New CNAs

New CNAs

Adinolfi, Daniel R

All,

 

As you probably remember, Intel expressed an interest in becoming a CNA, and they have since been working through the on-boarding process. We are pleased to announce the Intel team is ready to assign CVE IDs, and we are adding them to the CNA list COB Friday. This CNA will cover Intel and McAfee products.

 

The Apache Software Foundation has been involved with CVE assignment through Red Hat and through a long history of vulnerability management. We are also adding them to the CNA list COB Friday. This CNA will cover all software developed under the Apache Software Foundation.

 

Both teams have shown that they understand the assignment process and know what content needs to be provided for creating useful descriptions.

 

Please let us know if you have any questions.

 

-Dan

_________________________

Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Communications and CNA Coordinator

Email: <[hidden email]>  Phone: 781-271-5774

Re: New CNAs

Kurt Seifried
Just to confirm the Apache foundation will be a "Traditional" CNA, e.g. under MITRE directly, not under the DWF (in other words I want to confirm that they get their CVE blocks from MITRE)? Thanks.

On Wed, Aug 17, 2016 at 1:54 PM, Adinolfi, Daniel R <[hidden email]> wrote:
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]
Re: New CNAs

Mark J Cox
> Just to confirm the Apache foundation will be a "Traditional" CNA, e.g.
> under MITRE directly, not under the DWF (in other words I want to confirm
> that they get their CVE blocks from MITRE)? Thanks.

Correct, Apache is a traditional CNA and we have a block from Mitre already
and have switched to it.  Mark.
Re: New CNAs

Kurt Seifried
Awesome, any word on OpenSSL becoming a traditional CNA?

On Sun, Aug 21, 2016 at 12:22 PM, Mark J Cox <[hidden email]> wrote:
Re: New CNAs

Mark J Cox
> Awesome, any word on OpenSSL becoming a traditional CNA?

We (OpenSSL) haven't asked to be one yet.  I think it needs a little more
thought and consideration because it doesn't really make sense to have
every OSS project which releases only a handful of CVEs a year have the
overhead of being a CNA.  It made sense for Apache (since the ASF security
team is an umbrella, similar to DWF in a way, to hundreds of other
projects, each with their own processes and policies, and we churn through
a lot of CVEs, and where the DWF process would actually be more overhead).

So I was planning to hedge our bets, continuing to take OpenSSL issues
from the Red Hat CNA pool, and wait a few months to see what makes sense.

Mark