
RE: MITRE/Board transparency



Brian, Congress sent an inquiry regarding CVE to MITRE and DHS. That request is a matter of public record. We assume the responses from MITRE and DHS will also be a matter of public record. MITRE has not yet transmitted its response to Congress. Once the response is transmitted, if Congress makes it public, all members of the public will be able to review it, including any Board member.

More importantly, MITRE looks forward to continuing to work with our colleagues to maintain the great progress the program has made over the past 15 months: implementing a federated program structure, including a new governance and operational model; building and improving the CNA rules and their implementation; recruiting new Roots; improving the CVE-in-a-Box artifacts; improving data exchange; expanding internationally; and continuing bimonthly collaborative sessions and working groups with our Board colleagues, the CNAs, and the greater CVE community.

Thank you for your ongoing feedback and please keep providing it.

Regards,
The CVE Team

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho
Sent: Thursday, May 11, 2017 ??:55 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: MITRE/Board transparency
Importance: High

MITRE, my last mail regarding Google/bots showed three issues where MITRE was not as transparent with the Board as they should be. This is not the first time such an issue has come up. Like the "3000+ REJECT" notice we received yesterday, and the many issues NVD has spoken up about, there have been prior incidents:

  Very important information for the Editorial Board [1]

  Since CVE was released in 1999, the world has changed dramatically, and we are rapidly preparing to meet the security needs of researchers who need access to vulnerability IDs. To that end, MITRE will begin a pilot project addressing rapid-response CVE-IDs on Monday, March 21, 2016. We want to emphasize that this is in no way an attempt to bypass the Editorial Board, but rather an experimental step toward the federated community vulnerability ID approach that has been discussed over the past few years. We will work closely with the Board to evaluate the results of the pilot and to work together on a long-term solution that continues to expand coverage going forward. Details of the pilot are provided in the press release below, which will be posted to the CVE-ANNOUNCE mailing list and the CVE website later today. It is important to note that this approach was chosen to avoid conflicts with the existing CVE operational processes currently in place; the IDs issued under the federated scheme in the pilot will not be analyzed and incorporated into the CVE List or feeds. There will be no effect on external operations; all in-scope vulnerabilities will continue to be handled as they are now.

If we recall, this decision was not brought to the Board at all. Once the Board learned of it, there was immediate question and criticism [2]. Only after that did MITRE first say they would like to discuss the issue/change with the Board [3].

In that spirit, after showing two times where MITRE was clearly not transparent, the first on an annoyance and the second on an industry-impacting change, I would like to bring to the Board's attention another. This one may be more critical than any we have seen.

On 2017-04-10, in one of my *many* mails to CVE that are done outside of the Board list, usually challenging them on breaking their own policies, auditing the declining quality of CVE assignments, or similar issues, I brought up a 'small' point in one of those emails.

The relevant bit can be found at the end of this email. The important part is that I called MITRE out for what is arguably the biggest event in CVE's history as far as "no confidence" and concern over the management of CVE. The fact that I had to hear about it from a CNA is interesting, as this should have been brought to the Board's attention immediately by MITRE. When I brought it up in email, I told them that I expected a mail to the Board with MITRE's statement two days later. Instead, MITRE opted NOT to bring it to the Board's attention. Instead, they replied to my very long mail that took over an hour to write, detailing numerous examples to back my statements showing that CVE was failing to adhere to their own abstraction rules, as well as other rules, by saying:

  First, you bring up a number of things in your message which are all important and all should be discussed fully and transparently. We encourage you to share this message with the Board so we can discuss it with the whole Board's input. We can also forward it along, if you'd prefer to begin the conversation.

  We encourage you to share this message with the Board so we can discuss it with the whole Board's input.

Since I clearly stated "I expect a mail to the Board and CNA list no later than Wednesday about this", note both the Board *and* CNA list, their deferral to have me bring it up on list is unacceptable. Especially given the severity of the topic. I waited several weeks for them to bring it up on their own, and they did not.

Quite simply, this is a lack of transparency in a tax-payer funded, government run initiative that impacts the entire IT industry. This is not acceptable, and we all deserve better. So I am formally requesting, on list, that all correspondence between MITRE and Congress be sent to the list as well. Any correspondence is subject to FOIA and is not privileged, like many other aspects of MITRE's management of CVE (e.g. exact budgets, salaries, expenditures).

Given your past claims of wanting to be transparent, this is your chance to restore some faith in that claim.

Brian

[1] https://cve.mitre.org/data/board/archives/2016-03/msg00017.html
[2] https://cve.mitre.org/data/board/archives/2016-03/msg00016.html
    https://cve.mitre.org/data/board/archives/2016-03/msg00015.html
[3] https://cve.mitre.org/data/board/archives/2016-03/msg00019.html

- - - - - - - - - - - - - - - - - - - - - -

Forwarded message:
From: jericho <jericho@attrition.org>
To: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
Cc: "Coffin, Chris" <ccoffin@mitre.org>, Common Vulnerabilities and Exposures <cve@mitre.org>
Date: Mon, 10 Apr 2017 02:37:13 -0500 (CDT)

[..]

https://energycommerce.house.gov/news-center/letters/letters-dhs-and-mitre-regarding-performance-critical-cyber-database

Congress is investigating MITRE and its shortcomings. Pretty big news, and I missed this entirely until a CNA brought the issue to my attention. They sat on it for three days before telling me and starting to ask questions.

Please consider the above. Now that it has been raised, I expect a mail to the Board and CNA list no later than Wednesday. The Board should have MITRE's official response addressing these issues. At least one CNA is worried about this and unwilling to bring their questions directly to MITRE. We all deserve to know what is going on.

[..]

Page Last Updated or Reviewed: May 15, 2017