On the topic of MITRE/Board transparency


On the topic of MITRE/Board transparency

jericho
MITRE,

My last mail regarding the Google/robots.txt issue demonstrates that MITRE
is not as transparent as they should be with the board. This is hardly the
first time such an issue has come up. Like the "3000+ rejected" notice we
received yesterday, that many had a problem with, and NVD spoke up about,
there have been previous incidents:

Very Important Message for the Editorial Board [1]

    The world has changed significantly since CVE was released in 1999, and
    we are moving out rapidly to satisfy the needs of security researchers
    who need ready access to vulnerability IDs. To that end, MITRE will
    begin a pilot program to address rapid-response CVE-IDs on Monday, 21
    March 2016. We wish to underscore that this is in no way an attempt to
    circumvent the Editorial Board but is rather an experimental step
    toward the federated vulnerability ID methodology that the community
    has been discussing over the past several years. We will work closely
    with the Board to evaluate the results of the pilot and to work
    together to develop a long-term solution that continues to expand
    coverage moving forward.

    Details of the pilot program are provided in the Press Release below,
    which will be published to the CVE-ANNOUNCE email list and to the CVE
    web site later today. It is important to note that this approach was
    chosen to avoid any conflict with the existing CVE process as it is
    currently operating, and that the IDs issued under the federated scheme
    during the pilot will not be analyzed and incorporated into the CVE
    list or feeds. There will be no effect on external operations; all
    in-scope vulnerabilities will be handled as they are now.

If we recall, this decision was not brought to the board at all. Once the
Board learned of it, there was immediate question and criticism [2]. Only
after that did MITRE first say they would like to discuss the issue/change
with the board [3].

In that spirit, after showing two times where MITRE was clearly not
transparent, the first on an annoyance and the second on an
industry-impacting change, I would like to bring to the Board's attention
another. This one may be more critical than any we have seen.

On 2017-04-10, in one of my *many* mails to CVE that are done outside of
the board list, usually challenging them on breaking their own policies,
auditing the declining quality of CVE assignments, or similar issues, I
brought up a 'small' point in one of those emails. The relevant bit can be
found at the end of this email.

The important part is that I called MITRE out for what is arguably the
biggest event in CVE's history as far as "no confidence" and concern over
the management of CVE. The fact that I had to hear about it from a CNA is
interesting, as this should have been brought to the board's attention
immediately by MITRE. When I brought it up in email, I told them that I
expected a mail to the board with MITRE's statement two days later.

Instead, MITRE opted NOT to bring it to the board's attention. Instead,
they replied to my very long mail that took over an hour to write,
detailing numerous examples to back my statements showing that CVE was
failing to adhere to their own abstraction rules, as well as other rules,
by saying:

    First, you bring up a number of things in your message which are all
    important and all should be discussed fully and transparently. We
    encourage you to share this message with the Board so we can discuss it
    with the whole Board's input. We can also forward it along, if you'd
    prefer to begin the conversation.

    We encourage you to share this message with the Board so we can discuss
    it with the whole Board's input.

Since I clearly stated "I expect a mail to the Board and CNA list no later
than Wednesday about this", note both the board *and* CNA list, their
deferral to have me bring it up on list is unacceptable. Especially given
the severity of the topic. I waited several weeks for them to bring it up
on their own, and they did not.

Quite simply, this is a lack of transparency in a taxpayer-funded,
government-run initiative that impacts the entire IT industry. This is not
acceptable, and we all deserve better.

So I am formally requesting, on list, that all correspondence between
MITRE and Congress be sent to the list as well. Any correspondence is
subject to FOIA and is not privileged, like many other aspects of MITRE's
management of CVE (e.g. exact budgets, salaries, expenditures). Given your
past claims of wanting to be transparent, this is your chance to restore
some faith in that claim.

Brian

[1] https://cve.mitre.org/data/board/archives/2016-03/msg00017.html
[2] https://cve.mitre.org/data/board/archives/2016-03/msg00016.html
     https://cve.mitre.org/data/board/archives/2016-03/msg00015.html
[3] https://cve.mitre.org/data/board/archives/2016-03/msg00019.html

---------- Forwarded message ----------
From: jericho <[hidden email]>
To: "Adinolfi, Daniel R" <[hidden email]>
Cc: "Coffin, Chris" <[hidden email]>,
     Common Vulnerabilities & Exposures <[hidden email]>
Date: Mon, 10 Apr 2017 02:37:13 -0500 (CDT)

[..]

https://energycommerce.house.gov/news-center/letters/letters-dhs-and-mitre-regarding-performance-critical-cyber-database

Congress is investigating MITRE and the deficiency. That is pretty big
news, and I missed this completely until a CNA brought this to my
attention. They sat on it for three days before they told me and started
asking questions.

Think about the above please.

And now that it has been brought up, I expect a mail to the Board and CNA
list no later than Wednesday about this. The Board deserves an official
reply from MITRE addressing these concerns. At least one CNA is concerned
about this, and unwilling to take their concerns to MITRE directly. We all
deserve to know what is going on.

[..]

RE: On the topic of MITRE/Board transparency

Coffin, Chris
Brian,

Congress sent an inquiry to both MITRE and DHS regarding CVE. This request is a matter of public record. We assume the responses from both MITRE and DHS will also be a matter of public record. MITRE has not yet transmitted its response to Congress. Once the response is transmitted, should Congress make it public, all members of the general public will be able to review it, including any member of the Board.
 
