
Re: New CNA - Booz Allen Hamilton



Out of curiosity, can someone link a vuln disclosure in one of their 
products? Or one of their research advisories?

I ask because a quick search suggests there are none, of either. Rapidly 
adding CNAs that have little to no history of disclosures, in their own 
products or in others, seems odd to me. Especially if there was Board 
push-back on adding them in the first place.

.b


On Mon, 6 Nov 2017, Kurt Seifried wrote:

: Disclaimer I'm not speaking for MITRE (obviously), just my opinion.
: 
: I understand the concerns, but we have process/methods to deal with "rogue"
: CNAs (e.g. feedback loops, and not publishing their stuff, other forms of
: censure, some of which I'm experienced with =) and more to the point we
: can't wait for perfect docs/process to happen, which also won't happen
: without operational experience. If I had to guess I'm more concerned about
: the unknown problems we'll encounter, vs. the ones we think we will (and
: have some idea to handle). I'm also not convinced even having a rogue CNA
: is that bad, e.g. I already had to flip a pile of DWF assignments from
: PUBLIC to REJECT because of bad reference URLs and whatnot. While not
: ideal, it's not the end of the world. Having a perfect CVE system isn't
: going to happen, and we can't take it from where it is (people still
: actively hate CVE for past sins) to "good enough" without moving/making
: changes.
: 
: On Mon, Nov 6, 2017 at 2:14 PM, Landfield, Kent <Kent_Landfield@mcafee.com>
: wrote:
: 
: > Why do we have Board calls if what is discussed on the calls is just
: > ignored?  I personally feel there were serious issues discussed with these
: > types of CNAs but yet here we are with the Board comments totally ignored
: > and the focus of the discussion now a CNA? We specifically discussed BAH
: > and multiple Board Members had issues.
: >
: > *From: *<owner-cve-editorial-board-list@lists.mitre.org> on behalf of
: > "Adinolfi, Daniel R" <dadinolfi@mitre.org>
: > *Date: *Monday, November 6, 2017 at 1:13 PM
: > *To: *cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
: > *Subject: *New CNA - Booz Allen Hamilton
: >
: > Booz Allen Hamilton is now a CNA. Their scope is all Booz Allen Hamilton
: > products as well as vulnerabilities in third-party software discovered by
: > Booz Allen Hamilton that are not covered by another CNA.
: >
: > Note, though we discussed the concerns related to too many new CNAs being
: > on-boarded during last week's Board meeting, BAH was in the queue and had
: > requested their participation many weeks ago.
: 


Page Last Updated or Reviewed: November 06, 2017