[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

New Researcher guidelines



I see MITRE announced new Researcher Reservation Guidelines... In the new Guidelines it states:

 

4. Requests to third-party coordinator CNAs or email lists.

If a CVE ID cannot be requested through a CNA, consider contacting a third party coordinator such as an emergency response or vulnerability analysis team (e.g., CERT/CC), especially when there are problems in contacting the affected vendor. If the request is accepted, that organization will work to have a CVE ID assigned to the issue. Or, you may post the information to mailing lists such as BugTraq or oss-security and, if accepted, the issue will eventually be assigned a CVE ID by a CNA.

 

Where did this come from?  I believe you are setting CVE up for more Researcher distain by not making it an official process with specificity.  If people just anticipate a CVE because they posted to some random mailing list as written, they will get frustrated when they don’t get one. 

 

This whole document should have been sent to the Board list before it was posted.  Was this discussed in the F2F when I was out of the room?  I can’t find it posted to the Board list. I was under the impression that MITRE had agreed to keep the Board informed on these type of things before they are made public.  Where is the alignment and transparency of actions?

 

I believe the “Or statement’ should either be rewritten for real clarity and much less ambiguity OR it should be removed entirely. I believe this was an error that will cause issues for us in the future.  Be specific, be articulate. Do not be general in such a way to create unreasonable expectations within the researcher community...

 

And why was the Board not informed earlier???

 

Kent Landfield

Intel Corporation

+1.817.637.8026

 

 


Page Last Updated or Reviewed: January 20, 2017