New Researcher guidelines

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

New Researcher guidelines

Landfield, Kent B

I see MITRE announced new Researcher Reservation Guidelines... In the new Guidelines it states:

 

4. Requests to third-party coordinator CNAs or email lists.

If a CVE ID cannot be requested through a CNA, consider contacting a third party coordinator such as an emergency response or vulnerability analysis team (e.g., CERT/CC), especially when there are problems in contacting the affected vendor. If the request is accepted, that organization will work to have a CVE ID assigned to the issue. Or, you may post the information to mailing lists such as BugTraq or oss-security and, if accepted, the issue will eventually be assigned a CVE ID by a CNA.

 

Where did this come from?  I believe you are setting CVE up for more Researcher distain by not making it an official process with specificity.  If people just anticipate a CVE because they posted to some random mailing list as written, they will get frustrated when they don’t get one. 

 

This whole document should have been sent to the Board list before it was posted.  Was this discussed in the F2F when I was out of the room?  I can’t find it posted to the Board list. I was under the impression that MITRE had agreed to keep the Board informed on these type of things before they are made public.  Where is the alignment and transparency of actions?

 

I believe the “Or statement’ should either be rewritten for real clarity and much less ambiguity OR it should be removed entirely. I believe this was an error that will cause issues for us in the future.  Be specific, be articulate. Do not be general in such a way to create unreasonable expectations within the researcher community...

 

And why was the Board not informed earlier???

 

Kent Landfield

Intel Corporation

+1.817.637.8026

 

 

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: New Researcher guidelines

Coffin, Chris

Hey Kent,

 

Even though the News article (http://cve.mitre.org/news/archives/2017/news.html#january122017_Researcher_Reservation_Guidelines_Document_Now_Available) reads as if it’s a new document, the content of the document has not changed since August 2016 when it was first shared with the Board and the public on Github (http://cveproject.github.io/docs/requester/reservation-guidelines.html). The only change was that the document was moved to the CVE website.

 

As for the bolded sentence, you are correctly pointing out something that very obviously should be revisited. This statement, and potentially other statements within the document may not align with the current processes being used by the team. I am ok with immediately removing the sentence starting with “Or” if there are no objections from anybody else. The other action item which you have also correctly brought to the table, would be to schedule a discussion in a future Board call along with providing ample time for a Board review of the document.

 

We have a Board meeting Wednesday of next week. However, my assumption is that this is too short of notice to review and provide feedback. My suggestion would be that Board members review and provide feedback on the current guidelines and provide feedback before the following Board call (Feb 8). We could discuss any steps to be taken in that meeting based on the feedback received. Does anyone have any objections to this plan?

 

Chris Coffin

The CVE Team

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Landfield, Kent B
Sent: Friday, January 20, 2017 10:35 AM
To: cve-editorial-board-list <[hidden email]>
Subject: New Researcher guidelines

 

I see MITRE announced new Researcher Reservation Guidelines... In the new Guidelines it states:

 

4. Requests to third-party coordinator CNAs or email lists.

If a CVE ID cannot be requested through a CNA, consider contacting a third party coordinator such as an emergency response or vulnerability analysis team (e.g., CERT/CC), especially when there are problems in contacting the affected vendor. If the request is accepted, that organization will work to have a CVE ID assigned to the issue. Or, you may post the information to mailing lists such as BugTraq or oss-security and, if accepted, the issue will eventually be assigned a CVE ID by a CNA.

 

Where did this come from?  I believe you are setting CVE up for more Researcher distain by not making it an official process with specificity.  If people just anticipate a CVE because they posted to some random mailing list as written, they will get frustrated when they don’t get one. 

 

This whole document should have been sent to the Board list before it was posted.  Was this discussed in the F2F when I was out of the room?  I can’t find it posted to the Board list. I was under the impression that MITRE had agreed to keep the Board informed on these type of things before they are made public.  Where is the alignment and transparency of actions?

 

I believe the “Or statement’ should either be rewritten for real clarity and much less ambiguity OR it should be removed entirely. I believe this was an error that will cause issues for us in the future.  Be specific, be articulate. Do not be general in such a way to create unreasonable expectations within the researcher community...

 

And why was the Board not informed earlier???

