
Re: CNA requirements



Why can't we make it one of the rules for a CNA?

There must be two points of contact identified at all times either to 
MITRE or the parent CNA. If a listed point of contact leaves the 
company, the company is required to notify the appropriate parent CNA 
of the POC change.

Kent Landfield
+1.817.637.8026 

> On May 17, 2016, at 7:33 AM, Adinolfi, Daniel R <dadinolfi@mitre.org> 
> wrote:
> 
> Kurt,
> 
> Regarding the specific question concerning points of contact, I 
> address it a bit in the draft CNA roster document:
> 
> http://cveproject.github.io/docs/cna/DRAFT%20-%20Review%20and%20Update%20of%20CNA%20Roster.docx
> 
> Periodically, each CNA will update their public, primary, and 
> alternate contact points. The primary and alternate contacts should 
> be individuals, whereas the public should probably be a mail alias 
> that sends messages to queues or multiple individuals. This gives us 
> a way to get into the generic email queue and also reach past that 
> queue to get to the real people behind it.
> 
> For projects where there is not a generic queue and contact is only 
> with individuals, we could still request multiple contacts and keep 
> that list updated periodically. If there is only one individual, if 
> that person falls off the face of the Earth and they don’t give you 
> an alternate or replacement, they should be disqualified from being a 
> CNA. Providing active points of contact should be a requirement for 
> being a CNA, I believe.
> 
> Thoughts?
> 
> Thanks.
> 
> -Dan
> 
>> On 5/16/16, 19:43, "owner-cve-editorial-board-list@lists.mitre.org 
>> on behalf of Kurt Seifried" 
>> <owner-cve-editorial-board-list@lists.mitre.org on behalf of 
>> kseifried@redhat.com> wrote:
>> 
>> So I'm looking at the CNA requirements for DWF CNAs, obviously most 
>> of 
>> 
>> https://cve.mitre.org/cve/cna.html
>> 
>> pretty much directly applies. But one thing I have run into in other 
>> situations is single point of contact, and the person leaves/etc. 
>> I'm thinking for the case of a lot of smaller Open Source projects 
>> you usually have a main developer so I think a single point of 
>> contact being a problem is moot here (since without them the project 
>> won't get updates, let alone CVEs). I was wondering what other people 
>> thought? 
>> 
>> --
>> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>> Red Hat Product Security contact: secalert@redhat.com
> 


Page Last Updated or Reviewed: May 17, 2016