
Re: CNA requirements



Brian, since we don't all seem to agree on what a mature security process is, we should probably take a moment to define it. How do you (or anyone else on the board; please chime in on the board) define or describe a "mature" security process? I would guess there could be many definitions of such a thing, and if CVE wants to see its CNAs have a mature process, we will need a yardstick to measure "maturity." What does a mature process look like? Does the process depend on the organization and how they do software/hardware development and QA, handle PR issues, support customers, etc.? Or should our definition be a standard regardless of the organization's details? Do we only measure how they respond to vulnerabilities in their products, or should we measure that part of their operational process as well? One of the working groups from the most recent Editorial Board meeting is creating standards/guidelines for CVE submissions as part of a larger community-of-practice discussion. Should we include this discussion in that working group as well?

-Dan

P.S. SGI does exist. Their CNA contact is Michael O'Connor, and they can be reached publicly at security-info@sgi.com.

On 5/28/16, 02:45, "owner-cve-editorial-board-list@lists.mitre.org on behalf of jericho" wrote:

>On Tue, 17 May 2016, Kurt Seifried wrote:
>
>: On Tue, May 17, 2016 at 8:54 AM, Waltermire, David A. (Fed) <
>: david.waltermire@nist.gov> wrote:
>:
>: > IMHO, I believe we need to address this in a way that supports a
>: > non-hierarchical, graph of communications between CNAs. This models what
>: > happens in the real world. It should be possible for any CNA to find any
>: > other CNA, get their contact info, and then reach out to them to coordinate
>: > on a CVE assignment. Relying on parent CNAs does not make this work.
>
>And this is where we get into a meta-discussion...
>
>: So I've been thinking about this a bit and looking back at some
>: situations in the last 5000 or so CVE's I've assigned and some things
>: are obvious:
>:
>: 1) Being a CNA requires you to have a mature security process, if you
>
>Patently false.
>
>- Apple is a CNA, they do not have a mature security process.
>- IBM is a CNA, they have a convoluted disgusting security process. (Love
>  Lisa and Scott, but it's true! Also, why isn't IBM on the board?)
>- Oracle is a CNA, they do not have a mature security process.
>- SGI is a CNA, they ... uh, don't exist?
>
>That said, your outline on defining CNA requirements is great and helpful.
>=) Just don't equivocate here.

Page Last Updated or Reviewed: June 1, 2016