
Re: New CNA - Booz Allen Hamilton

Disclaimer I'm not speaking for MITRE (obviously), just my opinion.

I understand the concerns, but we have process/methods to deal with "rogue" CNAs (e.g. feedback loops, not publishing their stuff, and other forms of censure, some of which I'm experienced with =), and more to the point we can't wait for perfect docs/process to happen, which also won't happen without operational experience. If I had to guess, I'm more concerned about the unknown problems we'll encounter vs. the ones we think we will (and have some idea how to handle). I'm also not convinced even having a rogue CNA is that bad, e.g. I already had to flip a pile of DWF assignments from PUBLIC to REJECT because of bad reference URLs and whatnot. While not ideal, it's not the end of the world. Having a perfect CVE system isn't going to happen, and we can't take it from where it is (people still actively hate CVE for past sins) to "good enough" without moving/making changes.

On Mon, Nov 6, 2017 at 2:14 PM, Landfield, Kent <Kent_Landfield@mcafee.com> wrote:

Why do we have Board calls if what is discussed on the calls is just ignored?  I personally feel there were serious issues discussed with these types of CNAs, but yet here we are with the Board comments totally ignored and the focus of the discussion now a CNA? We specifically discussed BAH and multiple Board Members had issues.


I personally do NOT want a slew of beltway bandits lining up with “me-too” requests. This type of CNA is NOT helpful to CVE, as discussed on the Board call.


But that’s ok, no one will listen yet again to the thoughts and comments of Board members.
From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Adinolfi, Daniel R" <dadinolfi@mitre.org>
Date: Monday, November 6, 2017 at 1:13 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: New CNA - Booz Allen Hamilton
Booz Allen Hamilton is now a CNA. Their scope is all Booz Allen Hamilton products as well as vulnerabilities in third-party software discovered by Booz Allen Hamilton that are not covered by another CNA.


Note, though we discussed the concerns related to too many new CNAs being on-boarded during last week's Board meeting, BAH was in the queue and had requested their participation many weeks ago.


Their public contact point is CVE@bah.com.
Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Numbering Authority (CNA) Coordinator

Email: <dadinolfi@mitre.org>  Phone: 781-271-5774
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: November 06, 2017