|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: SLA concerns for DWG CNAs (and probably other CNAs)
- To: Kurt Seifried <kseifried@redhat.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Subject: RE: SLA concerns for DWG CNAs (and probably other CNAs)
- From: "Manley, Meghan E." <mmanley@mitre.org>
- Date: Fri, 26 Aug 2016 18:39:15 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;mitre.org; dkim=none (message not signed) header.d=none;
- Delivery-date: Mon Aug 29 07:50:34 2016
- In-reply-to: <CANO=Ty2Ssyr4QDpOFK+=_3coad5siUd15OmMFyREWWK-o3VoLw@mail.gmail.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CANO=Ty2Ssyr4QDpOFK+=_3coad5siUd15OmMFyREWWK-o3VoLw@mail.gmail.com>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- Thread-index: AQHR/6fZMsnkk1r6ZUSPFk9dyw3utqBbkraA
- Thread-topic: SLA concerns for DWG CNAs (and probably other CNAs)
|
Kurt,
We agree that we need to continue to build out the guidance for the CNAs. The CNA Rules document we discussed at the meeting yesterday is only a starting point.
We think a QA document is needed as part of the overall guidance (in line with Brian’s suggestion), and we agree Service Level Agreements (SLAs) should be a part of that. As
we work on that guidance, we would like to use your suggestions as a starting point for the conversation around SLAs. Thank you very much for sharing your thoughts on this. -Dan Adinolfi From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org]
On Behalf Of Kurt Seifried So for existing CNA's under MITRE there aren't a lot of rules around timeliness and disclosure and related areas of operations. Some CNAs are timely, some are slow, some release info, some don't, etc. So first
I want to make sure we cover the right areas with SLAs, step 2 will be determining what values to use. So if you think something is missing please let me know! My main concerns around SLAs are: 1) timely responses to requests 2) correctness of CVEs assigned (SPLIT/MERGE, is it a vuln, covered, etc.) 3) use of CVEs and release of information privately (e.g. for embargoed issues) 4) use of CVEs and release of information for restricted publishing (e.g. for coordinated handling/restricted use) - not a priority for me but something I want to at least consider 5) use of CVEs and release of information for public publishing (e.g. for after the embargo lifts, or or issues that are not embargoed at all) 6) pushing data back to your parent CNA and ultimately to the DWF once the entry is assigned (marked as RESERVED) and once it goes public (PUBLIC) and if it changes (e.g. REJECT/REPLACED_BY, whatever). The timelines will be a spectrum as will the information disclosed/released (e.g. for embargo vs public release), I don't know what the answers/SLAs are yet but first I want to make sure we cover what the problem
space is. One note: I had considered an SLA around CNA activity, e.g. "you must assign X CVE's per month/year or lose CNA status" but I think that is not a good metric, and could result in messy gaming of the system. -- |
- Follow-Ups:
- Re: SLA concerns for DWG CNAs (and probably other CNAs)
- From: Kurt Seifried <kseifried@redhat.com>
- Re: SLA concerns for DWG CNAs (and probably other CNAs)
- References:
- SLA concerns for DWG CNAs (and probably other CNAs)
- From: Kurt Seifried <kseifried@redhat.com>
- SLA concerns for DWG CNAs (and probably other CNAs)
- Prev by Date: RE: Proposed Working group and workshop
- Next by Date: Re: SLA concerns for DWG CNAs (and probably other CNAs)
- Previous by thread: SLA concerns for DWG CNAs (and probably other CNAs)
- Next by thread: Re: SLA concerns for DWG CNAs (and probably other CNAs)
- Index(es):