
Re: Juniper added to official CNA list



This was originally posted to the "private" Editorial Board list. I am moving this thread to the public list, because it concerns the entire industry. The private list should only be used for board-related matters, such as voting on new members, not for discussing industry-wide issues. Also, note that moving to the private list has happened more in the past 60 days than it did in the past 6 - 18 months. That is not acceptable.

Joe,

On Tue, 19 Apr 2016, Common Vulnerabilities and Exposures wrote:

First, can MITRE quit posting as "Common Vulnerabilities and Exposures <cve@mitre.org>"? There are over 10 MITRE employees on the Editorial Board list who are not members of the board. I am happy to enumerate them if there is any question about that fact. This particular response came after you (Joe) also joined the fray, and with your title: Joe Sain, CVE Communications and Outreach Lead, so I assume this is you. If I am wrong, that only makes my point.

We need accountability in the face of all the criticism MITRE has received the last year. It is not ethical, or appropriate that anyone there hide behind the CVE name. Or "cve-id-change" (one post historically) or "CVE-assign" (one post historically). This isn't conducive to trust.

From here out, I suggest that MITRE only reply to board traffic from an individual, even if it is a general 'CVE' policy proposal. The board list is for discussion of ideas. If the final, voted-on, decision comes from a generic CVE address, I can see that as a proper use of an alias, maybe.

: Juniper, as a new CNA, will become better over time as they practice
: being a CNA. Another member suggested that all CNA-related documents be

Wait... they failed to follow CNA guidelines *before* they were a CNA. Meaning, they asked for assignments from MITRE, who issued them. And Juniper published advisories that were problematic, and didn't follow CVE abstraction. MITRE is rewarding them for that behavior, by giving them full CNA status, saying "they will learn"?

I am officially objecting to this policy and precedent. This is absolutely the wrong move, and not going to help the mess that is CVE. Worse, you did so six days after a formal complaint about Juniper, from an active board member? And... worser(?), you did it 7+ months after I specifically asked, and hounded MITRE on, providing official CNA guidance documentation.

This is clearly an effort of MITRE to produce more CNAs to help alleviate the assignment workload, while ignoring many Editorial Board members saying we need more CNAs over the last three years.

Bandaids aren't going to work at this point, and this is a perfect representation of such a bandaid. Taking our advice three years later, without proper documentation, is a step-by-step recipe for more problems. Remind me, why are we, the board, here?

To expand on this... I have been the only one that I am aware of, policing several CNAs that are not following the old legacy guidelines re: abstraction. I have probably filed more complaints to MITRE on CNAs than anyone else. If that isn't the case, please introduce me to whoever is doing it more than I am. I'd like to compare notes. Why? Because I only mail once out of every ~ 25 instances of a CNA not following rules.

e.g. IBM jumped the CNA shark a year or two ago. When I pointed it out repeatedly, and showed they continually gave the wrong assignments for known/public issues, the response from MITRE was "you are right, we MIGHT contact them". To this day, I don't know if MITRE contacted IBM, but I do know they kept using the same offending assignment three months after that mail thread. I have to assume MITRE ignored the rogue CNA, and ignored the complaints from a board member.

At some point, MITRE needs to address these issues publicly. The reason people are not happy with this situation, and DHS should be fully aware of, is that most of the solutions were handed to MITRE on a silver platter all along. Every step of the way, MITRE ignored them.

: posted publicly so that all CNAs understand better what the CNA
: requirements are. This is a good idea and we have established a GitHub
: site for these documents at: http://cveproject.github.io/docs/

Sorry, GitHub is widely recognized as github.com. Why did MITRE choose to use github.io, a "GitHub Pages" domain that was converted in 2013, and is lacking some of the integration with github.com (i.e. user experience)? Why wasn't this discussed with the board? Why was this site chosen after the DWF initiative specifically chose GitHub.com due to prevalence and adoption?

Every belated response from MITRE to CVE's problems answers to the textbook definition of a "bad solution". When these decisions are questioned, MITRE goes quiet... on list and off list. I have the emails to prove it, if you have any doubt.

Could MITRE form a team to figure this out, and work toward providing a more friendly and intuitive experience for board members bringing up problems?

If you start a random crappy hosted RedMine tracker to track these issues, I will scream.

Page last updated or reviewed: April 20, 2016