
Re: HP's policy on CVE assignments



Just a note: it might be useful to go through the CNA docs and highlight some of the potentially undefined/problematic terms/phrases, e.g. "public disclosure" and so on, so that we can maybe define them better.

On Tue, Apr 11, 2017 at 7:41 AM, Adinolfi, Daniel R <dadinolfi@mitre.org> wrote:

Greetings,

We are contacting HP to discuss their disclosure policy to verify that it is not in conflict with the CNA Rules.

Once we have spoken to HP and have a better understanding of the issues, we will report back to the Board.

Please let us know if there are any other questions or concerns about this issue.

Thanks.

-Dan

_________________________

Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Communications and CNA Coordinator

Email: <dadinolfi@mitre.org>  Phone: 781-271-5774

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of jericho <jericho@attrition.org>
Date: Monday, April 10, 2017 at 22:59
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: HP's policy on CVE assignments

 

Can MITRE weigh in on this please? Pretty significant stance for a CNA to
take, saying they will selectively assign based on how a solution is
delivered. I feel this goes against the spirit and purpose of CVE.

 

On Fri, 7 Apr 2017, jericho wrote:

 

: Caught this via Twitter. Thoughts?

:

:

 




--
Kurt Seifried
kurt@seifried.org

Page Last Updated or Reviewed: April 11, 2017