More importantly, MITRE looks forward to working with our colleagues to sustain the tremendous progress the program has made over the past 15 months: implementing a federated program structure including a new governance and operational model; building upon and improving the CNA rules and implementation of them; recruitment of new CNAs; improving CVE-in-a-Box artifacts; improving data exchange; expanding internationally; and continuing bimonthly collaborative sessions and working groups with our Board colleagues, the CNAs, and the greater CVE community.
 
Thank you for your ongoing feedback and please keep providing it.

Regards,

The CVE Team

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of jericho
Sent: Thursday, May 11, 2017 1:55 AM
To: cve-editorial-board-list <[hidden email]>
Subject: On the topic of MITRE/Board transparency
Importance: High

[..]

RE: On the topic of MITRE/Board transparency

Williams, Ken
Brian, thank you for bringing this to our attention.  
Chris, thanks for the reply.

As Brian emphasized, this is a very significant issue.  Considering the
prominence of other current Congressional and TLA investigations that
involve internet security, this appears to be a momentous issue for CVE.

I do have a few questions, for Mitre and Brian:

1) Why was the board never notified directly by Mitre?  That letter is
from March 31.

2) Why has Mitre not responded to Congress yet?  The due date was
2017-04-13 at the latest.

3) When do you anticipate responding to Congress?

4) Has Mitre received anything like this before from any US government
agency?

5) Brian, can you provide the name of the CNA who brought this to your
attention, and the circumstances?


Regards,
Ken Williams


> From: [hidden email] [mailto:owner-cve-
> [hidden email]] On Behalf Of Coffin, Chris
> Sent: Thursday, May 11, 2017 11:52 AM
> To: jericho <[hidden email]>
> Cc: cve-editorial-board-list <[hidden email]>
> Subject: RE: On the topic of MITRE/Board transparency
>
> [..]

Re: On the topic of MITRE/Board transparency

Scott Lawler

I share the concerns about more transparency being needed.  That's a pretty clear issue.


However, there's also another side of the coin to consider.   The Board is here to help MITRE respond to requests like this too.  


Personally, I'll commit some time to help craft the response to Congress if needed.   At a minimum, we can help edit a rough draft provided by MITRE.   Did MITRE already respond to this request or not?     


Just let us know what you need and we will help.    


Scott


From: [hidden email] <[hidden email]> on behalf of Williams, Ken <[hidden email]>
Sent: Thursday, May 11, 2017 4:42:36 PM
To: Coffin, Chris; jericho
Cc: cve-editorial-board-list
Subject: RE: On the topic of MITRE/Board transparency
 
Brian, thank you for bringing this to our attention. 
Chris, thanks for the reply.

As Brian emphasized, this is a very significant issue.  Considering the
prominence of other current Congressional and TLA investigations that
involve internet security, this appears to be a momentous issue for CVE.

I do have a few questions, for Mitre and Brian:

1) Why was the board never notified directly by Mitre?  That letter is
from March 31.

2) Why has Mitre not responded to Congress yet?  The due date was
2017-04-13 at the latest.

3) When do you anticipate responding to Congress?

4) Has Mitre received anything like this before from any US government
agency?

5) Brian, can you provide the name of the CNA who brought this to your
attention, and the circumstances?


