
Policy, Feelings, and Reality (Re: Nomination…)



On Wed, 14 Oct 2015, Pascal Meunier wrote:

: Negative on Brian's methods, and an unwillingness to respond to
: vandalism; it should not be interpreted as apathy.

Yet, that is exactly what it is.

You may not like my methods, but very few people are doing anything to change CVE and try to motivate MITRE to improve. I am curious if you/Purdue and Andy/Cisco would also like to speak to why it is so important that we follow this procedure document, when the board has gone 15 years without other procedures that should have been documented, and never were? Would you also like to give your respective organizations' official opinion on MITRE not following their own documented policies in several ways over the last 90 days? Perhaps Steve Christey can explain why it is more important to quote this policy to me than to work on the large backlog of the CVE request queue, some of which are over 50 days old.

For those who know me, they know I am a big fan of documented policies and standards. I also recognize when they should be lobbied for change, or ignored. However, since many other requests (even the most polite ones!) fell on deaf (apathetic) ears, this is a vindication of my methods.

My second email prompted a few people to reply, and it prompted MITRE to start the discussion per their policy. Oh, by the way, the idea of bringing Kurt on the board was brought up privately at least twice to MITRE, to at least two people, in the last few years. That didn't work, but per policy, shouldn't it have started the process?

Meanwhile, other policies that should have existed a decade ago still don't exist, legitimate questions aimed at trying to better understand the MITRE process are unanswered, CNAs are still issuing advisories that do not follow CVE procedures unchecked, one CNA is selectively issuing CVEs for some vulnerabilities and not assigning for others (Andy, want to look into that for us?), and more.

I'm really sorry I hurt your feelings, but personally I would rather see things change for the better first. When MITRE is back to operating at the previous capacity they were 9 months ago, or even better, 3 years ago, then I vote we have a group hug and worry about the rest.

The entire industry has been going downhill quickly as evidenced by the number of organizations compromised every day that we hear about. Vulnerabilities are not slowing down, despite claims otherwise based on some horrible analysis of CVE numbers in recent years, and a significant chunk of our industry is using security products that are based on the CVE dataset and compete to see which of them has the 'best' coverage of one of the worst vulnerability databases. Is it any wonder our industry can't protect clients?

Personally, I joined this board with some hesitation because I read the archives first, and saw what I was getting into. But I joined to try to make a difference and help CVE improve as a whole. The archives, and dialogue since joining, make it very clear I am in the minority. If you feel differently, I would love to get your opinion on why CVE has just over 4,100 live IDs for 2015 compared to the 10,743 disclosed vulnerabilities I am aware of. Do you feel that MITRE is doing a sufficient job? Do you feel the board is doing a good job in helping guide MITRE, give valuable input, ask questions to learn more about the process, and generally improve how things are going? Honest questions.

Page last updated or reviewed: October 26, 2015