
Re: New CNA - Booz Allen Hamilton

Out of curiosity, can someone link a vuln disclosure in one of their 
products? Or one of their research advisories?

I ask because a quick search suggests there are none, of either. 
Adding CNAs that have little to no history of disclosures, in their own 
products or in others, seems odd to me. Especially if there was Board 
push-back on adding them in the first place.


On Mon, 6 Nov 2017, Kurt Seifried wrote:

: Disclaimer I'm not speaking for MITRE (obviously), just my opinion.
: I understand the concerns, but we have process/methods to deal with 
: CNAs (e.g. feedback loops, and not publishing their stuff, other forms of
: censure, some of which I'm experienced with =) and more to the point 
: can't wait for perfect docs/process to happen, which also won't happen
: without operational experience. If I had to guess I'm more concerned 
: the unknown problems we'll encounter, vs. the ones we think we will 
: have some idea to handle). I'm also not convinced even having a rogue 
: is that bad, e.g. I already had to flip a pile of DWF assignments from
: PUBLIC to REJECT because of bad reference URLs and whatnot. While not
: ideal, it's not the end of the world. Having a perfect CVE system 
: going to happen, and we can't take it from where it is (people still
: actively hate CVE for past sins) to "good enough" without 
: changes.
: On Mon, Nov 6, 2017 at 2:14 PM, Landfield, Kent wrote:
: > Why do we have Board calls if what is discussed on the calls are 
: > ignored?  I personally feel there were serious issues discussed with these
: > types of CNAs but yet here we are with the Board comments totally 
: > and the focus of the discussion now a CNA? We specifically discussed BAH
: > and multiple Board Members had issues.
: >
: > *From: *<owner-cve-editorial-board-list@lists.mitre.org> on behalf of
: > "Adinolfi, Daniel R" <dadinolfi@mitre.org>
: > *Date: *Monday, November 6, 2017 at 1:13 PM
: > *To: *cve-editorial-board-list 
: > *Subject: *New CNA - Booz Allen Hamilton
: >
: > Booz Allen Hamilton is now a CNA. Their scope is all Booz Allen 
: > products as well as vulnerabilities in third-party software discovered by
: > Booz Allen Hamilton that are not covered by another CNA.
: >
: > Note, though we discussed the concerns related to too many new CNAs 
: > on-boarded during last week's Board meeting, BAH was in the queue and had
: > requested their participation many weeks ago.

Page Last Updated or Reviewed: November 06, 2017