
RE: On the topic of MITRE/Board transparency

On Thu, 11 May 2017, Coffin, Chris wrote:

: Congress sent an inquiry to both MITRE and DHS regarding CVE. This 
: request is a matter of public record. We assume the responses from 

You know what they say about "assume", yes?

MITRE didn't bring the original "public record" to the list. A CNA 
it, and asked me questions about it, to which I had no answers. This is 
how things work in 2017.

: MITRE and DHS will also be a matter of public record. MITRE has not 
: transmitted its response to Congress. Once the response is 
: should Congress make it public, all members of the general public 
: be able to review it, including any member of the Board.

Yep, that doesn't work for me. See below.

: More importantly, MITRE looks forward to working with our colleagues 
: sustain the tremendous progress the program has made over the past 15 

You look forward to working with us... when you didn't bring the letter 
the board? Even though Congress' letter is public, you still hide 
this notion that your response, whenever you get around to it, may or 
not be public?

Please, re-read my subject line. In the interest of transparency, you 
your response to the list shortly after you send it to Congress. No 
no "but", no equivocation.

: months: implementing a federated program structure including a new 

Oh stop. "Federated program" only brings up a single thing in my mind; 
when MITRE tried to circumvent the board and create some new standard 
made all of us collectively question you. We saw it via news articles, 
almost 24 hours later, the 'update' articles said it was shuttered 
industry questioning. This is so disrespectful to the board.

: governance and operational model; building upon and improving the CNA 
: rules and implementation of them; recruitment of new CNAs; improving 

The same rules I have called out repeatedly, on and off list. The 
CNA rules that MITRE continually violates. This isn't about you keeping 
CNAs in line... for a month now, it has been about keeping MITRE in 
with following the CNA rules, specifically around abstraction.

This mail makes it clear I should stop mailing MITRE off-list. Every 
single mail I send that points out MITRE breaking their own rules, 
questioning assignments, questioning your policies... every single one 
MUST be on list, for the public record. It's pretty clear to me that 
is keen on ignoring all of that and putting on a pretty public face.

: CVE-in-a-Box artifacts; improving data exchange; expanding 

It's curious you say "CVE-in-a-Box"!

I sent FOIA requests to DHS on that specific term in 2015. They replied 
few months ago saying "no records" available. So... you brought it up 
list. What does that term even mean? Why didn't you share that with the 
board? Why didn't you share it with DHS, which I was under the 
you did? If you DID bring it up with DHS in some capacity, why is DHS 
"withholding" that on a FOIA request? That is illegal of course... so 
answer is of particular interest to me. Since we're on board list, 
is public, I expect full disclosure here. Transparency and all, which 
the entire nature of this thread.

: internationally; and continuing bimonthly collaborative sessions and 
: working groups with our Board colleagues, the CNAs, and the greater 
: community.

All the while, getting dissenting opinions from the board in varying 
degrees, and completely ignoring some of those concerns.

: Thank you for your ongoing feedback and please keep providing it.

Oh, your pretty government-funded words are so expected. And I will. 
not in the channels you expect me to. CVE, as run by MITRE, has become 
such a complete disgrace to the industry. The lack of respect you show 
"stakeholders" is incredible.


Page Last Updated or Reviewed: May 15, 2017