[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: New Researcher guidelines

Along with most of the documents available in Github and on the CVE web site, I share the opinion that the Researcher Reservation Guidelines is still a WIP. However, based on the current processing of requests we felt that the document should be more broadly accessible and should be published on the CVE web site. Even in its current form, the document can serve to answer questions that the community (specifically researchers) might have when going through the process.

 

We will continue to update the document when useful feedback is received, and we can continue to receive this feedback via Github as well. How we go about notifying the Board of these changes is probably something we should discuss in a future Board call. For example, would the Board want to approve minor updates, or just major items such as changes to the steps in question, etc?

 

Chris

 

From: Landfield, Kent B [mailto:kent.b.landfield@intel.com]
Sent: Friday, January 20, 2017 12:34 PM
To: Coffin, Chris <ccoffin@mitre.org>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: New Researcher guidelines

 

Sorry, I am confused. You put something on github, ask a question and give the impression it is a work in progress (WIP) and then post it as a completed policy with no notification to the Board?  I think there should have been some notification a WIP to a policy/public guideline was occurring.  It does not appear the CNAs were notified via the mailing list.  I did not find anything on the CNA list.  It affects them. Did they get sent something out-of-band?

 

I can provide feedback by then.  I guess I will need to review every single WIP document on github...

 

---

Kent Landfield

+1.817.637.8026

 

From: "Coffin, Chris" <ccoffin@mitre.org>
Date: Friday, January 20, 2017 at 11:48 AM
To: Kent Landfield <kent.b.landfield@intel.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: New Researcher guidelines

 

Hey Kent,

 

Even though the News article (http://cve.mitre.org/news/archives/2017/news.html#january122017_Researcher_Reservation_Guidelines_Document_Now_Available) reads as if it’s a new document, the content of the document has not changed since August 2016 when it was first shared with the Board and the public on Github (http://cveproject.github.io/docs/requester/reservation-guidelines.html). The only change was that the document was moved to the CVE website.

 

As for the bolded sentence, you are correctly pointing out something that very obviously should be revisited. This statement, and potentially other statements within the document may not align with the current processes being used by the team. I am ok with immediately removing the sentence starting with “Or” if there are no objections from anybody else. The other action item which you have also correctly brought to the table, would be to schedule a discussion in a future Board call along with providing ample time for a Board review of the document.

 

We have a Board meeting Wednesday of next week. However, my assumption is that this is too short of notice to review and provide feedback. My suggestion would be that Board members review and provide feedback on the current guidelines and provide feedback before the following Board call (Feb 8). We could discuss any steps to be taken in that meeting based on the feedback received. Does anyone have any objections to this plan?

 

Chris Coffin

The CVE Team

 

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent B
Sent: Friday, January 20, 2017 10:35 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: New Researcher guidelines

 

I see MITRE announced new Researcher Reservation Guidelines... In the new Guidelines it states:

 

4. Requests to third-party coordinator CNAs or email lists.

If a CVE ID cannot be requested through a CNA, consider contacting a third party coordinator such as an emergency response or vulnerability analysis team (e.g., CERT/CC), especially when there are problems in contacting the affected vendor. If the request is accepted, that organization will work to have a CVE ID assigned to the issue. Or, you may post the information to mailing lists such as BugTraq or oss-security and, if accepted, the issue will eventually be assigned a CVE ID by a CNA.

 

Where did this come from?  I believe you are setting CVE up for more Researcher distain by not making it an official process with specificity.  If people just anticipate a CVE because they posted to some random mailing list as written, they will get frustrated when they don’t get one. 

 

This whole document should have been sent to the Board list before it was posted.  Was this discussed in the F2F when I was out of the room?  I can’t find it posted to the Board list. I was under the impression that MITRE had agreed to keep the Board informed on these type of things before they are made public.  Where is the alignment and transparency of actions?

 

I believe the “Or statement’ should either be rewritten for real clarity and much less ambiguity OR it should be removed entirely. I believe this was an error that will cause issues for us in the future.  Be specific, be articulate. Do not be general in such a way to create unreasonable expectations within the researcher community...

 

And why was the Board not informed earlier???

 

Kent Landfield

Intel Corporation

+1.817.637.8026

 

 

Page Last Updated or Reviewed: January 20, 2017