RE: New CNA - Booz Allen Hamilton

The big NIST contract with BAH ended some years ago, iirc.

Grep for "booz" through the CERT KB turns up one mention, a possible 
heap overflow due to an upstream product. Nothing in NVD.


Looking through job listings they do hire a ton of pen testers so I'd 
presume they want to be able to assign for vulnerabilities they find in 
the course of gigs. However, stating "we can even assign a CVE to 
anything we find" - as a feature of their service offerings - might be 

All that said, I personally tend to agree with Kurt. At this point in 
time, I would not expect to see the rate of new CNAs plateau - and I 
would prefer to run into these issues now, and learn and adapt from 
them more quickly, than drag this painful transformation out and risk 
losing momentum.

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org 
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
Sent: Monday, November 6, 2017 16:46
To: Coffin, Chris <ccoffin@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: New CNA - Booz Allen Hamilton
Importance: High

On Mon, 6 Nov 2017, Coffin, Chris wrote:

: In this case, BAH was interested and was willing to participate in the
: program as a CNA for their own products. They are also willing to fill
: the gaps where other CNAs do not provide coverage. Our understanding
: from the discussion was that this CNA falls into the category of a 
: and established organization that should be part of the CVE program,
: especially if they are reaching out to us to participate. It was the
: smaller research organizations that were the issue, right?

In the interest of transparency, and because I don't know if this 
represents a conflict or not, or is tangentially related... but could 
NIST/NVD clarify BAH's current role in the NVD process?

For those not aware, for several years NIST would out-source the NVD 
meta-data generation (e.g. CPE, CVSS scoring) to junior BAH 
consultants. I don't know how long that went on, if it still does, 
or if they changed vendors over the year.

I had asked both MITRE and NVD many years back about their involvement 
in the context of "when they find an error in a CVE, who do they report 
and I don't recall getting a real answer other than what in my memory 
was bureaucratic speak for "don't worry, it's handled".


Page Last Updated or Reviewed: November 07, 2017