Re: procedure for penalizing or revoking CNA status?
On Tue, 1 Sep 2015, Art Manion wrote:
: CERT/CC has experienced at least one, possibly two CNAs that do not
: assign CVE IDs in a timely or correct manner, per the CVE content
: decision/abstraction rules. We see this when:
So... CERT/CC sees a variety of problems that I do not, because I am not a
CNA. I can only imagine that non-vendor CNAs run into problems with
vendors like this, and I hope they speak up.
: I don't know how much of the board bylaws are written down anywhere, but
: maybe we should consider some basic governance/voting procedures. Even
: if we don't right away agree on everything that goes in to decisions to
: add/remove CNAs, we could have a procedure along the lines of:
That is the reason that I asked about current CNA guidelines. What is
shared with them, what is firmly written as rules, what is written as
guidelines?
Also, when they break said rules or guidelines, what next?
: Document the evidence and vote on the mailing list. Also, it's common
: for group members to lose voting privileges (or even membership) due to
: lack of participation.
So because a few asked me off list, since I was vague... let me share a
tad more detail.
#1 The primary CNA I referenced in my mail is IBM. If their CNA status
isn't revoked, I will have serious issues with the process. An editorial
board member mailed them about improper assignments, and they said they
would look into it. More than three months later, no change. I mailed
MITRE directly, who said they would contact IBM and later said they did.
No change. I mailed IBM again a month+ later reminding them, no change. We
have a CNA that has been issuing the same wrong CVE ID to the same issue,
for over six months, across almost *50 ADVISORIES*, without changing their
policy. This is implicit, inexcusable, and intentional abuse of the CNA
process. They should be revoked right now, no question, end of story.
#2 There are three other CNAs that have clearly demonstrated they don't
understand the assignment process. One of them, a big database company
that rhymes with "Asshole" (but spelled 'ORACLE'), breaks from CNA policy
differently than others. I am not the only one who has had issues with
their assignment SNAFUs.
#3 Two more CNAs have just come to my attention through some pretty
interesting digging into disclosures, showing that they issue an ID based
on disclosure date, not reported date, consistently. This goes against CNA
policy I hope, as it definitely goes against CVE's actual assignment
policy. This causes us to get vulnerability assignments for the wrong
year, and seriously messes with any meaningful metrics and statistics.
I would, again, like to know the explicit guidelines given to a CNA for
assignment, along with the documented policy for handling a CNA that is
not following said policy. MITRE is the overlord in this game, and they
control who has the ability to make assignments. This isn't a time to
'play nice'. In fact, it is specifically a time to play rough, because any
of these major companies that get their CNA status suspended or revoked
will be the black sheep in the media and our industry. The onus will be on
them to make things right.
This is a proper time for MITRE to be a bully of sorts, and ensure the
kids are playing by the rules.
: I realize adding more formal rules/bylaws increases the governance
: overhead, but it may be necessary to move that direction. A couple
: documents about board membership were circulated in April. Would an
: active board member volunteer to draft something about CNA requirements?
Stop there. It's 2015, and CNA assignment issues have been at play for at
least five years, likely longer. I have to assume that there are
guidelines already and they aren't quickly available on the web. If not,
the bigger question is why? When MITRE was approached about this earlier
this year, that should have been a great impetus to draft such rules and
make them public.
.b