RE: Juniper to be added to the official list of CNAs
On Wed, 20 Apr 2016, Common Vulnerabilities & Exposures wrote:
: Brian -
:
: to their own opinions, all opinions must be considered. For example,
: the note to the private Board list yesterday regarding Juniper was
: intended to provide all Board members with an opportunity to privately
: voice opinions in a candid fashion that they may have been uncomfortable
: voicing in public. In this context, it is the person who posts the
: We understand and appreciate your objections to Juniper. Juniper is
: not being rewarded for anything. Rather, they are being brought online
: as a new CNA so that we can expand the CVE capability consistent with
: the stated objective of our Board colleagues to scale the capability
: under a federated approach to increase coverage. We were delighted to
So to sum this up:

MITRE made a unilateral decision to make Juniper a CNA, six days after a
board member expressed concerns over their handling of CVE assignments,
and gave board members an opportunity to bring up concerns without stating
that concerns had already been brought up, and that Juniper already had a
history of not following CNA guidelines. That the board members could
bring up concerns in private, with no indication or direction they could
also share the concerns publicly.

Again, remind us what the purpose of the board is exactly, if we're not
directing decisions. More importantly, when we do give input, even
proactively, it is apparently not considered nor brought up when
announcing MITRE's decisions that are made without any board input
whatsoever. I ask because the purpose of the board as seen by the public,
the board members, and MITRE seems to be at odds. Clearing this up would be
helpful for everyone involved.