Regards,
Ken Williams


> From: [hidden email] [mailto:owner-cve-
> [hidden email]] On Behalf Of Coffin, Chris
> Sent: Thursday, May 11, 2017 11:52 AM
> To: jericho <[hidden email]>
> Cc: cve-editorial-board-list <[hidden email]>
> Subject: RE: On the topic of MITRE/Board transparency
>
> Brian,
>
> Congress sent an inquiry to both MITRE and DHS regarding CVE. This
> request is a matter of public record. We assume the responses from both
> MITRE and DHS will also be a matter of public record. MITRE has not yet
> transmitted its response to Congress. Once the response is transmitted,
> should Congress make it public, all members of the general public will
> be able to review it, including any member of the Board.
>
> More importantly, MITRE looks forward to working with our colleagues to
> sustain the tremendous progress the program has made over the past 15
> months: implementing a federated program structure including a new
> governance and operational model; building upon and improving the CNA
> rules and implementation of them; recruitment of new CNAs; improving
> CVE-in-a-Box artifacts; improving data exchange; expanding
> internationally; and continuing bimonthly collaborative sessions and
> working groups with our Board colleagues, the CNAs, and the greater CVE
> community.
>
> Thank you for your ongoing feedback and please keep providing it.
>
> Regards,
>
> The CVE Team
>
> -----Original Message-----
> From: [hidden email] [mailto:owner-cve-
> [hidden email]] On Behalf Of jericho
> Sent: Thursday, May 11, 2017 1:55 AM
> To: cve-editorial-board-list <[hidden email]>
> Subject: On the topic of MITRE/Board transparency
> Importance: High
>
> MITRE,
>
> My last mail regarding the Google/robots.txt issue demonstrates that
> MITRE is not as transparent as they should be with the board. This is
> hardly the first time such an issue has come up. Like the "3000+
> rejected" notice we received yesterday, that many had a problem with,
> and NVD spoke up about, there have been previous incidents:
>
> Very Important Message for the Editorial Board [1]
>
>     The world has changed significantly since CVE was released in 1999,
> and
>     we are moving out rapidly to satisfy the needs of security
> researchers
>     who need ready access to vulnerability IDs. To that end, MITRE will
>     begin a pilot program to address rapid-response CVE-IDs on Monday,
> 21
>     March 2016. We wish to underscore that this is in no way an attempt
> to
>     circumvent the Editorial Board but is rather an experimental step
>     toward the federated vulnerability ID methodology that the community
>     has been discussing over the past several years. We will work
> closely
>     with the Board to evaluate the results of the pilot and to work
>     together to develop a long-term solution that continues to expand
>     coverage moving forward.
>
>     Details of the pilot program are provided in the Press Release
> below,
>     which will be published to the CVE-ANNOUNCE email list and to the
> CVE
>     web site later today. It is important to note that this approach was
>     chosen to avoid any conflict with the existing CVE process as it is
>     currently operating, and that the IDs issued under the federated
> scheme
>     during the pilot will not be analyzed and incorporated into the CVE
>     list or feeds. There will be no effect on external operations; all
>     in-scope vulnerabilities will be handled as they are now.
>
> If we recall, this decision was not brought to the board at all. Once
> the Board learned of it, there was immediate question and criticism [2].
> Only after that did MITRE first say they would like to discuss the
> issue/change with the board [3].
>
> In that spirit, after showing two times where MITRE was clearly not
> transparent, the first on an annoyance and the second on an industry-
> impacting change, I would like to bring to the Board's attention
> another. This one may be more critical than any we have seen.
>
> On 2017-04-10, in one of my *many* mails to CVE that are done outside of
> the board list, usually challenging them on breaking their own policies,
> auditing the declining quality of CVE assignments, or similar issues, I
> brought up a 'small' point in one of those emails. The relevant bit can
> be found at the end of this email.
>
> The important part is that I called MITRE out for what is arguably the
> biggest event in CVE's history as far as "no confidence" and concern
> over the management of CVE. The fact that I had to hear about it from a
> CNA is interesting, as this should have been brought to the board's
> attention immediately by MITRE. When I brought it up in email, I told
> them that i expected a mail to the board with MITRE's statement two days
> later.
>
> Instead, MITRE opted NOT to bring it to the board's attention. Instead,
> they replied to my very long mail that took over an hour to write,
> detailing numerous examples to back my statements showing that CVE was
> failing to adhere to their own abstraction rules, as well as other
> rules, by saying:
>
>     First, you bring up a number of things in your message which are all
>     important and all should be discussed fully and transparently. We
>     encourage you to share this message with the Board so we can discuss
> it
>     with the whole Board's input. We can also forward it along, if
> you're
>     prefer to begin the conversation.
>
>     We encourage you to share this message with the Board so we can
> discuss
>     it with the whole Board's input.
>
> Since I clearly stated "I expect a mail to the Board and CNA list no
> later than Wednesday about this", note both the board *and* CNA list,
> their deferral to have me bring it up on list is unacceptable.
> Especially given the severity of the topic. I waited several weeks for
> them to bring it up on their own, and they did not.
>
> Quite simply, this is a lack of transparency in a tax-payer funded,
> government run initiative that impacts the entire IT industry. This is
> not acceptable, and we all deserve better.
>
> So I am formally requesting, on list, that all correspondence between
> MITRE and Congress be sent to the list as well. Any correspondence is
> subject to FOIA and is not privileged, like many other aspects of
> MITRE's management of CVE (e.g. exact budgets, salaries, expenditures).
> Given your past claims of wanting to be transparent, this is your chance
> to restore some faith in that claim.
>
> Brian
>
> [1] https://cve.mitre.org/data/board/archives/2016-03/msg00017.html
> [2] https://cve.mitre.org/data/board/archives/2016-03/msg00016.html
>     https://cve.mitre.org/data/board/archives/2016-03/msg00015.html
> [3] https://cve.mitre.org/data/board/archives/2016-03/msg00019.html
>
> ---------- Forwarded message ----------
> From: jericho <[hidden email]>
> To: "Adinolfi, Daniel R" <[hidden email]>
> Cc: "Coffin, Chris" <[hidden email]>,
>      Common Vulnerabilities & Exposures <[hidden email]>
> Date: Mon, 10 Apr 2017 02:37:13 -0500 (CDT)
>
> [..]
>
> https://energycommerce.house.gov/news-center/letters/letters-dhs-and-mitre-regarding-performance-critical-cyber-database
>
> Congress is investigating MITRE and the deficiency. That is pretty big
> news, and I missed this completely until a CNA brought this to my
> attention. They sat on it for three days before they told me and started
> asking questions.
>
> Think about the above please.
>
> And now that it has been brought up, I expect a mail to the Board and
> CNA list no later than Wednesday about this. The Board deserves an
> official reply from MITRE addressing these concerns. At least one CNA is
> concerned about this, and unwilling to take their concerns to MITRE
> directly. We all deserve to know what is going on.
>
> [..]
RE: On the topic of MITRE/Board transparency

Millar, Thomas

This is the same committee we talked to last spring after DWF and CVE started making the news, and they are being diligent and following up to learn more about how we, and MITRE, manage the CVE program.

I believe MITRE's response has already been sent to the Committee. It is now the Committee's decision whether to release that to the public.

DHS is still preparing our response, which is quite comprehensive. To the due date for the responses - this is not a subpoena or an investigation, these are questions. Energy & Commerce Committee does not have oversight responsibilities for Homeland Security, so this is a respectful request for information about a program they deem important for the health of the economy.

