RE: Juniper to be added to the official list of CNAs
The CVE Team discussed the valid concerns raised by you during
yesterday's Board call and held the announcement of Juniper becoming a
CNA until we had the opportunity to have this discussion with our Board
colleagues. While the members agreed that mistakes are made with
Juniper and other CNAs, it was the opinion of the Board that bringing
on Juniper serves the needs of the community better than by not doing
so. The Board was specifically asked if they objected to bringing
Juniper on as a CNA. No members on the call objected.
The Board is a critical advisory function. As a Board member, you
raised concerns about Juniper. The CVE Team listened to those concerns
and raised them with the Board at our first opportunity to do so where
a discussion could be held and we could efficiently work through the
discussion. Per Kurt Seifried's good suggestion this morning, we're
happy to move to the private Board list to poll the Board on decisions
like these in the future.
Thank you for bringing up your concerns. We appreciate it.
Regards,
The CVE Team
-----Original Message-----
From: jericho [mailto:jericho@attrition.org]
Sent: Friday, April 22, 2016 1:05 AM
To: Common Vulnerabilities & Exposures <cve@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: Juniper to be added to the official list of CNAs
Importance: High
On Wed, 20 Apr 2016, Common Vulnerabilities & Exposures wrote:
: Brian -
:
: to their own opinions, all opinions must be considered. For example,
: the note to the private Board list yesterday regarding Juniper was
: intended to provide all Board members with an opportunity to privately
: voice opinions in a candid fashion that they may have been uncomfortable
: voicing in public. In this context, it is the person who posts the
: We understand and appreciate your objections to Juniper. Juniper is
: not being rewarded for anything. Rather, they are being brought online
: as a new CNA so that we can expand the CVE capability consistent with
: the stated objective of our Board colleagues to scale the capability
: under a federated approach to increase coverage. We were delighted to
So to sum this up:
MITRE made a unilateral decision to make Juniper a CNA, six days after
a board member expressed concerns over their handling of CVE
assignments, and gave board members an opportunity to bring up concerns
without stating that concerns had already been brought up, and that
Juniper already had a history of not following CNA guidelines. That the
board members could bring up concerns in private, with no indication or
direction they could also share the concerns publicly.
Again, remind us what the purpose of the board is exactly, if we're not
directing decisions. More importantly, when we do give input, even
proactively, it is apparently not considered nor brought up when
announcing MITRE's decisions that are made without any board input
whatsoever. I ask because the purpose of the board as seen by the
public, the board members, and MITRE seem to be at odds. Clearing this
up would be helpful for everyone involved.