RE: Juniper to be added to the official list of CNAs
This was originally posted to the 'private' Editorial board list. I am moving this thread to the public list as well, because it involves the industry at large. The private list should only be used for matters related to the board, such as voting on new members, not for discussing industry-wide issues. Also, please note that the move to the private list has happened more in the last 60 days than it has in the last 6 - 18 months. This is not acceptable to the industry.
Joe,
On Tue, 19 Apr 2016, Common Vulnerabilities & Exposures wrote:
First, can MITRE quit posting as "Common Vulnerabilities & Exposures <cve@mitre.org>" please? There are more than 10 MITRE employees on the Editorial Board list who are not members of the Board. I am happy to enumerate them if there is any question about that fact. This specific response came after you (Joe) joined the fray too, and your title:

Joe Sain
CVE Communications and Outreach Lead

So I have to assume this is you. If I am wrong, it only makes my point for me.
We need accountability in the face of all the criticism MITRE has received the last year. It is not ethical, or appropriate, that anyone there hide behind the CVE name. Or "cve-id-change" (one post historically) or "CVE-assign" (one post historically). This isn't conducive to trust.

From here out, I suggest that MITRE only reply to board traffic from an individual, even if it is a general 'CVE' policy proposal. The board list is for discussion of ideas. If the final, voted-on, decision comes from a generic CVE address, I can see that as a proper use of an alias, maybe.
: Juniper, as a new CNA, will become better over time as they practice
: being a CNA. Another member suggested that all CNA-related documents be
Wait... they failed to follow CNA guidelines *before* they were a CNA. Meaning, they asked for assignments from MITRE, who issued them. And Juniper published advisories that were problematic, and didn't follow CVE abstraction. MITRE is rewarding them for that behavior, by giving them full CNA status, saying "they will learn"?

I am officially objecting to this policy and precedent. This is absolutely the wrong move, and not going to help the mess that is CVE. Worse, you did so six days after a formal complaint about Juniper, from an active board member? And... worser(?), you did it 7+ months after I specifically asked, and hounded MITRE on, providing official CNA guidance documentation. This is clearly an effort of MITRE to produce more CNAs to help alleviate the assignment workload, while ignoring many Editorial Board members saying we need more CNAs over the last three years. Bandaids aren't going to work at this point, and this is a perfect representation of such a bandaid. Taking our advice three years later, without proper documentation, is a step-by-step recipe for more problems.
Remind me, why are we, the board, here? To expand on this... I have been the only one that I am aware of, policing several CNAs that are not following the old legacy guidelines re: abstraction. I have probably filed more complaints to MITRE on CNAs than anyone else. If that isn't the case, please introduce me to whoever is doing it more than I am. I'd like to compare notes. Why? Because I only mail once out of every ~25 instances of a CNA not following rules. e.g. IBM jumped the CNA shark a year or two ago. When I pointed it out repeatedly, and showed they continually gave the wrong assignments for known/public issues, the response from MITRE was "you are right, we MIGHT contact them". To this day, I don't know if MITRE contacted IBM, but I do know they kept using the same offending assignment three months after that mail thread. I have to assume MITRE ignored the rogue CNA, and ignored the complaints from a board member.

At some point, MITRE needs to address these issues publicly. The reason people are not happy with this situation, and DHS should be fully aware of, is that most of the solutions were handed to MITRE on a silver platter all along. Every step of the way, MITRE ignored them.
: posted publicly so that all CNAs understand better what the CNA
: requirements are. This is a good idea and we have established a GitHub
: site for these documents at: http://cveproject.github.io/docs/. The
I'm sorry, GitHub is generally accepted to be at github.com. Why did MITRE choose to use github.io, a "GitHub pages" domain that was converted in 2013, that has some fruity integration with github.com (meaning the UX is lacking)? Why wasn't that discussed with the board? Why was that site chosen AFTER the DWF initiative specifically chose GitHub.com due to prevalence and adoption? Every single belated reaction from MITRE to the CVE problems is answered by the textbook definition of "worst solution". When those decisions are questioned, MITRE goes quiet... both on list, and off list. I have the emails to prove that if you have any doubt.

Could MITRE form a team to figure this out, and work toward providing a more friendly and intuitive experience for board members bringing up problems? If you start a random crappy hosted RedMine tracker to track these issues, I will scream.