From: [hidden email] [mailto:[hidden email]] On Behalf Of Scott Lawler
Sent: 11 May, 2017 16:53
To: cve-editorial-board-list <[hidden email]>
Subject: Re: On the topic of MITRE/Board transparency

I share the concerns about more transparency being needed. That's a pretty clear issue.

However, there's also another side of the coin to consider. The Board is here to help MITRE respond to requests like this too.

Personally, I'll commit some time to help craft the response to Congress if needed. At a minimum, we can help edit a rough draft provided by MITRE. Did MITRE already respond to this request or not?

Just let us know what you need and we will help.

Scott


From: [hidden email] <[hidden email]> on behalf of Williams, Ken <[hidden email]>
Sent: Thursday, May 11, 2017 4:42:36 PM
To: Coffin, Chris; jericho
Cc: cve-editorial-board-list
Subject: RE: On the topic of MITRE/Board transparency

Brian, thank you for bringing this to our attention.
Chris, thanks for the reply.

As Brian emphasized, this is a very significant issue.  Considering the
prominence of other current Congressional and TLA investigations that
involve internet security, this appears to be a momentous issue for CVE.

I do have a few questions, for Mitre and Brian:

1) Why was the board never notified directly by Mitre?  That letter is
from March 31.

2) Why has Mitre not responded to Congress yet?  The due date was
2017-04-13 at the latest.

3) When do you anticipate responding to Congress?

4) Has Mitre received anything like this before from any US government
agency?

5) Brian, can you provide the name of the CNA who brought this to your
attention, and the circumstances?


Regards,
Ken Williams


> From: [hidden email] [mailto:owner-cve-
> [hidden email]] On Behalf Of Coffin, Chris
> Sent: Thursday, May 11, 2017 11:52 AM
> To: jericho <[hidden email]>
> Cc: cve-editorial-board-list <[hidden email]>
> Subject: RE: On the topic of MITRE/Board transparency
>
> Brian,
>
> Congress sent an inquiry to both MITRE and DHS regarding CVE. This
> request is a matter of public record. We assume the responses from both
> MITRE and DHS will also be a matter of public record. MITRE has not yet
> transmitted its response to Congress. Once the response is transmitted,
> should Congress make it public, all members of the general public will
> be able to review it, including any member of the Board.
>
> More importantly, MITRE looks forward to working with our colleagues to
> sustain the tremendous progress the program has made over the past 15
> months: implementing a federated program structure including a new
> governance and operational model; building upon and improving the CNA
> rules and implementation of them; recruitment of new CNAs; improving
> CVE-in-a-Box artifacts; improving data exchange; expanding
> internationally; and continuing bimonthly collaborative sessions and
> working groups with our Board colleagues, the CNAs, and the greater CVE
> community.
>
> Thank you for your ongoing feedback and please keep providing it.
>
> Regards,
>
> The CVE Team

RE: On the topic of MITRE/Board transparency

Williams, Ken

Thanks, Tom. I appreciate the background info, and explanation about the nature of the inquiry. Most concerns are allayed now.

Regards,

kw


From: [hidden email] [mailto:[hidden email]] On Behalf Of Millar, Thomas
Sent: Thursday, May 11, 2017 4:14 PM
To: Scott Lawler <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: RE: On the topic of MITRE/Board transparency

This is the same committee we talked to last spring after DWF and CVE started making the news, and they are being diligent and following up to learn more about how we, and MITRE, manage the CVE program.

I believe MITRE's response has already been sent to the Committee. It is now the Committee's decision whether to release that to the public.

DHS is still preparing our response, which is quite comprehensive. To the due date for the responses - this is not a subpoena or an investigation, these are questions. Energy & Commerce Committee does not have oversight responsibilities for Homeland Security, so this is a respectful request for information about a program they deem important for the health of the economy.

Re: On the topic of MITRE/Board transparency

Landfield, Kent
In reply to this post by Millar, Thomas

Brian,

I was aware of the activities last year but was not aware at all of this set of inquiries. I agree the Board should have been alerted as we could have sent supporting letters describing the active state of the CVE program compared to the concerns of 14 months ago.

I agree with you Brian and really appreciate you bringing it to our attention.

Now that this is not a private matter, what can we do to assist? I expect we will be alerted to these situations in the future. CVE is too important for massive disruptions, especially while we are actually making real progress.

I hope the answers to the questions were complete and satisfactory from MITRE but since DHS has not responded, I would not be surprised if some committee chair wanted to see a few MITRE / Board members in person.

Thoughts?

--

Kent Landfield

817-637-8026

[hidden email]

From: <[hidden email]> on behalf of "Millar, Thomas" <[hidden email]>
Date: Thursday, May 11, 2017 at 4:13 PM
To: Scott Lawler <[hidden email]>, cve-editorial-board-list <[hidden email]>
Subject: RE: On the topic of MITRE/Board transparency

 

This is the same committee we talked to last spring after DWF and CVE started making the news, and they are being diligent and following up to learn more about how we, and MITRE, manage the CVE program.

 

I believe MITRE's response has already been sent to the Committee. It is now the Committee's decision whether to release that to the public.

 

DHS is still preparing our response, which is quite comprehensive. To the due date for the responses - this is not a subpoena or an investigation, these are questions. Energy & Commerce Committee does not have oversight responsibilities for Homeland Security, so this is a respectful request for information about a program they deem important for the health of the economy.

