[ Date Prev ][ Date Next ][ Thread Prev ][ Thread Next ][ Date Index ][ Thread Index ]

RE: New CNA - Booz Allen Hamilton

To : "Coffin, Chris" < ccoffin@mitre.org >
Subject : RE: New CNA - Booz Allen Hamilton
From : jericho < jericho@attrition.org >
Date : Mon, 6 Nov 2017 15:46:18 -0600
Authentication-results : spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
Cc : cve-editorial-board-list < cve-editorial-board-list@lists.mitre.org >
Delivery-date : Mon Nov 6 16:59:55 2017
Importance : high
In-reply-to : < MWHPR09MB145642C998709E75B4C487C9A1500@MWHPR09MB1456.namprd09.prod.outlook.com >
List-help : < mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST >
List-owner : < mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG >
List-subscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG >
List-unsubscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG >
References : < A62F8A57-2B88-4230-A5BC-E7E6AFC7FAE4@mitre.org > < 300CD105-1EAB-4F10-B1CA-FBA6368CFE4C@mcafee.com > < MWHPR09MB145642C998709E75B4C487C9A1500@MWHPR09MB1456.namprd09.prod.outlook.com >
Sender : < owner-cve-editorial-board-list@lists.mitre.org >
Spamdiagnosticmetadata : 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput : 1:2
User-agent : Alpine 2.00 (LNX 1167 2008-08-23)

On Mon, 6 Nov 2017, Coffin, Chris wrote:

: In this case, BAH was interested and was willing to participate in
the
: program as a CNA for their own products. They are also willing to
fill
: the gaps where other CNAs do not provide coverage. Our understanding
: from the discussion was that this CNA falls into the category of a
large
: and established organization that should be part of the CVE program,
: especially if they are reaching out to us to participate. It was the
: smaller research organizations that were the issue, right?

In the interest of transparency, and because I don't know if this
represents a conflict or not, or is tangentially related... but could
NIST/NVD clarify BAH's current role in the NVD process?

For those not aware, for several years NIST would out-source the NVD
meta-data generation (e.g. CPE, CVSS scoring) to junior BAH
consultants. I
don't know how long that went on, if it is still does, or if they
changed
vendors over the year.

I had asked both MITRE and NVD many years back about their involvement
in
the context of "when they find an error in a CVE, who do they report
to"
and I don't recall getting a real answer other than what in my memory
was
bureaucratic speak for "don't worry, it's handled".

.b

Follow-Ups :
- RE: New CNA - Booz Allen Hamilton
  - From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>

References :
- New CNA - Booz Allen Hamilton
  - From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
- Re: New CNA - Booz Allen Hamilton
  - From: "Landfield, Kent" <Kent_Landfield@McAfee.com>
- RE: New CNA - Booz Allen Hamilton
  - From: "Coffin, Chris" <ccoffin@mitre.org>

Prev by Date: Re: New CNA - Booz Allen Hamilton
Next by Date: Re: New CNA - Booz Allen Hamilton
Previous by thread: RE: New CNA - Booz Allen Hamilton
Next by thread: RE: New CNA - Booz Allen Hamilton
Index(es):
- Date
- Thread