Question about dual source vendors

Question about dual source vendors

Kurt Seifried
So increasingly we have "dual source" vendors, that is vendors with everything from fully OSI Open Source to completely closed source. Basically any large commercial vendor already (Microsoft, Oracle, etc.) and a growing number of others (witness the proliferation of GitHub projects). 

I am talking to one that is not a CNA, and they want to do CVEs for both their Open Source, and their closed source. But there is no easy way to do this currently other than ask [hidden email] directly (and it seems after they read the https://cve.mitre.org/cve/data_sources_product_coverage.html document they were under the impression [hidden email] could NOT do it). 

I would like to propose that for vendors where Open Source is a major part of what they ship, or the core of their commercial product, the DWF be able to take them under its wing, as it were.

One hypothetical example that fits into this model would be a company like Ansible (let's ignore the fact that Red Hat acquired it and as such Ansible falls under the Red Hat CNA). Ansible currently has "ansible", which is the Open Source core, and Ansible Tower, which is currently a closed source management/dashboard. I think in a case like this it makes sense to have a company like Ansible be a CNA under the DWF for both the Open Source parts and the closed source parts.

Thoughts/comments?

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: Question about dual source vendors

Adinolfi, Daniel R
Thinking through the issue:

Ideally, the vendor would themselves be a CNA, covering their products regardless of the type of licensing model.

Not every company can be or wants to be a CNA, of course, so how do we handle those?

If there is another sector-based CNA (e.g., Healthcare systems) or a regional CNA (e.g., JPCERT), the company could work directly with those CNAs, who will facilitate the CVE assignment and disclosure regardless.

If neither of these situations fits, it will depend on how DWF manages their assignees. MITRE as a CNA has the advantage of being a trusted third party for vulnerability disclosure. When closed-source software is involved, that trust can be important. If DWF creates that same level of trust with closed-source vendors, they could also fulfill that role. But this leads to some tricky scoping issues, and it could create situations similar to "CNA shopping" or introduce other coordination issues.

How do other folks feel about these scoping issues?

Thanks.

-Dan



From: [hidden email] <[hidden email]> on behalf of Kurt Seifried <[hidden email]>
Sent: Thursday, June 16, 2016 7:13:58 PM
To: cve-editorial-board-list
Subject: Question about dual source vendors
 

Re: Question about dual source vendors

Kurt Seifried


On Thu, Jun 16, 2016 at 6:25 PM, Adinolfi, Daniel R <[hidden email]> wrote:
> Thinking through the issue:
>
> Ideally, the vendor would themselves be a CNA, covering their products regardless of the type of licensing model.

That is my long-term goal for anyone and everyone, basically, but I think a graduated CVE response will help ease people in. As I see it for DWF:

1) You ask the DWF for CVEs and use them internally/with partners/etc, and put them in your commits/changelogs/advisories at a minimum (at least one public artifact), and ideally into security advisories (with details like CWE/etc.), and ideally you report them back to the DWF. Basically what [hidden email] does (we don't chase people down at all, just assign and mark as used in our pool with some basic info). 
 
2) You start asking the DWF for CVEs in a structured manner that encourages and shows you've gotten the hang of "what is a security vuln" and "SPLIT/MERGE", at this point you are definitely using the CVEs publicly, and informing the DWF as they go public.

3) You graduate to CNA status and get a block and commit to the DWF in an automated fashion (in other words no more human resources from the DWF side are needed unless there is a problem). 

Some people/projects may never "Graduate" past step one and that's fine (it's better than no CVEs!). 


> Not every company can be or wants to be a CNA, of course, so how do we handle those?

See above.
 

> If there is another sector-based CNA (e.g., Healthcare systems) or a regional CNA (e.g., JPCERT), the company could work directly with those CNAs, who will facilitate the CVE assignment and disclosure regardless.


If another federated CNA hierarchy wants to take the vendor (or the vendor is more suited to them) and train them and make sure they do CVE properly I'm all for that (less work for me, and the community gets their CVEs!). 
 
> If neither of these situations fits, it will depend on how DWF manages their assignees. MITRE as a CNA has the advantage of being a trusted third party for vulnerability disclosure. When closed-source software is involved, that trust can be important. If DWF creates that same level of trust with closed-source vendors, they could also fulfill that role. But this leads to some tricky scoping issues, and it could create situations similar to "CNA shopping" or introduce other coordination issues.