 

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Scott Lawler
Sent: 11 May, 2017 16:53
To: cve-editorial-board-list <[hidden email]>
Subject: Re: On the topic of MITRE/Board transparency

 

I share the concerns about more transparency being needed.  That's a pretty clear issue.

 

However, there's also another side of the coin to consider.   The Board is here to help MITRE respond to requests like this too.  

 

Personally, I'll commit some time to help craft the response to Congress if needed.   At a minimum, we can help edit a rough draft provided by MITRE.   Did MITRE already respond to this request or not?     

 

Just let us know what you need and we will help.    

 

Scott


From: [hidden email] <[hidden email]> on behalf of Williams, Ken <[hidden email]>
Sent: Thursday, May 11, 2017 4:42:36 PM
To: Coffin, Chris; jericho
Cc: cve-editorial-board-list
Subject: RE: On the topic of MITRE/Board transparency

 

Brian, thank you for bringing this to our attention. 
Chris, thanks for the reply.

As Brian emphasized, this is a very significant issue.  Considering the
prominence of other current Congressional and TLA investigations that
involve internet security, this appears to be a momentous issue for CVE.

I do have a few questions, for Mitre and Brian:

1) Why was the board never notified directly by Mitre?  That letter is
from March 31.

2) Why has Mitre not responded to Congress yet?  The due date was
2017-04-13 at the latest.

3) When do you anticipate responding to Congress?

4) Has Mitre received anything like this before from any US government
agency?

5) Brian, can you provide the name of the CNA who brought this to your
attention, and the circumstances?


Regards,
Ken Williams


> From: [hidden email] [mailto:owner-cve-
> [hidden email]] On Behalf Of Coffin, Chris
> Sent: Thursday, May 11, 2017 11:52 AM
> To: jericho <[hidden email]>
> Cc: cve-editorial-board-list <[hidden email]>
> Subject: RE: On the topic of MITRE/Board transparency
>
> Brian,
>
> Congress sent an inquiry to both MITRE and DHS regarding CVE. This
> request is a matter of public record. We assume the responses from both
> MITRE and DHS will also be a matter of public record. MITRE has not yet
> transmitted its response to Congress. Once the response is transmitted,
> should Congress make it public, all members of the general public will
> be able to review it, including any member of the Board.
>
> More importantly, MITRE looks forward to working with our colleagues to
> sustain the tremendous progress the program has made over the past 15
> months: implementing a federated program structure including a new
> governance and operational model; building upon and improving the CNA
> rules and implementation of them; recruitment of new CNAs; improving
> CVE-in-a-Box artifacts; improving data exchange; expanding
> internationally; and continuing bimonthly collaborative sessions and
> working groups with our Board colleagues, the CNAs, and the greater CVE
> community.
>
> Thank you for your ongoing feedback and please keep providing it.
>
> Regards,
>
> The CVE Team
>
> -----Original Message-----
> From: [hidden email] [mailto:owner-cve-
> [hidden email]] On Behalf Of jericho
> Sent: Thursday, May 11, 2017 1:55 AM
> To: cve-editorial-board-list <[hidden email]>
> Subject: On the topic of MITRE/Board transparency
> Importance: High
>
> MITRE,
>
> [..]


RE: On the topic of MITRE/Board transparency

Williams, Ken

I consulted with a DC old timer for insight into the letter, and his response was consistent with Tom’s. As Tom mentioned, it is important to note that it is “not a subpoena or an investigation” and is basically just a “respectful request for information about a program they deem important for the health of the economy”. Also, as Tom mentioned, E&CC does not have oversight responsibilities for DHS.

The details of the inquiry, and the timing, are still interesting. Responses by Mitre and DHS to Congress are very important, and more transparency for the CVE Board would be great. Just ask some of those bank boards how they felt about the incredible lack of transparency from management during the subprime mortgage crisis. They discovered that they were basically ornamental and non-functional, and not privy to some critical management decisions.

While the CVE Board has always had an important role in the CVE Program, we do need to remember that we are not the primary manager or sponsor of CVE. Consequently, we do not have an absolute right to know about every action of the manager or sponsor. There are limits to our roles and responsibilities. In this case, I do wish we had been notified by Mitre instead of learning about it from a 3rd party. Remember though that it’s just a routine inquiry, and not a red flag signaling the imminent demise of CVE/funding.

Regards,

kw


From: [hidden email] [mailto:[hidden email]] On Behalf Of Landfield, Kent
Sent: Thursday, May 11, 2017 4:36 PM
To: Millar, Thomas <[hidden email]>; Scott Lawler <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: On the topic of MITRE/Board transparency

Brian,

I was aware of the activities last year but was not aware at all of this set of inquiries. I agree the Board should have been alerted as we could have sent supporting letters describing the active state of the CVE program compared to the concerns of 14 months ago.

I agree with you Brian and really appreciate you bringing it to our attention.

Now that this is not a private matter, what can we do to assist? I expect we will be alerted to these situations in the future. CVE is too important for massive disruptions, especially while we are actually making real progress.

I hope the answers to the questions were complete and satisfactory from MITRE but since DHS has not responded, I would not be surprised if some committee chair wanted to see a few MITRE / Board members in person.

Thoughts?

