DWF Open Source CNA requirements:

DWF Open Source CNA requirements:

Kurt Seifried
Draft, please comment/point out any problems. This is the minimum viable product; I want to avoid SLAs/etc. since this will be used by individuals and large security teams.

DWF Open Source CNA requirements:

1. What is the name of your organization (e.g. vendor/project name, and a link to your web site)?
2. You must agree to the MITRE CVE Terms of Use (https://cve.mitre.org/about/termsofuse.html).
3. You must agree to the MITRE CNA Rules (http://cveproject.github.io/docs/).
4. What software specifically will you be assigning CVEs for? This can be everything you ship, or a limited subset; either way the DWF will require a list of names at a minimum, ideally with URLs to the software.
5. You must provide a public method (e.g. no login required) for published CVEs (e.g. a product ChangeLog or a security page with a list of CVEs and the minimum information as specified in the CNA Rules).
6. You must have an email address/web page for people to report security issues in your covered products that may need CVEs (basically you need some sort of pre-existing security process that can at a minimum identify whether something is a security vulnerability, and then assign a CVE for it that can be made public at some point).
7. How many CVEs per year do you expect to need? The DWF allocates in blocks of 10, 20, 50, 100; if you consistently need more, we can assign additional blocks. If a block is unused for a long time we may return it to the DWF pool (method to be determined).
8. You must provide the DWF a minimum of one contact person on your CNA team (note that this can simply be your existing security team) and contact information in the form of an email address that they actually check (e.g. their work email address). This can be kept private if you wish; it must be kept up to date (e.g. if they leave the CNA).
9. You must have at least one GitHub account to submit pull requests against the DWF-Database and DWF-Database-Artifacts repos.
10. Once a CVE is made public (e.g. you have fixed the issue) you must tell the DWF within 24 hours (by pull request to the DWF-Database-Artifacts at a minimum, and optionally the DWF-Database as well) using the minimum DWF-Database-Artifact specification currently in use (https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/JSON-file-format-CURRENT.md).



--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: DWF Open Source CNA requirements:

Art Manion
On 2016-11-06 16:03, Kurt Seifried wrote:

> 4. What software specifically will you be assigning CVEs for (this can
> be everything you ship, or a limited subset, either way the DWF will
> require a list of names at a minimum, ideally with URLs to the software)

Is something general allowed, e.g., non-vendor CNAs that might have
broad/not-known-in-advance coverage?

> 5. You must provide a public method (e.g. no login required) for
> published CVEs (e.g. product ChangeLog or a security page with a list of
> CVEs and minimum information as specified in the CNA Rules)

As soon as it's worked out, publication must be in the standard minimum
CVE format and published using the standard transport.

> 10. Once a CVE is made public (e.g. you have fixed the issue) you must
> tell the DWF within 24 hours (by pull request to the
> DWF-Database-Artifacts at a minimum, and optionally the DWF-Database as
> well) using the minimum DWF-Database-Artifact specification currently in
> use
> (https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/JSON-file-format-CURRENT.md)

Is performing #10 not the same as #5?

 - Art

Re: DWF Open Source CNA requirements:

Kurt Seifried


On Mon, Nov 7, 2016 at 7:54 AM, Art Manion <[hidden email]> wrote:
> On 2016-11-06 16:03, Kurt Seifried wrote:
>
>> 4. What software specifically will you be assigning CVEs for (this can
>> be everything you ship, or a limited subset, either way the DWF will
>> require a list of names at a minimum, ideally with URLs to the software)
>
> Is something general allowed, e.g., non-vendor CNAs that might have
> broad/not-known-in-advance coverage?

Right now I want to focus on the process for "Easy" CNAs; the problem with researchers I plan to discuss Tuesday/Wednesday so we can figure out a framework that will hopefully prevent problems/abuse.

>> 5. You must provide a public method (e.g. no login required) for
>> published CVEs (e.g. product ChangeLog or a security page with a list of
>> CVEs and minimum information as specified in the CNA Rules)
>
> As soon as it's worked out, publication must be in the standard minimum
> CVE format and published using the standard transport.
>
>> 10. Once a CVE is made public (e.g. you have fixed the issue) you must
>> tell the DWF within 24 hours (by pull request to the
>> DWF-Database-Artifacts at a minimum, and optionally the DWF-Database as
>> well) using the minimum DWF-Database-Artifact specification currently in
>> use
>> (https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/JSON-file-format-CURRENT.md)
>
> Is performing #10 not the same as #5?

No, I want them to also maintain a security page/changelog at a minimum. People using software from a CNA shouldn't have to watch the DWF/MITRE for notification of CVEs; the CNA should also be publishing them.

>  - Art

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]