 

Kent Landfield

Intel Corporation

+1.817.637.8026

 

 

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: New Researcher guidelines

Landfield, Kent B

Sorry, I am confused. You put something on github, ask a question and give the impression it is a work in progress (WIP) and then post it as a completed policy with no notification to the Board?  I think there should have been some notification a WIP to a policy/public guideline was occurring.  It does not appear the CNAs were notified via the mailing list.  I did not find anything on the CNA list.  It affects them. Did they get sent something out-of-band?

 

I can provide feedback by then.  I guess I will need to review every single WIP document on github...

 

---

Kent Landfield

+1.817.637.8026

 

From: "Coffin, Chris" <[hidden email]>
Date: Friday, January 20, 2017 at 11:48 AM
To: Kent Landfield <[hidden email]>, cve-editorial-board-list <[hidden email]>
Subject: RE: New Researcher guidelines

 

Hey Kent,

 

Even though the News article (http://cve.mitre.org/news/archives/2017/news.html#january122017_Researcher_Reservation_Guidelines_Document_Now_Available) reads as if it’s a new document, the content of the document has not changed since August 2016 when it was first shared with the Board and the public on Github (http://cveproject.github.io/docs/requester/reservation-guidelines.html). The only change was that the document was moved to the CVE website.

 

As for the bolded sentence, you are correctly pointing out something that very obviously should be revisited. This statement, and potentially other statements within the document may not align with the current processes being used by the team. I am ok with immediately removing the sentence starting with “Or” if there are no objections from anybody else. The other action item which you have also correctly brought to the table, would be to schedule a discussion in a future Board call along with providing ample time for a Board review of the document.

 

We have a Board meeting Wednesday of next week. However, my assumption is that this is too short of notice to review and provide feedback. My suggestion would be that Board members review and provide feedback on the current guidelines and provide feedback before the following Board call (Feb 8). We could discuss any steps to be taken in that meeting based on the feedback received. Does anyone have any objections to this plan?

 

Chris Coffin

The CVE Team

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Landfield, Kent B
Sent: Friday, January 20, 2017 10:35 AM
To: cve-editorial-board-list <[hidden email]>
Subject: New Researcher guidelines

 

I see MITRE announced new Researcher Reservation Guidelines... In the new Guidelines it states:

 

4. Requests to third-party coordinator CNAs or email lists.

If a CVE ID cannot be requested through a CNA, consider contacting a third party coordinator such as an emergency response or vulnerability analysis team (e.g., CERT/CC), especially when there are problems in contacting the affected vendor. If the request is accepted, that organization will work to have a CVE ID assigned to the issue. Or, you may post the information to mailing lists such as BugTraq or oss-security and, if accepted, the issue will eventually be assigned a CVE ID by a CNA.

 

Where did this come from?  I believe you are setting CVE up for more Researcher distain by not making it an official process with specificity.  If people just anticipate a CVE because they posted to some random mailing list as written, they will get frustrated when they don’t get one. 

 

This whole document should have been sent to the Board list before it was posted.  Was this discussed in the F2F when I was out of the room?  I can’t find it posted to the Board list. I was under the impression that MITRE had agreed to keep the Board informed on these type of things before they are made public.  Where is the alignment and transparency of actions?

 

I believe the “Or statement’ should either be rewritten for real clarity and much less ambiguity OR it should be removed entirely. I believe this was an error that will cause issues for us in the future.  Be specific, be articulate. Do not be general in such a way to create unreasonable expectations within the researcher community...

 

And why was the Board not informed earlier???

 

Kent Landfield

Intel Corporation

+1.817.637.8026

 

 

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: New Researcher guidelines

Coffin, Chris

Along with most of the documents available in Github and on the CVE web site, I share the opinion that the Researcher Reservation Guidelines is still a WIP. However, based on the current processing of requests we felt that the document should be more broadly accessible and should be published on the CVE web site. Even in its current form, the document can serve to answer questions that the community (specifically researchers) might have when going through the process.

 

We will continue to update the document when useful feedback is received, and we can continue to receive this feedback via Github as well. How we go about notifying the Board of these changes is probably something we should discuss in a future Board call. For example, would the Board want to approve minor updates, or just major items such as changes to the steps in question, etc?

 

Chris

 

From: Landfield, Kent B [mailto:[hidden email]]
Sent: Friday, January 20, 2017 12:34 PM
To: Coffin, Chris <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: New Researcher guidelines

 

Sorry, I am confused. You put something on github, ask a question and give the impression it is a work in progress (WIP) and then post it as a completed policy with no notification to the Board?  I think there should have been some notification a WIP to a policy/public guideline was occurring.  It does not appear the CNAs were notified via the mailing list.  I did not find anything on the CNA list.  It affects them. Did they get sent something out-of-band?

