procedure for penalizing or revoking CNA status?
For the rest of the board, there has been an increasing reason to better
monitor and restrict CVE assignment. Both from researchers requesting them,
and from CNAs who don't understand CVE or the abstraction process.
If this is unfamiliar to you, you aren't watching CVE closely.
That said, I have had separate conversations off-the-record with CVE about
this issue, but feel it is time to bring it up formally. There are several
CNAs who continually assign IDs against current policy, against current
documented standards. This is the first time that a CVE was issued, and
rightfully blamed CNA failure for the duplication.
First, I applaud CVE in issuing this description. It helps to show the
complexity of the project, and using third-parties for assignment.
Second, this is public and visible evidence that some CNAs cannot be
trusted to do their job. Once or twice, no problem. However, generally
speaking I know this is a much bigger problem. There needs to be some set
of guidelines that keeps a CNA in check, and ultimately strips them of
that duty if they cannot abide by the rules.
If such guidelines are not in place from a CVE standpoint, they need to be
implemented ASAP. If they exist, they should be shared with the editorial
board at the least, if not posted publicly so the industry can better help
regulate this. CVE is a government-funded project, but done for the
community with *significant* buy-in and effort by the community.
======================================================
Name: CVE-2014-3659
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3659
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20140514
Category:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-7169. Reason:
This candidate is a reservation duplicate of CVE-2014-7169 because the
CNA for this ID did not follow multiple procedures that are intended
to minimize duplicate CVE assignments. Notes: All CVE users should