On Wed, 27 Apr 2016, Art Manion wrote:
: Speaking of consequences, what if Juniper doesn't follow the rules?
: Withdraw their CNA status? Then who is going to issue CVE IDs for
: Juniper vulnerabilities? If a CNA assigns incorrectly, reject their
: assignments. If the CNA actually wants their CVE IDs to count, they'll
: shape up. If they don't, de-list them. And yes, this does sound like
: laissez-faire. The current model doesn't scale.
And I have spoken to this point as well. We don't just need rules, we need
a clear path on how MITRE will deal with them if they aren't following
rules. Unless MITRE decided to keep me out of the loop after I reported
CNAs not following rules many times, then I don't believe MITRE has been
following up with them much at all. Or perhaps for a fraction of my
complaints.
I can't imagine MITRE will actually revoke a CNA, because it goes against
their selfish interests (CVE is part of a multi-million dollar contract
they enjoy every year). That is a grim reality we need to remember as we
discuss this problem. I only bring it up because many of us had proposed
that MITRE bring on more CNAs several years ago, and that was met with
silence or opposition (usually in private). Now that they are being called
to task, it seems greenlighting new CNAs could be their answer, even if
the vendor has a history of bad assignments and board members object.
In fact, every CNA, current or proposed, should be audited once a year, to
ensure they are following assignment guidelines. What seems minor and
pedestrian on the surface to many (e.g. assigning a 2016 ID to a 2015
issue) can also snowball in huge ways, as seen in the 2016 Verizon DBIR
report (pg13, 'Vulnerabilities' section) where the methodology is not
defined, and they may be using the year of the ID to attribute disclosure
attributes. Even if they don't, *many* others have historically done just
that when generating yearly vuln totals based on CVE data. These stats are
about the only ones you see in any media, industry or mainstream. That CVE
didn't think 'disclosure date' was important to track in 1999 means
almost every vulnerability stat today is absurd and wrong.