 

I can provide feedback by then.  I guess I will need to review every single WIP document on github...

 

---

Kent Landfield

+1.817.637.8026

 

From: "Coffin, Chris" <[hidden email]>
Date: Friday, January 20, 2017 at 11:48 AM
To: Kent Landfield <[hidden email]>, cve-editorial-board-list <[hidden email]>
Subject: RE: New Researcher guidelines

 

Hey Kent,

 

Even though the News article (http://cve.mitre.org/news/archives/2017/news.html#january122017_Researcher_Reservation_Guidelines_Document_Now_Available) reads as if it’s a new document, the content of the document has not changed since August 2016 when it was first shared with the Board and the public on Github (http://cveproject.github.io/docs/requester/reservation-guidelines.html). The only change was that the document was moved to the CVE website.

 

As for the bolded sentence, you are correctly pointing out something that very obviously should be revisited. This statement, and potentially other statements within the document may not align with the current processes being used by the team. I am ok with immediately removing the sentence starting with “Or” if there are no objections from anybody else. The other action item which you have also correctly brought to the table, would be to schedule a discussion in a future Board call along with providing ample time for a Board review of the document.

 

We have a Board meeting Wednesday of next week. However, my assumption is that this is too short of notice to review and provide feedback. My suggestion would be that Board members review and provide feedback on the current guidelines and provide feedback before the following Board call (Feb 8). We could discuss any steps to be taken in that meeting based on the feedback received. Does anyone have any objections to this plan?

 

Chris Coffin

The CVE Team

 

From: [hidden email] [[hidden email]] On Behalf Of Landfield, Kent B
Sent: Friday, January 20, 2017 10:35 AM
To: cve-editorial-board-list <[hidden email]>
Subject: New Researcher guidelines

 

I see MITRE announced new Researcher Reservation Guidelines... In the new Guidelines it states:

 

4. Requests to third-party coordinator CNAs or email lists.

If a CVE ID cannot be requested through a CNA, consider contacting a third party coordinator such as an emergency response or vulnerability analysis team (e.g., CERT/CC), especially when there are problems in contacting the affected vendor. If the request is accepted, that organization will work to have a CVE ID assigned to the issue. Or, you may post the information to mailing lists such as BugTraq or oss-security and, if accepted, the issue will eventually be assigned a CVE ID by a CNA.

 

Where did this come from?  I believe you are setting CVE up for more Researcher distain by not making it an official process with specificity.  If people just anticipate a CVE because they posted to some random mailing list as written, they will get frustrated when they don’t get one. 

 

This whole document should have been sent to the Board list before it was posted.  Was this discussed in the F2F when I was out of the room?  I can’t find it posted to the Board list. I was under the impression that MITRE had agreed to keep the Board informed on these type of things before they are made public.  Where is the alignment and transparency of actions?

 

I believe the “Or statement’ should either be rewritten for real clarity and much less ambiguity OR it should be removed entirely. I believe this was an error that will cause issues for us in the future.  Be specific, be articulate. Do not be general in such a way to create unreasonable expectations within the researcher community...

 

And why was the Board not informed earlier???

 

Kent Landfield

Intel Corporation

+1.817.637.8026

 

 

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: New Researcher guidelines

Landfield, Kent B

Chris, All,

 

I have no issue with MITRE putting up documents and guidelines they believe would be beneficial. However, I believe that before a new policy or guidance documents are posted, it would be professional to inform the Board.  My advice would have resulted in minor changes as was earlier indicated and this all could have been avoided. The document could have gone from a WIP to final in a very short time. We are supposed to advise and support.  We have had this situation occur before and were promised we would not be caught off guard again.  But again, here we are.

 

We can and should discuss what type of ‘changes’ might or might not be appropriate to notify the Board about, but it is clear that this sort of ‘new document’ to inform the community should have been actively reviewed shortly before it was posted.  As we have seen over the past 9 months, the Board can be, has been and will be responsive and timely.  Give us that chance and you will find support in getting it right...

