Re: Question about dual source vendors
Wonderful, thank you.
Pascal
On 06/17/2016 12:54 PM, Kurt Seifried wrote:
> On Fri, Jun 17, 2016 at 10:18 AM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:
>
>> I very much like the idea of someone being able to get an identifier from an alternate CNA, when the CNA nominally responsible for an area is dysfunctional or unwilling to perform, say due to a conflict of interest like refusing to admit that an issue is a real concern or trying to delay disclosure. These conflicts of interest are quite possible when the CNA is also the vendor, which seems to be the model going forward. There should ideally be alternate, secondary or "backup" CVE issuers for all domains.
>>
>
> My understanding is that the "root" CNA of a federation (e.g. Open Source -> DWF) should be the CVE issuer of last resort, with a final backstop of MITRE as the "ultimate-root". So if a researcher can't get satisfaction from the CNA or the DWF they can go to MITRE as the final option. One second-order effect is that vendors may become more cooperative since researchers/reporters will now have a better course of action to take. This is one of the reasons I added the TIMELINE data to the DWF data; I want to start holding vendors more accountable and allow the public to have more data to base security-related decisions on.
>
>
>>
>> Pascal
>>
>> On 06/17/2016 11:32 AM, Andy Balinsky (balinsky) wrote:
>>
>>> Regarding "CNA shopping": is this a problem, as long as only 1 CVE gets issued?
>>> Andy
>>> On Jun 16, 2016, at 7:37 PM, Adinolfi, Daniel R <dadinolfi@mitre.org> wrote:
>>>
>>> Thinking through the issue:
>>>
>>> Ideally, the vendor would themselves be a CNA, covering their products regardless of the type of licensing model.
>>>
>>> Not every company can be or wants to be a CNA, of course, so how do we handle those?
>>>
>>> If there is another sector-based CNA (e.g., Healthcare systems) or a regional CNA (e.g., JPCERT), the company could work directly with those CNAs, who will facilitate the CVE assignment and disclosure regardless.
>>>
>>> If neither of these situations fits, it will depend on how DWF manages their assignees. MITRE as a CNA has the advantage of being a trusted third party for vulnerability disclosure. When closed-source software is involved, that trust can be important. If DWF creates that same level of trust with closed-source vendors, they could also fulfill that role. But this leads to some tricky scoping issues, and it could create situations similar to "CNA shopping" or introduce other coordination issues.
>>>
>>> How do other folks feel about these scoping issues?
>>>
>>> Thanks.
>>>
>>> -Dan
>>>
>>>
>>> ________________________________
>>> From: owner-cve-editorial-board-list@lists.mitre.org <owner-cve-editorial-board-list@lists.mitre.org> on behalf of Kurt Seifried <kseifried@redhat.com>
>>> Sent: Thursday, June 16, 2016 7:13:58 PM
>>> To: cve-editorial-board-list
>>> Subject: Question about dual source vendors
>>>
>>> So increasingly we have "dual source" vendors, that is, vendors with everything from fully OSI Open Source to completely closed source. Basically any large commercial vendor already (Microsoft, Oracle, etc.) and a growing number of others (witness the proliferation of GitHub projects).
>>>
>>> I am talking to one that is not a CNA, and they want to do CVEs for both their Open Source and their closed source. But there is no easy way to do this currently other than ask cve-assign@mitre.org directly (and it seems after they read the https://cve.mitre.org/cve/data_sources_product_coverage.html document they were under the impression cve-assign@mitre.org could NOT do it).
>>>
>>> I would like to propose that for vendors where Open Source is a major part of what they ship, or the core of their commercial product, the DWF be able to take them under its wing, as it were.
>>>
>>> One hypothetical example that fits into this model would be a company like Ansible (let's ignore the fact that Red Hat acquired it and as such Ansible falls under the Red Hat CNA). Ansible currently has "ansible", which is the Open Source core, and Ansible Tower, which is a currently closed source management/dashboard. I think in a case like this it makes sense to have a company like Ansible be a CNA under the DWF for both the Open Source parts and the closed source parts.
>>>
>>> Thoughts/comments?
>>>
>>> --
>>> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>>> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>>> Red Hat Product Security contact: secalert@redhat.com
>>>
>>>
>
>