[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A note from GitHub about your repository

The artifact in question is their agreement with the CVE terms of use:


They were explicitly notified in the email, that they then had to reply to with "I accept" typed in. By removing the artifact I'd also have to revoke the CVE and REJECT it. I would also note that their email data is in a variety of other places like the cvelist git repo (in a branch), and in MITRE's backend database. 

As I said before GDPR has a variety of aspects, one of which is often referred to as "the right to be forgotten", but this is not absolute (my favourite example being the tax avoidance strategy =). If we acquiesce to this demand then the DWF cannot exist in GitHub.

What happens if I withdraw my consent for cve-assign@distributedweaknessfiling.org?

This is a major problem that we need to actually solve in some way. Part of it will be finding providers that are "Safe". 

On Wed, Oct 10, 2018 at 11:52 AM Lisa Olson <elolson@microsoft.com> wrote:

Hi Kurt,

Is the information that this person wants to be removed in the https://github.com/CVEProject repository? Is there a specific CVE that contains his/her email address?

Is there are strong reason for not removing this personal information? If the vulnerability has been fixed and documented by the CVE, why would we need to maintain the personal information.  Microsoft has taken the position that if someone wants their acknowledgement information removed, we will honor that request.


Is the repository that Morgan/GitHub will  be required to remove the https://github.com/CVEProject repository?


Sorry if my questions show my ignorance, just trying to catch up.




From: Kurt Seifried <kurt@seifried.org>
Sent: Wednesday, October 10, 2018 9:08 AM
To: Greg Ose (GitHub Staff) <support@github.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@mitre.org>; miskander@github.com; Robert Schultheis <rschultheis@github.com>
Subject: Re: A note from GitHub about your repository



On Wed, Oct 10, 2018 at 9:50 AM Morgan (GitHub Support) <support@github.com> wrote:

Hi Kurt,

Thanks for your reply, and apologies for the delay in coming back to you.

We appreciate that you may have properly obtained consent from the user to public their information publicly; but at this time, the user has withdrawn that consent, as they are permitted to under GDPR.


This isn't entirely true. You can't for example call your local tax authority and tell them you're withdrawing consent from being processed. For a variety of business process and technology and legal reasons it is possible for this "right to be forgotten" to not universally apply.


We feel that it's in everyone's best interests to have you and the user connect to figure out what's an appropriate solution. Since you


I already did, I thought it was at an end and then they made this complaint. I think an appropriate solution is "you consented, TWICE, to publishing your email address publicly, you could have chosen NOT to give consent and used an alternate email address specifically for this purpose, as such we are not removing your data". 



already have the user's information, we'd recommend you reach out to them directly to discuss a resolution. Please be advised that, until you're able to work out an alternative with the user, we need you to remove the user's personal information, or we'll be required to remove the repository. We'll check back in a week to see if this has been resolved. If not, we will need to disable the repository. Please let us know if you have any other questions.


To the board: it looks like the CVE community will need to stop using GitHub until this is resolved as their current interpretation of GDPR essentially makes it impossible for the DWF to use the CVE data people submit (as they can revoke it, even after agreeing in a positive manner). I will be transitioning the DWF off of GitHub when I have time. I also suspect this means MITRE and others cannot use GitHub safely as well. 





Kurt Seifried

Kurt Seifried

Page Last Updated or Reviewed: October 11, 2018