Thanks, Kurt.
I read your note into the record. Feel better soon.
-Dan
From: Kurt Seifried <kseifried@redhat.com>
My throat is mostly packed up today, so mostly what I have to report:
1) need CNA/CVE training material to mint more CVE Mentors (since I can't just use existing trained people =)
2) there is definitely interest in CVE Mentors becoming CNAs for third party projects (e.g. Adam Caudill doing WordPress)
One thing that I forgot to mention on the CVE automation WG yesterday but is worth thinking about both for them and the board:
CNAs are required to push data to their parents and ultimately to MITRE, BUT:
How does data from MITRE or data that goes directly to MITRE filter back up the patch?
E.g. DWF CNA creates CVE-XXXX-YYYYYYY and pushes to the DWF which pushes it to MITRE. Then an existing root CNA, say a commercial one, comes along and updates the CVE root level description. How does that updated description go back up the chain to the DWF/child CNA? Do we care? My concern is ending up with different versions of a CVE that become difficult to merge (e.g. a DWF sub CNA updates the root description and then tries to send that up the line to MITRE).
This won't be a problem for some time I suspect, but it will become a problem eventually.
On Wed, Mar 8, 2017 at 11:59 AM, Adinolfi, Daniel R <dadinolfi@mitre.org> wrote:
--