Add to the terms of use that if a submission is provided, all information is considered opted in. This would allow us to maintain the info long term. Assure lawyers approve. There are opt-in considerations.

Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!

-- Kent Landfield
+1.817.637.8026
kent_landfield@mcafee.com

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Coffin, Chris" <ccoffin@mitre.org>

Not sure… but I will pass it along and see what is being done.

Chris C

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Millar, Thomas

GDPR does not take effect until May, so we have some time to figure it out. Does MITRE have counsel already looking into GDPR implications for its projects?

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried

So I had someone request their PII (email address) be removed from the CVE Terms of Use acceptance data I have for DWF, luckily there's no CVE associated with the address (I think it turned out to be an invalid request).

But this does raise the question, under GDPR, even with positive affirmation (e.g. they filled out the form, then replied to an email) they would still be within their rights (as I understand GDPR) to then request at a later date that we remove their PII from the system.

Which... let's be honest, we can't really do, because git, we can "remove" it but it still exists in previous branches/etc. And short of rolling git back in time to before that info existed, re-applying all the other changes and so on... and then having every fork go bonkers...

So in short I think we need to ensure we have some legal/privacy language that makes it REALLY clear that once they submit their data and it gets into git (e.g. a CVE request) that we cannot remove it fully, and I'm not sure, but can we disclaim that we will remove it at all (I don't know enough about the internals of GDPR/how exactly it is interpreted).