Re: CNA Rules Announcement



Chris,

On Fri, 7 Oct 2016, Coffin, Chris wrote:

: On Monday, October 10th, all CNAs should be assigning CVE IDs based
: on the new CNA rules listed here:
:
: <http://cveproject.github.io/docs/cna/CNA%20Rules%20v1.1.docx>

Just to be clear, does this mean MITRE has reached out to all of the
current CNAs and informed them of the new rules?

: As you use these new rules, please feel free to share any feedback you
: might have with the rest of the CNA community and MITRE. We would like
: to understand what is working and what isn't so that the rules evolve to
: meet the needs of the program and so that additional guidance and
: training can be developed based on what we collectively learn. You can
: share your feedback through the cve-cna-list mailing list or directly to
: MITRE through the CVE Web Form.

How should we approach CNAs that are violating these rules, via a
long-term string of violations regarding an assignment? For example, IBM
has been using CVE-2014-8730 for their products despite the early change
in the entry from MITRE specifically designating it for F5 products only.
I have contacted IBM half a dozen times over the last year or more
pointing out examples of this. Their most recent mis-use of this CVE was
on Sep 19 (http://www-01.ibm.com/support/docview.wss?uid=swg21390112).
Moving forward, if they continue to mis-use 2014-8730, what is the best
course of action since contacting them doesn't seem to help?

Thanks,

Brian


Page Last Updated or Reviewed: October 10, 2016