Re: CNA requirements
Kurt,
Regarding the specific question concerning points of contact, I address
it a bit in the draft CNA roster document:
http://cveproject.github.io/docs/cna/DRAFT%20-%20Review%20and%20Update%20of%20CNA%20Roster.docx
Periodically, each CNA will update their public, primary, and alternate
contact points. The primary and alternate contacts should be
individuals, whereas the public should probably be a mail alias that
sends messages to queues or multiple individuals. This gives us a way
to get into the generic email queue and also reach past that queue to
get to the real people behind it.
For projects where there is not a generic queue and contact is only
with individuals, we could still request multiple contacts and keep
that list updated periodically. If there is only one individual, and
that person falls off the face of the Earth without giving you an
alternate or replacement, they should be disqualified from being a CNA.
Providing active points of contact should be a requirement for being a
CNA, I believe.
Thoughts?
Thanks.
-Dan
On 5/16/16, 19:43, Kurt Seifried <kseifried@redhat.com> (via
owner-cve-editorial-board-list@lists.mitre.org) wrote:
>So I'm looking at the CNA requirements for DWF CNAs; obviously most of
>https://cve.mitre.org/cve/cna.html pretty much directly applies. But one
>thing I have run into in other situations is a single point of contact,
>and the person leaves/etc. I'm thinking that for the case of a lot of
>smaller Open Source projects you usually have a main developer, so I
>think a single point of contact being a problem is moot here (since
>without them the project won't get updates, let alone CVEs). I was
>wondering what other people thought?
>
>--
>Kurt Seifried -- Red Hat -- Product Security -- Cloud
>PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>Red Hat Product Security contact: secalert@redhat.com