RE: CNA Rules Announcement
Brian,
> Just to be clear, does this mean MITRE has reached out to all of the
> current CNAs and informed them of the new rules?
Yes... The rules have been sent through all appropriate channels, and
they are also included in this email thread via the cve-cna-list.
> How should we approach CNAs that are violating these rules, via a
> long-term string of violations regarding an assignment?
We are trying to create a set of rules and a structure for them that
works within the overall federated model. The idea is that the Primary
CNA would be the ultimate authority, and could impose sanctions on any
lower level CNAs. Similarly, root CNAs could impose sanctions on any
sub-CNAs underneath them. This structure is discussed in section 1.3 of
the current document.
> what is the best course of action since contacting them doesn't seem
> to help?
The rules are obviously brand new and there will likely be some growing
pains, but we will work these through the CNA channels as they are
defined in the new rules. If there is failure to communicate regarding
the new rules going forward, then the CNA(s) within those channels will
need to decide how to proceed.
As for the specific issue you mention, we discussed this one recently
and I believe that there are changes in the works (i.e., it shouldn't
be an issue much longer).
Chris
-----Original Message-----
From: jericho [mailto:jericho@attrition.org]
Sent: Friday, October 07, 2016 1:54 PM
To: Coffin, Chris <ccoffin@mitre.org>
Cc: cve-editorial-board-list
<cve-editorial-board-list@lists.mitre.org>; cve-cna-list
<cve-cna-list@lists.mitre.org>
Subject: Re: CNA Rules Announcement
Importance: High
Chris,
On Fri, 7 Oct 2016, Coffin, Chris wrote:
: On Monday, October 10th, all CNAs should be assigning CVE IDs based
: on the new CNA rules listed here:
:
: <http://cveproject.github.io/docs/cna/CNA%20Rules%20v1.1.docx>
Just to be clear, does this mean MITRE has reached out to all of the
current CNAs and informed them of the new rules?
: As you use these new rules, please feel free to share any feedback you
: might have with the rest of the CNA community and MITRE. We would like
: to understand what is working and what isn't so that the rules evolve to
: meet the needs of the program and so that additional guidance and
: training can be developed based on what we collectively learn. You can
: share your feedback through the cve-cna-list mailing list or directly to
: MITRE through the CVE Web Form.
How should we approach CNAs that are violating these rules, via a
long-term string of violations regarding an assignment? For example,
IBM has been using CVE-2014-8730 for their products despite the early
change in the entry from MITRE specifically designating it for F5
products only.
I have contacted IBM half a dozen times over the last year or more
pointing out examples of this. Their most recent misuse of this CVE
was on Sep 19
(http://www-01.ibm.com/support/docview.wss?uid=swg21390112).
Moving forward, if they continue to misuse 2014-8730, what is the best
course of action since contacting them doesn't seem to help?
Thanks,
Brian