--

Kent Landfield

817-637-8026

[hidden email]


From: <[hidden email]> on behalf of "Millar, Thomas" <[hidden email]>
Date: Thursday, May 11, 2017 at 4:13 PM
To: Scott Lawler <[hidden email]>, cve-editorial-board-list <[hidden email]>
Subject: RE: On the topic of MITRE/Board transparency

This is the same committee we talked to last spring after DWF and CVE started making the news, and they are being diligent and following up to learn more about how we, and MITRE, manage the CVE program.

I believe MITRE's response has already been sent to the Committee. It is now the Committee's decision whether to release that to the public.

DHS is still preparing our response, which is quite comprehensive. To the due date for the responses - this is not a subpoena or an investigation, these are questions. Energy & Commerce Committee does not have oversight responsibilities for Homeland Security, so this is a respectful request for information about a program they deem important for the health of the economy.


From: [hidden email] [[hidden email]] On Behalf Of Scott Lawler
Sent: 11 May, 2017 16:53
To: cve-editorial-board-list <[hidden email]>
Subject: Re: On the topic of MITRE/Board transparency

I share the concerns about more transparency being needed. That's a pretty clear issue.

However, there's also another side of the coin to consider. The Board is here to help MITRE respond to requests like this too.

Personally, I'll commit some time to help craft the response to Congress if needed. At a minimum, we can help edit a rough draft provided by MITRE. Did MITRE already respond to this request or not?

Just let us know what you need and we will help.

Scott


From: [hidden email] <[hidden email]> on behalf of Williams, Ken <[hidden email]>
Sent: Thursday, May 11, 2017 4:42:36 PM
To: Coffin, Chris; jericho
Cc: cve-editorial-board-list
Subject: RE: On the topic of MITRE/Board transparency

Brian, thank you for bringing this to our attention.
Chris, thanks for the reply.

As Brian emphasized, this is a very significant issue.  Considering the
prominence of other current Congressional and TLA investigations that
involve internet security, this appears to be a momentous issue for CVE.

I do have a few questions, for Mitre and Brian:

1) Why was the board never notified directly by Mitre?  That letter is
from March 31.

2) Why has Mitre not responded to Congress yet?  The due date was
2017-04-13 at the latest.

3) When do you anticipate responding to Congress?

4) Has Mitre received anything like this before from any US government
agency?

5) Brian, can you provide the name of the CNA who brought this to your
attention, and the circumstances?


Regards,
Ken Williams


> From: [hidden email] [mailto:owner-cve-
> [hidden email]] On Behalf Of Coffin, Chris
> Sent: Thursday, May 11, 2017 11:52 AM
> To: jericho <[hidden email]>
> Cc: cve-editorial-board-list <[hidden email]>
> Subject: RE: On the topic of MITRE/Board transparency
>
> Brian,
>
> Congress sent an inquiry to both MITRE and DHS regarding CVE. This
> request is a matter of public record. We assume the responses from both
> MITRE and DHS will also be a matter of public record. MITRE has not yet
> transmitted its response to Congress. Once the response is transmitted,
> should Congress make it public, all members of the general public will
> be able to review it, including any member of the Board.
>
> More importantly, MITRE looks forward to working with our colleagues to
> sustain the tremendous progress the program has made over the past 15
> months: implementing a federated program structure including a new
> governance and operational model; building upon and improving the CNA
> rules and implementation of them; recruitment of new CNAs; improving
> CVE-in-a-Box artifacts; improving data exchange; expanding
> internationally; and continuing bimonthly collaborative sessions and
> working groups with our Board colleagues, the CNAs, and the greater CVE
> community.
>
> Thank you for your ongoing feedback and please keep providing it.
>
> Regards,
>
> The CVE Team
>
> -----Original Message-----
> From: [hidden email] [mailto:owner-cve-
> [hidden email]] On Behalf Of jericho
> Sent: Thursday, May 11, 2017 1:55 AM
> To: cve-editorial-board-list <[hidden email]>
> Subject: On the topic of MITRE/Board transparency
> Importance: High
>
> MITRE,
>
> [..]


RE: On the topic of MITRE/Board transparency

jericho
In reply to this post by Coffin, Chris
On Thu, 11 May 2017, Coffin, Chris wrote:

: Congress sent an inquiry to both MITRE and DHS regarding CVE. This
: request is a matter of public record. We assume the responses from both

You know what they say about "assume", yes?

MITRE didn't bring the original "public record" to the list. A CNA found
it, and asked me questions about it, to which I had no answers. This is
how things work in 2017.

: MITRE and DHS will also be a matter of public record. MITRE has not yet
: transmitted its response to Congress. Once the response is transmitted,
: should Congress make it public, all members of the general public will
: be able to review it, including any member of the Board.

Yep, that doesn't work for me. See below.

: More importantly, MITRE looks forward to working with our colleagues to
: sustain the tremendous progress the program has made over the past 15

You look forward to working with us... when you didn't bring the letter to
the board? Even though Congress' letter is public, you still hide behind
this notion that your response, whenever you get around to it, may or may
not be public?

Please, re-read my subject line. In the interest of transparency, you post
your response to the list shortly after you send it to congress. No "if",
no "but", no equivocation.

: months: implementing a federated program structure including a new

Oh stop. "Federated program" only brings up a single thing in my mind;
when MITRE tried to circumvent the board and create some new standard that
made all of us collectively question you. We saw it via news articles, and
almost 24 hours later, the 'update' articles said it was shuttered after
industry questioning. This is so disrespectful to the board.

