggest event in CVE's history as far as "no confidence" and concern 
over the management of CVE. The fact that I had to hear about it from a 
CNA is interesting, as this should have been brought to the board's 
attention immediately by MITRE. When I brought it up in email, I told 
them that i expected a mail to the board with MITRE's statement two 
days later.

Instead, MITRE opted NOT to bring it to the board's attention. Instead, 
they replied to my very long mail that took over an hour to write, 
detailing numerous examples to back my statements showing that CVE was 
failing to adhere to their own abstraction rules, as well as other 
rules, by saying:

    First, you bring up a number of things in your message which are all
    important and all should be discussed fully and transparently. We
    encourage you to share this message with the Board so we can 
discuss it
    with the whole Board's input. We can also forward it along, if 
you're
    prefer to begin the conversation.

    We encourage you to share this message with the Board so we can 
discuss
    it with the whole Board's input.

Since I clearly stated "I expect a mail to the Board and CNA list no 
later than Wednesday about this", note both the board *and* CNA list, 
their deferral to have me bring it up on list is unacceptable. 
Especially given the severity of the topic. I waited several weeks for 
them to bring it up on their own, and they did not.

Quite simply, this is a lack of transparency in a tax-payer funded, 
government run initiative that impacts the entire IT industry. This is 
not acceptable, and we all deserve better.

So I am formally requesting, on list, that all correspondence between 
MITRE and Congress be sent to the list as well. Any correspondence is 
subject to FOIA and is not privileged, like many other aspects of 
MITRE's management of CVE (e.g. exact budgets, salaries, expenditures). 
Given your past claims of wanting to be transparent, this is your 
chance to restore some faith in that claim.

Brian

[1] https://cve.mitre.org/data/board/archives/2016-03/msg00017.html
[2] https://cve.mitre.org/data/board/archives/2016-03/msg00016.html
     https://cve.mitre.org/data/board/archives/2016-03/msg00015.html
[3] https://cve.mitre.org/data/board/archives/2016-03/msg00019.html

---------- Forwarded message ----------
From: jericho <jericho@attrition.org>
To: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
Cc: "Coffin, Chris" <ccoffin@mitre.org>,
     Common Vulnerabilities & Exposures <cve@mitre.org>
Date: Mon, 10 Apr 2017 02:37:13 -0500 (CDT)

[..]

https://energycommerce.house.gov/news-center/letters/letters-dhs-and-mitre-regarding-performance-critical-cyber-database

Congress is investigating MITRE and the deficiency. That is pretty big 
news, and I missed this completely until a CNA brought this to my 
attention. They sat on it for three days before they told me and 
started asking question.

Think about the above please.

And now that it has been brought up, I expect a mail to the Board and 
CNA list no later than Wednesday about this. The Board deserves an 
official reply from MITRE addressing these concerns. At least one CNA 
is concerned about this, and unwilling to take their concerns to MITRE 
directly. We all deserve to know what is going on.

[..]