Chris,
It’s hard to say. I’ve pondered this too. In some instances, it may be because they feel the vulnerability attached to their name/brand becomes more visible.
In other cases, they may think the vuln was a one-off and didn’t want to bother. Or it was just one more thing to manage.
Lenovo has worked hard to become a leader in the area of security by following best practices and being transparent. We believe being a CNA strengthens our message about the importance of security and vuln disclosure. I would like for our suppliers to buy into this thinking as well.
From: Coffin, Chris [mailto:ccoffin@mitre.org]
Sent: Wednesday, November 8, 2017 11:44 AM
To: Beverly Finch; Waltermire, David A. (Fed); Millar, Thomas
Cc: cve-editorial-board-list
Subject: RE: New CNA - Booz Allen Hamilton
Beverly,
In the cases where these vendors were not willing to request a CVE ID, do you have a recollection as to why? It would be interesting to know a bit more about those situations if possible. It might be that they are also unwilling to be a CNA for the same or similar reasoning.
Regards,
Chris
All,
Can we target suppliers like Infineon, Realtek, Sierra Wireless, Dolby for instance?
We’ve had vulns published for their products and all were not willing to request CVE. In the case of Infineon, someone else (US-CERT?) assigned the CVE.
Tom,
The primary reason we are seeing new CNAs is because Dan is out advertising that the CVE program is looking for new CNAs. I am not calling Dan out by saying this. He is doing what he has been told to do. I believe we should be spending MITRE resources, which have limits, to work with the board to improve the structure and overall governance of the CVE program.
I am not suggesting we plateau the acquisition of CNAs, but instead that we not actively seek them out. If new CNAs come to the program on their own, I am good with bringing them in. We can then use the time saved to focus resources on making federation a reality and working out how the federated model can be better governed. In my view, working on these things is critical to the long term success of CVE. We are not making progress as quickly as I had hoped. This is a good time to consider what we can do differently to reprioritize.
Do you agree that working out federation and governance for the program is a priority? If not, what do you see as the biggest priorities?
-------- Original Message --------
From: owner-cve-editorial-board-list@lists.mitre.org on behalf of "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
Date: Mon, November 06, 2017 5:00 PM -0500
To: jericho <jericho@attrition.org>, "Coffin, Chris" <ccoffin@mitre.org>
CC: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: New CNA - Booz Allen Hamilton
The big NIST contract with BAH ended some years ago, iirc.
Grep for "booz" through the CERT KB turns up one mention, a possible heap overflow due to an upstream product. Nothing in NVD.
Looking through job listings they do hire a ton of pen testers so I'd presume they want to be able to assign for vulnerabilities they find in the course of gigs. However, stating "we can even assign a CVE to anything we find" - as a feature of their service offerings - might be problematic.
All that said, I personally tend to agree with Kurt. At this point in time, I would not expect to see the rate of new CNAs plateau - and I would prefer to run into these issues now, and learn and adapt from them more quickly, than drag this painful transformation out and risk losing momentum.
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho
Sent: Monday, November 6, 2017 16:46
To: Coffin, Chris <ccoffin@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: New CNA - Booz Allen Hamilton
Importance: High
On Mon, 6 Nov 2017, Coffin, Chris wrote:
: In this case, BAH was interested and was willing to participate in the
: program as a CNA for their own products. They are also willing to fill
: the gaps where other CNAs do not provide coverage. Our understanding
: from the discussion was that this CNA falls into the category of a large
: and established organization that should be part of the CVE program,
: especially if they are reaching out to us to participate. It was the
: smaller research organizations that were the issue, right?
In the interest of transparency, and because I don't know if this represents a conflict or not, or is tangentially related... but could NIST/NVD clarify BAH's current role in the NVD process?
For those not aware, for several years NIST would out-source the NVD meta-data generation (e.g. CPE, CVSS scoring) to junior BAH consultants. I don't know how long that went on, if it still does, or if they changed vendors over the years.
I had asked both MITRE and NVD many years back about their involvement in the context of "when they find an error in a CVE, who do they report to" and I don't recall getting a real answer other than what in my memory was bureaucratic speak for "don't worry, it's handled".
.b