I've been thinking about this a lot recently, mostly because I'll hopefully start minting CNAs in not too long a period.
Some thoughts:
1) What exactly is a "mature" security process?
2) What exactly is a "mature" CVE process?
For #1 I think ideally it's "vendors accept security bugs (or find them internally) and fix them, ideally with some notification mechanism (e.g. ChangeLog, labeling commits, security errata, etc.)." I would say the utter minimum here is accepting bugs and documenting them in some public format, e.g. in a bug tracker. Ideally they would then provide some response/guidance (e.g. a patch, or "we're not going to fix it because...") so people can make an informed decision. In general most projects have this capability by virtue of hosting on a platform that has a bug tracking capability (e.g. GitHub).
For #2 the core of a CVE is a CVE # attached to a security vulnerability, so what is the minimum here? Description-wise, the:
[Vendor name] [product name] version [version info] is vulnerable to a [flaw type] in the [component] resulting in [some impact].
is good; worst case, we can live without the exact vuln type (e.g. CVE-2016-1000002: it's trivial to verify, and I have no idea what the underlying vuln actually is), without an exact impact (e.g. quite a few kernel bugs are not proven to be exploitable, but we can all agree they need to be CVE'd up and fixed), and without exact vulnerability information (e.g. someone may be pen testing something and not know exactly what version it is). Obviously the more information the better.
So for #2 all I care about is that the CNA do "quality" CVE assignments that are correct (in terms of SPLIT/MERGE, it's an actual vuln, etc.). Again at a minimum this information will allow people to make some decisions (do we stop using this software worst case?) and so on.
So as for things like "vendor replies to emails", I honestly don't care from a CNA/CVE point of view, as long as the vendor CNA does proper CVEs. This is especially true in the Open Source world: I know one guy that is responsible for a library we all use, he gets 700+ emails a day and guess what? He won't be replying to yours unless it's super awesome.
So for myself I think the DWF CNA requirements basically boil down to "Do they issue correct CVEs and push the data back upstream?"; in other words, if it walks, talks and looks like a duck, close enough for me.
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com