
Re: procedure for penalizing or revoking CNA status?

It's been 337 days, and there is no progress on this. Before anyone else 
on the board starts whining, there have been a series of mails between me 
and CVE during this time, challenging a specific CNA for violating policy. 
MITRE has chosen to send one email to the CNA (so they said) and nothing 
else, without follow-up, without responding to MY follow-up to them when 
the CNA has continually broken protocol since the initial complaint.

I am replying now because a 2nd CNA is clearly not following policy in 
assignments (specifically related to assignment, nothing else). Since 
MITRE will not really challenge a CNA after hundreds of mistakes over a 
near one-year period, I can't assume they will take action on this. Not 
going to bring up the 2nd CNA, until the first is resolved, who is much 
more egregious.

Thus, I take it to the board for input. We're here to guide and give input 
to the CVE process, right? I believe that is the purpose of the editorial 
board, on paper. Personally, I think the purpose stops there as far as 
MITRE is concerned... on paper.

If any of you actually give a shit, which I know half of this list does 
not, as the position on the board and position of CNA is self-serving 
based on past actions. For you assholes, your position is secure, stop 
reading here! For the rest, that may actually care, please read on.

On Fri, 10 Oct 2014, Steven M. Christey wrote:

: On Thu, 25 Sep 2014, jericho wrote:
: 
: Some context for CNA-related errors: traditionally, we've had approximately a
: 0.5% REJECT rate for CVEs overall, but that percentage has gone up in recent

The initial complaint that sparked this email was not based on a REJECT 
situation. It was based on a CNA using the wrong CVE assignment almost 
every day for three months, then it tapered off where they only used it 
a few times a week, as they found fewer products affected.

I contacted the CNA many times telling them it was an incorrect 
assignment, quoted the CVE that specifically said it was for a specific 
vendor (not the CNA), and asked them to assign a new one. They didn't. 
Months later, I brought MITRE into the loop, and they tell me they sent an 
email to the CNA. Yet, it didn't stop... almost nine months later, that 
CNA is still writing current advisories on a vulnerability, using the CVE 
that was assigned for a different vendor (because this is implementation 
based, meaning each vendor who screws up gets their own CVE).

I specifically asked about revoking their CNA status after they showed 
months of not caring about CVE standards. I showed that I had already 
contacted them months prior, asking them to follow protocol, to issue a 
new CVE. It is quite clear, the CNA does not care, and MITRE does not 
care. This is no surprise, because the CNA/CVE game is a great 
public-facing "we care" piece, when that is anything but the truth.

: years, although I don't track these stats regularly or precisely (yet).  
: While I personally dislike REJECTs, the 0.5% rate doesn't indicate a 
: systemic problem.  But since the raw number of CVE assignments has also 
: risen along with the rate, the raw number of REJECTs has increased 
: noticeably.  REJECTs, for us and I believe for many CVE consumers, can 
: cause confusion and be time-consuming to resolve.

Yep, masturbate over an issue and statistics that are fascinating any 
other time, but entirely irrelevant to this conversation. MITRE's presence 
on oss-sec shows that assignment-masturbation is the only thing of real 
interest to them. Kurt continues to be the super-CNA (my term) and 
continues to be absent from this editorial board for some reason... why? 
Half this tinpot board should be scrapped in favor of him. The fact no one 
has nominated him, or referenced him in his CNA activity is telling.

: We do not have any formal procedures for warning, penalizing, and/or 
: revoking CNA status, but we agree that we should develop some.  One 

Wow, 16 years later, this is really the first time a CNA has demonstrated 
they don't understand policy? (I call bullshit)

Rhetorical question, because many have demonstrated that. Just that 
several of them do it infrequently, so it is easier to work around them, 
add a tech note, and let them flounder in their shitty security response 
efforts. I find one that clearly doesn't give a shit, point it out, harass 
MITRE, and nothing is done. Now, I find another not following protocol (to 
a much lesser degree at least!), and I have no choice but to call out this 
entire charade. If you won't fix the real bastard in the group, no way you 
fix the lesser demon.

: issue is that things have gotten much more complex, and what might 
: appear to be a CNA error could in fact be due to limitations of the CNA 
: process, many of which were discussed in the early days of CVE, if I 

Stop making excuses for them, jesus. You are already shielding the CNAs 
from very simple, very clear policy. WHY?

Don't answer that, MITRE and I both know the answer to that question. If 
anyone on the board doesn't know it... please resign, immediately. You 
aren't an active participant in this game.

: recall correctly. When developing procedures, we also need to ensure 
: that any disciplinary measures - when necessary - are not out of balance 
: with the offense.

Uh... hello? You say "you should develop some", while shielding shitty 
CNAs immediately, then further back it up with some hypothetical about 
disciplinary measures?

Are you guys fucking daft? YOU CONTROL CVE. You are the overlords of this 
failing effort. You are considered the industry standard on this. Wo(man) 
up and take the reins here already. If a CNA is working against the 
long-stated purpose of CVE, about assigning a unique identifier to a 
vulnerability, why would you flake for over half a year, then say "oh god 
we don't want to step on the fucking dandelions here"? In doing so, you 
are working AGAINST your stated goal. The 1+ million government grant that 
funds CVE, that most of the board pays for via taxes, is not being used 
properly.

: However, we also need to be clear on what is causing the errors.  The errors

No, we do not. Because I outlined that very clearly, several times. CVE 
issued an implementation-based identifier to one company, that implemented 
a protocol wrong. Months later, a CNA said "derp, the CVE clearly says 
this is only applicable to $NOTUS, but let's use that ID anyway!" I called 
them out pretty quick (why didn't MITRE notice this again?), explained why 
they should not use the identifier, asked that they issue or request a new 
ID for their own company, which has a metric shit-ton of products. They 
continue issuing the bad ID, I correct them again. They continue issuing 
the bad ID, I correct them and loop MITRE in. MITRE says they sent a mail 
clarifying, the CNA continues issuing the bad ID months later.

