policy, feelings, and the reality (was Re: nomination for ...)
On Wed, 14 Oct 2015, Pascal Meunier wrote:
: as a repudiation of Brian's methods, and an unwillingness to respond to
: trolling; it should not be interpreted as apathy.
Yet, that is exactly what it is. You may not like my methods, but very
few people are doing anything to change CVE and try to motivate MITRE to
improve.
I am curious if you/Purdue and Andy/Cisco want to also speak up as to why
it is so crucial we follow this documented procedure, when the board has
gone 15 years without many other procedures that should have been
documented, and never were? Would you also like to give your respective
organization's official opinion on MITRE not following their own
documented policy in several regards in the last 90 days? Perhaps Steve
Christey can explain why it was more important to quote that policy to me
than work on the extensive backlog of CVE requests in their queue, some
older than 50 days now.
For those who know me, they know I am pretty keen on following documented
policy and standards. I also recognize when they should be lobbied for
change, or ignored. However, since many other requests (most polite even!)
have fallen on deaf (apathetic?) ears, this is a testament to my method.
My second email prompted a few people to reply, and it prompted MITRE to
start the discussion per their policy. Oh, by the way, the idea of
bringing Kurt on the board was brought up privately at least twice to
MITRE, to at least two people, in the last few years. That didn't work,
but per policy, shouldn't it have started the process?
Meanwhile, other policies that should have existed a decade ago still
don't exist, legitimate questions aimed at trying to better understand the
MITRE process are unanswered, CNAs are still issuing advisories that do
not follow CVE procedures unchecked, one CNA is selectively issuing CVEs
for some vulnerabilities and not assigning for others (Andy, want to look
into that for us?), and more.
I'm really sorry I hurt your feelings, but personally I would rather see
things change for the better first. When MITRE is back to operating at the
previous capacity they were 9 months ago, or even better, 3 years ago,
then I vote we have a group hug and worry about the rest. The entire
industry has been going downhill quickly, as evidenced by the number of
organizations compromised every day that we hear about. Vulnerabilities
are not slowing down, despite claims otherwise based on some horrible
analysis of CVE numbers in recent years, and a significant chunk of our
industry is using security products that are based on the CVE dataset and
compete to see which of them has the 'best' coverage of one of the worst
vulnerability databases. Is it any wonder our industry can't protect
clients? Personally, I joined this board with some hesitation because I
read the archives first, and saw what I was getting into. But I joined to
try to make a difference and help CVE improve as a whole. The archives,
and dialogue since joining, make it very clear I am in the minority.
If you feel differently, I would love to get your opinion on why CVE has
just over 4,100 live IDs for 2015 compared to the 10,743 disclosed
vulnerabilities I am aware of. Do you feel that MITRE is doing a
sufficient job? Do you feel the board is doing a good job in helping guide
MITRE, give valuable input, ask questions to learn more about the process,
and generally improve how things are going?
Honest questions.