RE: On the topic of MITRE/Board transparency
On Thu, 11 May 2017, Williams, Ken wrote:
Ken,
: 1) Why was the board never notified directly by Mitre? That letter is
: from March 31.

And specifically, I told MITRE I expected this to be brought to the board in off-list mail. They opted not to, saying I could "forward the mail" for "discussion", despite my very explicitly asking MITRE for an official statement... not discussion. I gave them weeks to do so; they did not.
: 5) Brian, can you provide the name of the CNA who brought this to your
: attention, and the circumstances?
Other than what I said, I cannot.
^ That is for you Ken. Everything below is additional thoughts in the bigger picture, and primarily for MITRE.
--
I think I have made it pretty clear, and I know MITRE will not admit it... but the amount of time I spend working with CNAs on assignments is draining. For years now, I have essentially audited CVE and CNAs on their assignments. Part of my daily responsibilities, along with others on list that do the same, is to ensure "100% compliance with CVE". We're the first tier "stakeholders", as we re-distribute to organizations that rely on vulnerability intelligence. Compliance requirements demand that they keep up with CVE; they pay real money to get real vuln intel from other solutions. Some CNAs ask me directly about abstraction before they release their advisories. Some engage with me extensively after the fact when I point out a possible discrepancy. They are eager to figure out if the assignment was incorrect (e.g. out of their purview, duplicate, abstraction rules, etc.).
I have a good working relationship with many CNAs, and a good but weird relationship with teams at the CNA parent company that aren't involved in the CNA process. While weird, it is beneficial to them, to me, and to the industry. After almost a decade of butting heads with Oracle, Bruce and I have had a long thread of mails about CVE, assignments, abstraction, and more. Through this, I have learned that Bruce has been fighting uphill battles within his organization that none of us knew about, but once he won them? They were instantly noticeable. Within 24 hours of him effecting policy change within his org, related to CVE, many of us noticed it. I emailed him and pointed it out, thanked him for the change. That is when he told me, in a vague fashion, how much work it took to effect that change.
For the Board's information, because this has been going on for half a year in off-list mails. While I have been questioning some of the new CNAs, given their history of horrible disclosures, I keep reminding MITRE that I work for a company that discloses more vulnerabilities than many CNAs. Especially some of the newer ones. I keep telling them that while I *personally* don't care about being a CNA, because MITRE has made it clear that is a losing proposition, if MITRE approaches my day job with that idea we would accept. In six+ months, they have onboarded half a dozen new CNAs that collectively put out as many vulns a year as my day job. MITRE has told me they contacted one person in my day job org, who has nothing to do with security, disclosures, advisories, security response, etc etc. I have told them exactly what email address to email to make it happen, since the person that answers will have the ability to say "yes" and knows more about CNAs than some of the current MITRE employees.
Oh... this is the same company that had to wait 113 days for MITRE to reply to an assignment request, and eventually said "we won't assign, there might be a duplicate", without asking them for additional information. The same party that points out duplicate CVE assignments almost weekly.
So yeah... still waiting.
It's very difficult to believe that MITRE is operating in the industry's best interest. Since the letter from Congress, MITRE has made some very drastic changes in the CVE program. We get a lot more volume!! But we also see a serious drop in quality, more duplicates, and arbitrary decisions that will technically boost their yearly count by 3,000+. (Oh what, didn't consider how that decision would influence stats they can push to Congress?)
The recent questions about standards in publishing around "undefined behavior" are the tip of the iceberg. I haven't sent mails with dozens of examples of MITRE blindly assigning for very clear-cut "self hack" situations that have ZERO security impact. They don't take any analysis, no ASAN, no fuzzing, nothing more than reading the description and laughing at how absurd the exploit conditions are.
If you doubt me? Please hit "compose" in your email client, and send me an email with 8000 characters, where every fifth character is replaced by the word "chinchilla", and every tenth character is replaced by the word "mitrelolololol".
If you feel that is a realistic 'exploit scenario', then I am clearly wrong and we should keep seeing CVE IDs for these crap disclosures. It's 2017... I think I mentioned that? VDBs should be a lot more mature and either not include it, or if they do, tech note the crap out of it so "stakeholders" understand it really isn't an issue.
The last year is nothing but MITRE floundering, looking for stop-gap measures to artificially inflate their numbers and put forth this crazy idea that they really do care. Your effort is showing. How about you stop trying so hard to hit the lever for a pellet, in the form of your next yearly $3mil paycheck, and work on improving the offering, given your more than abundant resources?
Like I told Congress via back-channels a few weeks ago... others do almost twice your volume, with much higher quality, for half your price. And they are smart enough not to bid on the contract should it get yanked from MITRE and re-classified from 'sole source / no-bid'.
.b