
Re: CNA requirements

belated...

On Tue, 17 May 2016, Adinolfi, Daniel R wrote:

: Regarding the specific question concerning points of contact, I address it a bit in the draft CNA roster document:
: 
: http://cveproject.github.io/docs/cna/DRAFT%20-%20Review%20and%20Update%20of%20CNA%20Roster.docx
: 
: Periodically, each CNA will update their public, primary, and alternate contact points. The primary and alternate contacts should be individuals, whereas the public should probably be a mail alias that sends messages to queues or multiple individuals. This gives us a way to get into the generic email queue and also reach past that queue to get to the real people behind it.
: 
: For projects where there is not a generic queue and contact is only with individuals, we could still request multiple contacts and keep that list updated periodically. If there is only one individual, if that person falls off the face of the Earth and they don't give you an alternate or replacement, they should be disqualified from being a CNA. Providing active points of contact should be a requirement for being a CNA, I believe.

If the org is giving us a single person, yes. This is spot on.

If the PoC is an alias that goes to many people, no.

Also, pretty sure I brought this up in previous threads, but I will say it again. Before we require CNAs to periodically do anything, MITRE absolutely MUST periodically send out current CNA guidelines. MITRE must absolutely periodically call out the CNAs failing to assign per the guidelines, which is happening more and more. I'm getting really tired of policing the CNAs, and I only send mails maybe 1 out of 50 times that I see them breaking policy. Yes, it's that bad.

Page Last Updated or Reviewed: May 31, 2016