Re: CNA Rules Announcement
Chris,
On Fri, 7 Oct 2016, Coffin, Chris wrote:
: On Monday, October 10th, all CNAs should be assigning CVE IDs based
: on the new CNA rules listed here:
:
: <http://cveproject.github.io/docs/cna/CNA%20Rules%20v1.1.docx>
Just to be clear, does this mean MITRE has reached out to all of the
current CNAs and informed them of the new rules?
: As you use these new rules, please feel free to share any feedback you
: might have with the rest of the CNA community and MITRE. We would like
: to understand what is working and what isn't so that the rules evolve to
: meet the needs of the program and so that additional guidance and
: training can be developed based on what we collectively learn. You can
: share your feedback through the cve-cna-list mailing list or directly to
: MITRE through the CVE Web Form.
How should we approach CNAs that are violating these rules, via a
long-term string of violations regarding an assignment? For example, IBM
has been using CVE-2014-8730 for their products despite the early change
in the entry from MITRE specifically designating it for F5 products only.
I have contacted IBM half a dozen times over the last year or more
pointing out examples of this. Their most recent misuse of this CVE was
on Sep 19 (http://www-01.ibm.com/support/docview.wss?uid=swg21390112).
Moving forward, if they continue to misuse 2014-8730, what is the best
course of action since contacting them doesn't seem to help?
Thanks,
Brian