
RE: CNA requirements



IMHO, I believe we need to address this in a way that supports a 
non-hierarchical graph of communications between CNAs. This models 
what happens in the real world. It should be possible for any CNA to 
find any other CNA, get their contact info, and then reach out to them 
to coordinate on a CVE assignment. Relying on parent CNAs does not make 
this work.

Regards,
Dave



> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org 
> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kent Landfield
> Sent: Tuesday, May 17, 2016 9:41 AM
> To: Adinolfi, Daniel R <dadinolfi@mitre.org>
> Cc: Kurt Seifried <kseifried@redhat.com>; cve-editorial-board-list 
> <cve-editorial-board-list@lists.mitre.org>
> Subject: Re: CNA requirements
> 
> Why can't we make it one of the rules for a CNA?
> 
> There must be two points of contact identified at all times, either 
> to MITRE or the parent CNA. If a listed point of contact leaves the 
> company, the company is required to notify the appropriate parent CNA 
> of the POC change.
> 
> Kent Landfield
> +1.817.637.8026
> 
> > On May 17, 2016, at 7:33 AM, Adinolfi, Daniel R 
> > <dadinolfi@mitre.org> wrote:
> >
> > Kurt,
> >
> > Regarding the specific question concerning points of contact, I 
> > address it a bit in the draft CNA roster document:
> >
> > http://cveproject.github.io/docs/cna/DRAFT%20-%20Review%20and%20Update%20of%20CNA%20Roster.docx
> >
> > Periodically, each CNA will update their public, primary, and 
> > alternate contact points. The primary and alternate contacts should 
> > be individuals, whereas the public should probably be a mail alias 
> > that sends messages to queues or multiple individuals. This gives us 
> > a way to get into the generic email queue and also reach past that 
> > queue to get to the real people behind it.
> >
> > For projects where there is not a generic queue and contact is only 
> > with individuals, we could still request multiple contacts and keep 
> > that list updated periodically. If there is only one individual, if 
> > that person falls off the face of the Earth and they don't give you 
> > an alternate or replacement, they should be disqualified from being 
> > a CNA. Providing active points of contact should be a requirement 
> > for being a CNA, I believe.
> >
> > Thoughts?
> >
> > Thanks.
> >
> > -Dan
> >
> >> On 5/16/16, 19:43, "owner-cve-editorial-board-list@lists.mitre.org 
> >> on behalf of Kurt Seifried" 
> >> <owner-cve-editorial-board-list@lists.mitre.org on behalf of 
> >> kseifried@redhat.com> wrote:
> >>
> >> So I'm looking at the CNA requirements for DWF CNAs; obviously 
> >> most of
> >>
> >> https://cve.mitre.org/cve/cna.html
> >>
> >> pretty much directly applies. But one thing I have run into in 
> >> other situations is a single point of contact, and the person 
> >> leaves/etc. I'm thinking for the case of a lot of smaller Open 
> >> Source projects you usually have a main developer, so I think a 
> >> single point of contact being a problem is moot here (since without 
> >> them the project won't get updates, let alone CVEs). I was 
> >> wondering what other people thought?
> >>
> >> --
> >> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> >> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> >> Red Hat Product Security contact: secalert@redhat.com
> >

Page Last Updated or Reviewed: May 31, 2016