 

I will step down off my soapbox now... ;-)

 

---

Kent Landfield

+1.817.637.8026

 

From: "Coffin, Chris" <[hidden email]>
Date: Friday, January 20, 2017 at 1:50 PM
To: Kent Landfield <[hidden email]>, cve-editorial-board-list <[hidden email]>
Subject: RE: New Researcher guidelines

 

Along with most of the documents available in Github and on the CVE web site, I share the opinion that the Researcher Reservation Guidelines is still a WIP. However, based on the current processing of requests we felt that the document should be more broadly accessible and should be published on the CVE web site. Even in its current form, the document can serve to answer questions that the community (specifically researchers) might have when going through the process.

 

We will continue to update the document when useful feedback is received, and we can continue to receive this feedback via Github as well. How we go about notifying the Board of these changes is probably something we should discuss in a future Board call. For example, would the Board want to approve minor updates, or just major items such as changes to the steps in question, etc?

 

Chris

 

From: Landfield, Kent B [mailto:[hidden email]]
Sent: Friday, January 20, 2017 12:34 PM
To: Coffin, Chris <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: New Researcher guidelines

 

Sorry, I am confused. You put something on github, ask a question and give the impression it is a work in progress (WIP) and then post it as a completed policy with no notification to the Board?  I think there should have been some notification a WIP to a policy/public guideline was occurring.  It does not appear the CNAs were notified via the mailing list.  I did not find anything on the CNA list.  It affects them. Did they get sent something out-of-band?

 

I can provide feedback by then.  I guess I will need to review every single WIP document on github...

 

---

Kent Landfield

+1.817.637.8026

 

From: "Coffin, Chris" <[hidden email]>
Date: Friday, January 20, 2017 at 11:48 AM
To: Kent Landfield <[hidden email]>, cve-editorial-board-list <[hidden email]>
Subject: RE: New Researcher guidelines

 

Hey Kent,

 

Even though the News article (http://cve.mitre.org/news/archives/2017/news.html#january122017_Researcher_Reservation_Guidelines_Document_Now_Available) reads as if it’s a new document, the content of the document has not changed since August 2016 when it was first shared with the Board and the public on Github (http://cveproject.github.io/docs/requester/reservation-guidelines.html). The only change was that the document was moved to the CVE website.

 

As for the bolded sentence, you are correctly pointing out something that very obviously should be revisited. This statement, and potentially other statements within the document may not align with the current processes being used by the team. I am ok with immediately removing the sentence starting with “Or” if there are no objections from anybody else. The other action item which you have also correctly brought to the table, would be to schedule a discussion in a future Board call along with providing ample time for a Board review of the document.

 

We have a Board meeting Wednesday of next week. However, my assumption is that this is too short of notice to review and provide feedback. My suggestion would be that Board members review and provide feedback on the current guidelines and provide feedback before the following Board call (Feb 8). We could discuss any steps to be taken in that meeting based on the feedback received. Does anyone have any objections to this plan?

 

Chris Coffin

The CVE Team

 

From: [hidden email] [[hidden email]] On Behalf Of Landfield, Kent B
Sent: Friday, January 20, 2017 10:35 AM
To: cve-editorial-board-list <[hidden email]>
Subject: New Researcher guidelines

 

I see MITRE announced new Researcher Reservation Guidelines... In the new Guidelines it states:

 

4. Requests to third-party coordinator CNAs or email lists.

If a CVE ID cannot be requested through a CNA, consider contacting a third party coordinator such as an emergency response or vulnerability analysis team (e.g., CERT/CC), especially when there are problems in contacting the affected vendor. If the request is accepted, that organization will work to have a CVE ID assigned to the issue. Or, you may post the information to mailing lists such as BugTraq or oss-security and, if accepted, the issue will eventually be assigned a CVE ID by a CNA.

 

Where did this come from?  I believe you are setting CVE up for more Researcher distain by not making it an official process with specificity.  If people just anticipate a CVE because they posted to some random mailing list as written, they will get frustrated when they don’t get one. 

 

This whole document should have been sent to the Board list before it was posted.  Was this discussed in the F2F when I was out of the room?  I can’t find it posted to the Board list. I was under the impression that MITRE had agreed to keep the Board informed on these type of things before they are made public.  Where is the alignment and transparency of actions?

 

I believe the “Or statement’ should either be rewritten for real clarity and much less ambiguity OR it should be removed entirely. I believe this was an error that will cause issues for us in the future.  Be specific, be articulate. Do not be general in such a way to create unreasonable expectations within the researcher community...

 

And why was the Board not informed earlier???

 

Kent Landfield

Intel Corporation

+1.817.637.8026

 

 

Loading...