
Re: CNA requirements



On Tue, 17 May 2016, Kurt Seifried wrote:

: On Tue, May 17, 2016 at 8:54 AM, Waltermire, David A. (Fed) <
: david.waltermire@nist.gov> wrote:
: 
: > IMHO, I believe we need to address this in a way that supports a
: > non-hierarchical, graph of communications between CNAs. This models what
: > happens in the real world. It should be possible for any CNA to find any
: > other CNA, get their contact info, and then reach out to them to coordinate
: > on a CVE assignment. Relying on parent CNAs does not make this work.

And this is where we get into a meta-discussion...

: So I've been thinking about this a bit and looking back at some 
: situations in the last 5000 or so CVE's I've assigned and some things 
: are obvious:
: 
: 1) Being a CNA requires you to have a mature security process, if you 

Patently false. 

- Apple is a CNA, they do not have a mature security process.
- IBM is a CNA, they have a convoluted disgusting security process. (Love
  Lisa and Scott, but it's true! Also, why isn't IBM on the board?)
- Oracle is a CNA, they do not have a mature security process.
- SGI is a CNA, they ... uh, don't exist?

That said, your outline on defining CNA requirements is great and helpful.
=) Just don't equivocate here.

Page Last Updated or Reviewed: May 31, 2016