[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New CNA - Booz Allen Hamilton

Please list any of their products where they have published an advisory in the past.



Kent Landfield





From: "Coffin, Chris" <ccoffin@mitre.org>
Date: Monday, November 6, 2017 at 3:32 PM
To: Kent Landfield <Kent_Landfield@McAfee.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: New CNA - Booz Allen Hamilton




I apologize if there was any confusion or misunderstanding around this topic.


In this case, BAH was interested and was willing to participate in the program as a CNA for their own products. They are also willing to fill the gaps where other CNAs do not provide coverage. Our understanding from the discussion was that this CNA falls into the category of a large and established organization that should be part of the CVE program, especially if they are reaching out to us to participate. It was the smaller research organizations that were the issue, right?


If we run into any significant scope concerns with any of our CNAs, we can definitely address those when they appear. The concerns regarding the addition of new CNAs to the program were noted and we will put a hold on any outreach activities temporarily. As we discussed, we will focus on building the base, i.e., identifying and developing Root CNAs. We can continue this discussion in the next Strategic Planning WG call and list.






From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
Sent: Monday, November 6, 2017 3:14 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>; Coffin, Chris <ccoffin@mitre.org>
Subject: Re: New CNA - Booz Allen Hamilton


Why do we have Board calls if what is discussed on the calls are just ignored?  I personally feel there were serious issues discussed with these types of CNAs but yet here we are with the Board comments totally ignored and the focus of the discussion now a CNA? We specifically discussed BAH and multiple Board Members had issues. 


I personally do NOT want a slew of beltway bandits lining up with “me-too” requests. This type of CNA is NOT helpful to CVE, as discussed on the Board call.


But that’s ok, no one will listen yet again to the thoughts and comments of Board members.



Kent Landfield





From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Adinolfi, Daniel R" <dadinolfi@mitre.org>
Date: Monday, November 6, 2017 at 1:13 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: New CNA - Booz Allen Hamilton




Booz Allen Hamilton is now a CNA. Their scope is all Booz Allen Hamilton products as well as vulnerabilities in third-party software discovered by Booz Allen Hamilton that are not covered by another CNA.


Note, though we discussed the concerns related to too many new CNAs being on-boarded during last week's Board meeting, BAH was in the queue and had requested their participation many weeks ago.


Their public contact point is CVE@bah.com.






Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Numbering Authority (CNA) Coordinator

Email: <dadinolfi@mitre.org>  Phone: 781-271-5774




Page Last Updated or Reviewed: November 13, 2017