
Re: Process for penalizing or revoking CNA status?



On Tue, 1 Sep 2015, Art Manion wrote:

: CERT/CC has experienced at least one, possibly two, that do not
: assign CVE IDs in a timely manner or in the proper way, per the CVE content
: decision/abstraction rules. We see this when...

So.. CERT/CC sees a variety of problems, and I don't because I'm not a CNA. I can only imagine that non-vendor CNAs run into such problems with vendors, and I hope they speak up.

: I don't know how much of the Board charter is written down anywhere, but
: perhaps we should consider some basic governance/voting procedures. Even
: if we don't immediately agree on all the add/remove decisions, we could
: have a process.

This is why I asked about the current CNA guidelines. What is shared, what is firmly written as rules, and what is written as guidelines? Likewise, when they break the rules or the guidelines, what next?

: Document the evidence on the mailing list and vote. It is also common
: for group members to lose voting rights (or even membership) due to
: lack of participation.

So because a few asked me off list, since I was vague... let me share a tad more detail.

#1 The primary CNA I referenced in my mail is IBM. If their CNA status isn't revoked, I will have serious issues with the process. An editorial board member mailed them about improper assignments, and they said they would look into it. More than three months later, no change. I mailed MITRE directly, who said they would contact IBM and later said they did. No change. I mailed IBM again a month+ later reminding them, no change. We have a CNA that has been issuing the same wrong CVE ID to the same issue, for over six months, across almost *50 ADVISORIES*, without changing their policy. This is implicit, inexcusable, and intentional abuse of the CNA process. They should be revoked right now, no question, end of story.

#2 There are three other CNAs that have clearly demonstrated they don't understand the assignment process. One of them, a big database company that rhymes with "Asshole" (but spelled 'ORACLE'), breaks from CNA policy differently than others. I am not the only one who has had issues with their assignment SNAFUs.

#3 Two more CNAs have just come to my attention through some pretty interesting digging into disclosures, showing that they issue an ID based on disclosure date, not reported date, consistently. This goes against CNA policy I hope, as it definitely goes against CVE's actual assignment policy. This causes us to get vulnerability assignments for the wrong year, and seriously messes with any meaningful metrics and statistics.

I would, again, like to know the explicit guidelines given to a CNA for assignment, along with the documented policy for handling a CNA that is not following said policy. MITRE is the overlord in this game, and they control who has the ability to make assignments. This isn't a time to 'play nice'. In fact, it is specifically a time to play rough, because any of these major companies that get their CNA status suspended or revoked will be the black sheep in the media and our industry. The onus will be on them to make things right. This is a proper time for MITRE to be a bully of sorts, and ensure the kids are playing by the rules.

: I realize adding more formal rules/bylaws increases the governance
: overhead, but it may be necessary to move that direction. A couple
: documents about board membership were circulated in April. Would an
: active board member volunteer to draft something about CNA requirements?

Stop there. It's 2015, and CNA assignment issues have been at play for at least five years, likely longer. I have to assume that there are guidelines already and they aren't quickly available on the web. If not, the bigger question is why? When MITRE was approached about this earlier this year, that should have been a great impetus to draft such rules and make them public.

.b

Page last updated or reviewed: September 14, 2015