There is no issue on clarity here, as far as the CNA fucking up. The only 
issue on clarity is why MITRE doesn't give a shit, why they didn't 
follow-up on this properly, and why they didn't put their foot down.

But hey, the answer is very obvious, and not one CVE/MITRE wants to admit. 
So... time to fess up. Explain why you were completely ineffectual in 
dealing with this, or just admit that you rely on the CNAs like crutches, 
because the base CVE effort is so hamstrung by their own bureaucracy it 
isn't funny.

At this point, and I have the emails proving it, there is no other choice. 
You get A or B.

: that occur are rarely due to carelessness.  For example, we've learned that

It isn't "carelessness". It is "we don't give a fuck" about the rules or 
process. We use our CNA status to appear we care about customers! And this 
CNA is an absolute trainwreck when it comes to security advisories. They 
are currently being used in discussions with the government to show how 
vulnerability disclosure "should not happen". Seriously... people who have 
a vested interest in our industry, and protecting vulnerability research, 
are using this company (a CNA) as an example of "how not to do shit". They 
are THAT bad. But hey, all you board members are experts, and clearly 
noticed this too.

: over time, people's jobs (naturally) shift; and the original technical lead
: for a CNA might move to a different role, and the replacement is not as
: well-trained.  As another example, there are researchers who contact multiple

QUIT. MAKING. EXCUSES.

This is a company that has been around longer than MITRE, doing 'computer 
shit' for many decades longer than CVE existed. They are the 'masters' of 
(shitty) documentation. It may suck, but they know all about documenting 
it! If this CNA can't convey the policy from one person to another, they 
shouldn't be a CNA. They are known for marching a dozen lawyers into a 
meeting where 'policy' is in question related to another company. So much 
so, it is a funny scene in a recent TV show.

But hey, fuck that, it isn't relevant. You are making bullshit excuses 
trying to hide the fact that CVE/MITRE has no process to police a CNA. I 
called them out. I called them out again. I called them out a third time 
and brought CVE/MITRE in the loop. MITRE gets involved, supposedly. 
Crickets.

: CNAs for CVEs and effectively introduce duplicates that way (not maliciously,
: as far as I can tell); many researchers, especially those new to the industry,

In this case, apathy is malicious. The CNA not caring, causing this 
confusion and headache, is born out of "we don't give a shit".

: don't really understand how CVE works, and are not necessarily diligent in

WE ARE NOT TALKING RESEARCHERS. 

This thread was about CNAs. Companies that signed in blood saying they 
were "CVE compliant", and THEN went the extra step to say "we can be a 
CNA!", or MITRE said "derp, you sound like a good CNA!"

: reading our fairly extensive documentation.  As a third example, the
: significant media attention and urgency given to some issues, along with
: non-coordinated disclosure, introduces room for error.  Incomplete

This is an entirely different argument. One that you do not want to have 
with me. If CVE monitored the media to a small degree, they could counter 
this problem rather trivially. But they don't, because they don't care.

MITRE is giving proactive excuses to media problems in assignment, while 
we're doing per-media-outlet breakdowns of vuln coverage, by day. How does 
this magic work?! I read a few security-centric news sites during lunch, 
to see what is making the news. Not rocket science here. You want a 
per-month breakdown of what vulnerabilities Threatpost covered last month? 
Got it. Fascinating shit, seriously, and that is why we track it. The kind 
of data that is interesting, but likely won't become a blog or paper for 
another year.

: *disclosure* coordination happened with both Heartbleed and Shellshock, and
: was a factor in the confusion - for which CVE was a symptom and not a cause

Shellshock 'disclosure' problems can be squarely dumped on the vendor, not 
the researcher. This has nothing to do with the thread or my points. Quit 
diverting the topic.

: In the coming months, we will improve our tracking for REJECTs and why 
: they happen; consult more closely with CNAs; and consult with the Board 
: on ways forward.

Bullshit. Absolute, 100%, let-me-be-a-fluffer to the CVE board response. 
CVE, and you specifically, have done nothing to help resolve my problem 
while this CNA that continues to use the wrong ID for a vuln, after almost 
9 months. I've mailed them three times, you say you have mailed them once, 
and ignored my follow-up asking what the outcome was.

You are not doing what you promised. You are not guaranteeing the 
integrity of CVE. Nothing about this situation suggests that MITRE is 
doing the 'right thing'. Why not?

Bottom line... wake the fuck up, pretend you give a shit about 
vulnerability disclosure. MITRE has become so complacent it is disgusting. 
I mean hell, MITRE threw in the towel years ago as far as tracking 
vulnerabilities. Then desperately tried to 'care' with medical disclosures 
recently (with the sole purpose to chase more funding), while missing the 
obvious medical-related disclosures before, and during this pathetic push. 
It is abundantly clear MITRE is grasping at straws here.

The next two 'iterations' of CVE have been pitched to DHS yet they weren't 
communicated to the editorial board. Why not? What is our purpose here 
exactly, other than a token 'board' to make it look like MITRE cares about 
the community? Why weren't we consulted for input on those papers and 
proposals before being sent to DHS? Do you not think we're experts and 
can't give meaningful input? Or is it that you have long known the board 
is just a public-facing diversion?

This board is straight out of a dystopian novel, where the dictator has 
the board of 'yes men', which is largely what this pathetic board is made 
of. In this scenario, I know what my place is, based on about every 
dystopian novel with this scenario.

"Thank you, but I'd rather die behind the chemical sheds."

Brian

p.s. FOIA is a bitch.


Page Last Updated or Reviewed: September 01, 2015