RE: Juniper to be added to the official list of CNAs
Brian -
Thank you for your thoughtful reply. The CVE Team will continue to
post under the name CVE Team. Where specific points of contact are
necessary, the members of the Board will be provided those. I am the
MITRE CVE Project Lead, having assumed this role at the beginning of
the year. If accountability is the concern, my contact information is
below. I'm happy to field any questions, concerns and comments anyone
may have on behalf of the CVE Team.
Your opinion regarding what should be posted to public versus private
lists is valid, but there are others who may have different opinions
that are equally valid. Since all Board members are equal and entitled
to their own opinions, all opinions must be considered. For example,
the note to the private Board list yesterday regarding Juniper was
intended to provide all Board members with an opportunity to privately
voice opinions in a candid fashion that they may have been
uncomfortable voicing in public. In this context, it is the person who
posts the opinion who is best able to determine whether they want their
opinion posted publicly, and is not up to anyone but them to make that
decision if the original intent of a private list is to be honored.
Using the private list does not preclude in any way public discussions,
and in many ways can accelerate the tempo and quality of such
discussions. As we collectively rework the roles and interactions of
CNAs and the broader issue set around the CVE capability, there will
likely be occasions where private discussions are required to better
serve what is discussed publicly.
We understand and appreciate your objections to Juniper. Juniper is
not being rewarded for anything. Rather, they are being brought online
as a new CNA so that we can expand the CVE capability consistent with
the stated objective of our Board colleagues to scale the capability
under a federated approach to increase coverage. We were delighted to
hear Juniper's enthusiasm to be active, flexible participants in
charting the way forward. They are best positioned to do this as a
CNA, as is Intel. It gives them a real stake in the outcomes we
collectively wish to achieve. This is the CVE Team's opinion that we
look forward to discussing with our Board colleagues. More broadly,
the CVE Team understands the issues with CNAs; such issues have not
been ignored and our goal is to actively address them with the Board.
In the past, the CVE Team has not effectively communicated with the
Board in terms of frequency, content and follow-through. We
acknowledge this, apologize for it, and intend to make this right going
forward. We voiced this at the 30 March discussion and look forward to
the Board call tomorrow to continue the positive trajectory in dealing
with the dozens of issues that will arise as we collectively work to
scale the capability. We have adopted the "fail fast" mentality. That
mentality applies to more than just the DWF pilot.
I am unsure what "fruity integration" means in the context of GitHub.
We committed to the Board to get our documents up on GitHub at the 30
March discussion. That is done. We use the site for other non-CVE
projects and have had good experience with it. We use github.io as a
simple way to present the markdown-expressed documentation. Is there
a specific issue that underpins "fruity integration" that you are able
to make us aware of? If you prefer not to work within the github.io
presentation layer, you may access the documents in the "cna" and
"content" directories at: https://github.com/CVEProject/docs.
The CVE Team is receptive to any means the Board determines is
appropriate for effective collaboration. At the 30 March meeting,
GitHub was suggested and we agreed. We are entirely open to other
suggestions and have some of our own. For example, Google Docs may be
a good place to develop first version documents prior to releasing them
on GitHub for public review and comment as this allows a smaller group
of very knowledgeable experts to establish something that makes sense
based on our collective experience, thereby minimizing the transaction
costs when we engage the public. In certain cases, this may be an
appropriate approach while in others it may not be. The Board is best
suited to decide these matters on a case-by-case basis.
The CVE Team has the following objectives: 1) effectively communicate
with CVE stakeholders; 2) improve operational efficiency; and 3) scale
the CVE capability. All of our team members believe in and are
accountable for achieving these objectives, which were established in
February 2016. We fully understand that the answers to many of the
issues that must be addressed are not resident within our knowledge
base. We reached out to the Board to schedule the 30 March meeting and
greatly appreciate their willingness to meet every two weeks on an
ongoing basis to better identify issues, structure the decisions
required to resolve the issues, and make concrete decisions to move the
capability forward.
Regards,
The CVE Team
___________________
Chris Levendis
MITRE
Homeland Security Systems Engineering and
Development Institute (HS SEDI)
(MITRE) 703-983-2801
(Cell) 703-298-8593
clevendis@mitre.org
-----Original Message-----
From: jericho [mailto:jericho@attrition.org]
Sent: Wednesday, April 20, 2016 2:16 AM
To: Common Vulnerabilities & Exposures <cve@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: Juniper to be added to the official list of CNAs
Importance: High
This was originally posted to the 'private' Editorial board list. I am
moving this thread to the public list as well, because it involves the
industry at large. The private list should only be used for matters
related to the board, such as voting on new members, not for discussing
industry-wide issues. Also, please note that the move to private list
has happened more in the last 60 days than it has in the last 6 - 18
months.
This is not acceptable to the industry.