: governance and operational model; building upon and improving the CNA
: rules and implementation of them; recruitment of new CNAs; improving

The same rules I have called out repeatedly, on and off list. The current
CNA rules that MITRE continually violates. This isn't about you keeping
CNAs in line... for a month now, it has been about keeping MITRE in line
with following the CNA rules, specifically around abstraction.

This mail makes it clear I should stop mailing MITRE off-list. Every
single mail I send that points out MITRE breaking their own rules,
questioning assignments, questioning your policies... every single one
MUST be on list, for the public record. It's pretty clear to me that MITRE
is keen on ignoring all of that and putting on a pretty public face.

: CVE-in-a-Box artifacts; improving data exchange; expanding

It's curious you say "CVE-in-a-Box"!

I sent FOIA requests to DHS on that specific term in 2015. They replied a
few months ago saying "no records" available. So... you brought it up on
list. What does that term even mean? Why didn't you share that with the
board? Why didn't you share it with DHS, which I was under the impression
you did? If you DID bring it up with DHS in some capacity, why is DHS uh..
"withholding" that on a FOIA request? That is illegal of course... so your
answer is of particular interest to me. Since we're on board list, which
is public, I expect full disclosure here. Transparency and all, which is
the entire nature of this thread.

: internationally; and continuing bimonthly collaborative sessions and
: working groups with our Board colleagues, the CNAs, and the greater CVE
: community.

All the while, getting dissenting opinions from the board in varying
degrees, and completely ignoring some of those concerns.

: Thank you for your ongoing feedback and please keep providing it.

Oh, your pretty government-funded words are so expected. And I will. Just
not in the channels you expect me to. CVE, as run by MITRE, has become
such a complete disgrace to the industry. The lack of respect you show to
"stakeholders" is incredible.

.b

RE: On the topic of MITRE/Board transparency

jericho
In reply to this post by Williams, Ken
On Thu, 11 May 2017, Williams, Ken wrote:

Ken,

: 1) Why was the board never notified directly by Mitre?  That letter is
: from March 31.

And specifically, I told MITRE I expected this to be brought to the board
in off-list mail. They opted not to saying I could "forward the mail" for
"discussion", despite very explicitly asking MITRE for an official
statement... not discussion. I gave them weeks to do so, they did not.

: 5) Brian, can you provide the name of the CNA who brought this to your
: attention, and the circumstances?

Other than what I said, I cannot.

^ That is for you Ken. Everything below is additional thoughts in the
bigger picture, and primarily for MITRE.

--

I think I have made it pretty clear, and I know MITRE will not admit it...
but the amount of time I spend working with CNAs on assignments is
draining. For years now, I have essentially audited CVE and CNAs on their
assignments. Part of my daily responsibilities, along with others on list
that do the same, is to ensure "100% compliance with CVE". We're the first
tier "stakeholders", as we re-distribute to organizations that rely on
vulnerability intelligence. Compliance requirements demand that they keep
up with CVE, they pay real money to get real vuln intel from other
solutions. Some CNAs ask me directly about abstraction before they release
their advisories. Some engage with me extensively after the fact when I
point out a possible discrepancy. They are eager to figure out if the
assignment was incorrect (e.g. out of their purview, duplicate, abstraction
rules, etc.)

I have a good working relationship with many CNAs, and a good but weird
relationship with teams at the CNA parent company, that aren't involved in
the CNA process. While weird, it is beneficial to them, to me, and the
industry. After almost a decade of butting heads with oracle, Bruce and I
have had a long thread of mails about CVE, assignments, abstraction, and
more. Through this, I have learned that Bruce has been fighting uphill
battles within his organization that none of us knew about, but once he
won them? They were instantly noticeable. Within 24 hours of him effecting
policy change within his org, related to CVE, many of us noticed it. I
emailed him and pointed it out, thanked him for the change. That is when
he told me, in a vague fashion, how much work it took to effect that
change.

For the Board's information, because this has been going on for half a
year in offlist mails. While I have been questioning some of the new CNAs,
given their history of horrible disclosures, I keep reminding MITRE that I
work for a company that discloses more vulnerabilities than many CNAs.
Especially some of the newer ones. I keep telling them that while I
*personally* don't care about being a CNA, because MITRE has made it clear
that is a losing proposition, that if MITRE approaches my day job with
that idea that we would accept. In six+ months, they have onboarded half a
dozen new CNAs that collectively put out as many vulns a year as my day
job. MITRE has told me they contacted one person in my day job org, who
has nothing to do with security, disclosures, advisories, security
response, etc etc. I have told them exactly what email address to email to
make it happen, since the person that answers will have the ability say
"yes" and knows more about CNAs than some of the current MITRE employees.
Oh... this is the same company that had to wait 113 days for MITRE to
reply to an assignment request, and eventually said "we won't assign,
there might be a duplicate", without asking them for additional
information. The same party that points out duplicate CVE assignments
almost weekly.

So yeah... still waiting.

It's very difficult to believe that MITRE is operating in the industry's
best interest. Since the letter from Congress, MITRE has made some very
drastic changes in the CVE program. We get a lot more volume!! But we also
see a serious drop in quality, more duplicates, arbitrary decisions that
will technically boost their yearly count by 3,000+. (Oh what, didn't
consider how that decision would influence stats, they can push to
congress?)

