
Re: New CNA - Booz Allen Hamilton



Like Kent points out, that I did minutes after he did...

What is the value of MITRE spending time training a new CNA that has
*zero* history of disclosure? Is BAH, founded in 1970, that has not done a
single disclosure in 47 years, going to start now? Great if they do! But
do they need to become a CNA to do so? Absolutely not.

Let them start disclosing vulnerabilities before MITRE wastes their
"limited" resources coaching a new CNA. And since they are a CNA now,
officially, let this be a lesson to MITRE and the Board, that they should
be more strategic in picking the CNAs.

For those reading between the lines, this is not the first time this has
come up, and not the first time MITRE has ignored obvious CNA candidates
with a history of disclosure, in favor of a company with no disclosures.

Mileage may vary, etc etc.

.b

On Mon, 6 Nov 2017, Landfield, Kent wrote:

: Please list any of their products where they have published an advisory in the past.
: 
: --
: Kent Landfield
: +1.817.637.8026
: kent_landfield@mcafee.com
: 
: 
: From: "Coffin, Chris" <ccoffin@mitre.org>
: Date: Monday, November 6, 2017 at 3:32 PM
: To: Kent Landfield <Kent_Landfield@McAfee.com>
: Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
: Subject: RE: New CNA - Booz Allen Hamilton
: 
: Kent,
: 
: I apologize if there was any confusion or misunderstanding around this topic.
: 
: In this case, BAH was interested and was willing to participate in
: the program as a CNA for their own products. They are also willing to
: fill the gaps where other CNAs do not provide coverage. Our
: understanding from the discussion was that this CNA falls into the
: category of a large and established organization that should be part of
: the CVE program, especially if they are reaching out to us to
: participate. It was the smaller research organizations that were the
: issue, right?
: 
: If we run into any significant scope concerns with any of our CNAs,
: we can definitely address those when they appear. The concerns
: regarding the addition of new CNAs to the program were noted and we
: will put a hold on any outreach activities temporarily. As we
: discussed, we will focus on building the base, i.e., identifying and
: developing Root CNAs. We can continue this discussion in the next
: Strategic Planning WG call and list.
: 
: Regards,
: 
: Chris
: 
: From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
: Sent: Monday, November 6, 2017 3:14 PM
: To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>; Coffin, Chris <ccoffin@mitre.org>
: Subject: Re: New CNA - Booz Allen Hamilton
: 
: Why do we have Board calls if what is discussed on the calls are just
: ignored?  I personally feel there were serious issues discussed with
: these types of CNAs but yet here we are with the Board comments totally
: ignored and the focus of the discussion now a CNA? We specifically
: discussed BAH and multiple Board Members had issues.
: 
: I personally do NOT want a slew of beltway bandits lining up with
: "me-too" requests. This type of CNA is NOT helpful to CVE, as discussed
: on the Board call.
: 
: But that's ok, no one will listen yet again to the thoughts and
: comments of Board members.
: 
: --
: Kent Landfield
: +1.817.637.8026
: kent_landfield@mcafee.com
: 
: 
: From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Adinolfi, Daniel R" <dadinolfi@mitre.org>
: Date: Monday, November 6, 2017 at 1:13 PM
: To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
: Subject: New CNA - Booz Allen Hamilton
: 
: Greetings,
: 
: Booz Allen Hamilton is now a CNA. Their scope is all Booz Allen
: Hamilton products as well as vulnerabilities in third-party software
: discovered by Booz Allen Hamilton that are not covered by another CNA.
: 
: Note, though we discussed the concerns related to too many new CNAs
: being on-boarded during last week's Board meeting, BAH was in the queue
: and had requested their participation many weeks ago.
: 
: Their public contact point is CVE@bah.com.
: 
: Thanks.
: 
: -Dan
: _________________________
: Daniel Adinolfi, CISSP
: Lead Cybersecurity Engineer, The MITRE Corporation
: CVE Numbering Authority (CNA) Coordinator
: Email: <dadinolfi@mitre.org>  Phone: 781-271-5774
: 
: 
: 
: 


Page Last Updated or Reviewed: November 07, 2017