
Re: Question about dual source vendors



Seems this conversation is morphing from simple clarification to 
something broader.  Let me see if I can dissect this….

Kurt asked:
> I would like to propose that for vendors where Open Source is a major 
> part of what they ship, or the core of their commercial product, that 
> the DWF be able to take them under its wing as it were.

This is a swim lane discussion.  Personally this should be something 
decided by the parent CNA. In this case, that is MITRE.  I would have 
no problem with the proposal as stated. When there are more Root CNAs 
than just DWF, I believe we should let the “chain of administration” 
established by the hierarchy make the decision. 

Dan wrote:
> If neither of these situations fit, it will depend on how DWF manages 
> their assignees. MITRE as a CNA has the advantage of being a trusted 
> third party for vulnerability disclosure. When closed-source software 
> is involved, that trust can be important. If DWF creates that same 
> level of trust with closed-source vendors, they could also fulfill 
> that role. But this leads to some tricky scoping issues, and it could 
> create situations similar to "CNA shopping" or introduce other 
> coordination issues.

I am sorry but I have heard this trust argument before and have never 
believed it when it came to MITRE. I do believe it when it comes to a 
Vulnerability Coordinator such as US-CERT.  Coordination requires much 
more active hands-on work with highly sensitive information, working closely 
with vendors and researchers to address issues and assure a coordinated 
release.  MITRE touches some sensitive information but trust is not why 
people come to MITRE for a CVE.  Just not.

You do bring up a great topic, CNA Shopping.  Pascal's comments are 
exactly how I feel as well.  Requesters should go to an identifiable 
CNA as a normal course of action. I don't believe we should completely 
lock someone in to only 1 CNA.  In a hierarchy, the requester should be 
able to walk the tree to circumvent a CNA that is refusing to work with 
the requester. The requester should indicate the reason to the 
secondary CNA as to why they are making the request to a CNA other than 
their primary. That is valuable information as to the behavior of the 
CNA's acceptance and activities.

---
Kent Landfield
+1.817.637.8026

On 6/17/16, 11:18 AM, "owner-cve-editorial-board-list@lists.mitre.org 
on behalf of Pascal Meunier" 
<owner-cve-editorial-board-list@lists.mitre.org on behalf of pmeunier@cerias.purdue.edu> wrote:

I very much like the idea of someone being able to get an identifier 
from an alternate CNA, when the CNA nominally responsible for an area 
is dysfunctional or unwilling to perform, say due to a conflict of 
interest like refusing to admit that an issue is a real concern or trying to 
delay disclosure.  These conflicts of interest are quite possible when 
the CNA is also the vendor, which seems to be the model going forward. 
There should ideally be alternate, secondary or "backup" CVE issuers 
for all domains.

Pascal

On 06/17/2016 11:32 AM, Andy Balinsky (balinsky) wrote:
> Regarding "CNA shopping": is this a problem, as long as only 1 CVE 
> gets issued?
> Andy
> On Jun 16, 2016, at 7:37 PM, Adinolfi, Daniel R 
> <dadinolfi@mitre.org> wrote:
>
> Thinking through the issue:
>
> Ideally, the vendor would themselves be a CNA, covering their 
> products regardless of the type of licensing model.
>
> Not every company can be or wants to be a CNA, of course, so how do 
> we handle those?
>
> If there is another sector-based CNA (e.g., Healthcare systems) or a 
> regional CNA (e.g., JPCERT), the company could work directly with 
> those CNAs, who will facilitate the CVE assignment and disclosure 
> regardless.
>
> If neither of these situations fit, it will depend on how DWF manages 
> their assignees. MITRE as a CNA has the advantage of being a trusted 
> third party for vulnerability disclosure. When closed-source software 
> is involved, that trust can be important. If DWF creates that same 
> level of trust with closed-source vendors, they could also fulfill 
> that role. But this leads to some tricky scoping issues, and it could 
> create situations similar to "CNA shopping" or introduce other 
> coordination issues.
>
> How do other folks feel about these scoping issues?
>
> Thanks.
>
> -Dan
>
>
> ________________________________
> From: owner-cve-editorial-board-list@lists.mitre.org 
> <owner-cve-editorial-board-list@lists.mitre.org> on behalf of Kurt Seifried 
> <kseifried@redhat.com>
> Sent: Thursday, June 16, 2016 7:13:58 PM
> To: cve-editorial-board-list
> Subject: Question about dual source vendors
>
> So increasingly we have "dual source" vendors, that is vendors with 
> everything from fully OSI Open Source to completely closed source. 
> Basically any large commercial vendor already (Microsoft, Oracle, 
> etc.) and a growing number of others (witness the proliferation of 
> GitHub projects).
>
> I am talking to one that is not a CNA, and they want to do CVEs for 
> both their Open Source, and their closed source. But there is no easy 
> way to do this currently other than ask 
> cve-assign@mitre.org directly (and it 
> seems after they read the 
> https://cve.mitre.org/cve/data_sources_product_coverage.html document 
> they were under the impression 
> cve-assign@mitre.org could NOT do it).
>
> I would like to propose that for vendors where Open Source is a major 
> part of what they ship, or the core of their commercial product, that 
> the DWF be able to take them under its wing as it were.
>
> One hypothetical example that fits into this model would be a company 
> like Ansible (let's ignore the fact that Red Hat acquired it and as 
> such Ansible falls under the Red Hat CNA). Ansible currently has 
> "ansible", which is the Open Source core, and Ansible Tower, which is 
> currently a closed source management/dashboard. I think in a case like 
> this it makes sense to have a company like Ansible be a CNA under the 
> DWF for both the Open Source parts and the closed source parts.
>
> Thoughts/comments?
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact: secalert@redhat.com
>



Page Last Updated or Reviewed: June 21, 2016