The recent questions about standards in publishing around "undefined
behavior" is the tip of the iceberg. I haven't sent mails with dozens of
examples of MITRE blindly assigning for very clear-cut "self hack"
situations that have ZERO security impact. They don't take any analysis,
no ASAN, no fuzzing, nothing more than reading the description and
laughing at how absurd the exploit conditions are.

If you doubt me? Please hit "compose" in your email client, and send me an
email with 8000 characters, where every fifth character is replaced by the
word "chinchilla", and every tenth character is replaced by the word
"mitrelolololol".

If you feel that is a realistic 'exploit scenario', then I am clearly
wrong and we should keep seeing CVE IDs for these crap disclosures. It's
2017... I think I mentioned that? VDBs should be a lot more mature and
either not include it, or if they do, tech note the crap out of it so
"stakeholders" understand it really isn't an issue.

The last year is nothing but MITRE floundering, looking for stop-gap
measures to artificially inflate their numbers and put forth this crazy
idea that they really do care. Your effort is showing. How about you stop
trying so hard to hit the lever for a pellet, in the form of your next
yearly $3mil paycheck, and you work on improving the offering given your
more than abundant resources?

Like I told congress via back-channels a few weeks ago... others do almost
twice your volume, with much higher quality, for half your price. And they
are smart enough not to bid on the contract should it get yanked from
MITRE and re-classified from 'sole source / no-bid'.

.b

Re: On the topic of MITRE/Board transparency

jericho
In reply to this post by Scott Lawler
Scott,

On Thu, 11 May 2017, Scott Lawler wrote:

: I share the concerns about more transparency being needed.  That's a
: pretty clear issue.
:
: However, there's also another side of the coin to consider.  The Board
: is here to help MITRE respond to requests like this too.

: Personally, I'll commit some time to help craft the response to Congress
: if needed.  At a minimum, we can help edit a rough draft provided by
: MITRE.  Did MITRE already respond to this request or not?
:
: Just let us know what you need and we will help.

That requires MITRE be transparent to begin with. That isn't "another side
of the coin" really. If they are transparent, they bring it to the board, and
we do our 'advisory role' collectively. Your wording implies that the board
failed somehow, when we weren't given any of that information until I
brought it up, to the pain and headache of MITRE. I forced their hand,
after giving them almost three weeks to bring it up despite my "two day"
deadline. If that isn't a real picture into how MITRE operates, and how
they see the value of the board, I'm not sure what is.

.b

RE: On the topic of MITRE/Board transparency

jericho
In reply to this post by Millar, Thomas
On Thu, 11 May 2017, Millar, Thomas wrote:

: This is the same committee we talked to last spring after DWF and CVE
: started making the news, and they are being diligent and following up to
: learn more about how we, and MITRE, manage the CVE program.
:
: I believe MITRE's response has already been sent to the Committee. It is
: now the Committee's decision whether to release that to the public.
:
: DHS is still preparing our response, which is quite comprehensive. To
: the due date for the responses - this is not a subpoena or an
: investigation, these are questions. Energy & Commerce Committee does not
: have oversight responsibilities for Homeland Security, so this is a
: respectful request for information about a program they deem important
: for the health of the economy.

Wait...

So MITRE / DHS talked to the same committee "last spring" after the DWF
thing, and you think that recent letter is them "following up"?

1. No, not even close.
2. Not up to the committee to release it. MITRE can if they want. I cannot
   stress how true and important this is for the industry. If they don't,
   they know that we have to FOIA it. And MITRE knows I will do just that
   if I have to. Why make me wait for 1.5 years, the current going rate
   for a FOIA request against DHS? If you weren't aware of that fact, you
   are now. So do the right thing... publish MITRE's response to the
   Congressional letter quickly. If you don't, I have to assume you are
   collectively hiding something.
3. Didn't say or suggest it was a subpoena or investigation. Curious you
   are proactively being defensive with those terms. But hey.. in this
   political climate? Hell yeah you should. =)
4. E&CC doesn't have oversight? Sure! But if you think trying to imply
   they don't have oversight in the current world of vulnerabilities,
   especially on the back of *today's news* is some vindication / excuse /
   whatever? Just no. Any government agency, committee, group, or workshop
   of janitors that takes interest in making CVE better? We should all
   listen and work with them. Or do you want more hospitals to fall victim
   to ransomware because they didn't patch a three-month-old
   vulnerability? And this is actually an incident that supports CVE! That
   vuln is in MITRE's database. When you are ready, we'll talk about the
   dozens of European companies popped via a SAP vulnerability that was
   disclosed in 2012, and only added to CVE after the news articles came
   out saying they were popped on a 2-3 year old vulnerability. Baby
   steps, I know, but this is how the real world is, outside of MITRE and
   CVE, which is basically academic.

Basically, all of you MITRE and DHS people need to quit being 'government'
and start being industry teammates. We're here to make the industry
better, help protect them, give them information they can use to actually
protect their systems. That certainly doesn't come in the form of MITRE
opening up a dozen OpenSSL IDs dating back to Sep 2016 last week. If you
think that is what this industry needs or deserves, you need to quietly
step down and get the hell out of the CVE world. That is *criminal* and a
clear example, I hope, of why the E&CC is asking questions, "oversight" or
not. In the civil world, that is what they call "negligence".

In my book? Ethical and caring people don't really need oversight. They
just need to ask the right questions in the right light.

.b