One thing I do sometimes ask is "have you already asked for a CVE from MITRE/anyone else?" depending on the request (some you can tell probably have, because they say "we've had trouble getting a CVE, can you give us one?").
 

> How do other folks feel about these scoping issues?

Ideally the vendor is responsive enough that reporters don't go CVE shopping, and if they do they tell the vendor (who tells me) so we don't end up with dupes. I suspect cutting down the assignment time will largely solve this.
 


Re: Question about dual source vendors

Andy Balinsky (balinsky)
In reply to this post by Adinolfi, Daniel R
Regarding "CNA shopping": is this a problem, as long as only 1 CVE gets issued?
Andy

Re: Question about dual source vendors

Kurt Seifried
There have been occasions in the past where people went to MITRE, then CERT, then Red Hat. Granted, it's rare, but with the backlog and public perception (e.g. the coverage document that seems to have made some vendors think they can't get CVEs at all) there is potential for messes, which I'd like to avoid (ounce of prevention and all that). I suspect once we all get faster at CVEs and train people to make better requests a lot of our problems will stop.

On Fri, Jun 17, 2016 at 9:32 AM, Andy Balinsky (balinsky) <[hidden email]> wrote:
> Regarding "CNA shopping": is this a problem, as long as only 1 CVE gets issued?
> Andy


Re: Question about dual source vendors

Pascal Meunier
In reply to this post by Andy Balinsky (balinsky)
I very much like the idea of someone being able to get an identifier from an alternate CNA, when the CNA nominally responsible for an area is dysfunctional or unwilling to perform, say due to a conflict of interest like refusing to admit that an issue is a real concern or trying to delay disclosure. These conflicts of interest are quite possible when the CNA is also the vendor, which seems to be the model going forward. There should ideally be alternate, secondary or "backup" CVE issuers for all domains.

Pascal

On 06/17/2016 11:32 AM, Andy Balinsky (balinsky) wrote:

> Regarding "CNA shopping": is this a problem, as long as only 1 CVE gets issued?
> Andy

Re: Question about dual source vendors

Kurt Seifried

On Fri, Jun 17, 2016 at 10:18 AM, Pascal Meunier <[hidden email]> wrote:
> I very much like the idea of someone being able to get an identifier from an alternate CNA, when the CNA nominally responsible for an area is dysfunctional or unwilling to perform, say due to a conflict of interest like refusing to admit that an issue is a real concern or trying to delay disclosure. These conflicts of interest are quite possible when the CNA is also the vendor, which seems to be the model going forward. There should ideally be alternate, secondary or "backup" CVE issuers for all domains.

My understanding is that the "root" CNA of a federation (e.g. Open Source -> DWF) should be the CVE issuer of last resort, with a final backstop of MITRE as the "ultimate-root". So if a researcher can't get satisfaction from the CNA or the DWF, they can go to MITRE as the final option. One second-order effect is that vendors may become more cooperative, since researchers/reporters will now have a better course of action to take. This is one of the reasons I added the TIMELINE data to the DWF data: I want to start holding vendors more accountable and allow the public to have more data on which to base security-related decisions.
 


Re: Question about dual source vendors

Landfield, Kent B
In reply to this post by Pascal Meunier
Seems this conversation is morphing from simple clarification to something broader. Let me see if I can dissect this…

Kurt asked:
> I would like to propose that for vendors where Open Source is a major part of what they ship, or the core of their commercial product, the DWF be able to take them under its wing, as it were.

This is a swim lane discussion. Personally, this should be something decided by the parent CNA. In this case, that is MITRE. I would have no problem with the proposal as stated. When there are more Root CNAs than just DWF, I believe we should let the "chain of administration" established by the hierarchy make the decision.

Dan wrote:
> If neither of these situations fit, it will depend on how DWF manages their assignees. MITRE as a CNA has the advantage of being a trusted third party for vulnerability disclosure. When closed-source software is involved, that trust can be important. If DWF creates that same level of trust with closed-source vendors, they could also fulfill that role. But this leads to some tricky scoping issues, and it could create situations similar to "CNA shopping" or introduce other coordination issues.

I am sorry, but I have heard this trust argument before and have never believed it when it came to MITRE. I do believe it when it comes to a Vulnerability Coordinator such as US-CERT. Coordination requires much more active hands-on work with highly sensitive information, working closely with vendors and researchers to address issues and assure a coordinated release. MITRE touches some sensitive information, but trust is not why people come to MITRE for a CVE. Just not.

You do bring up a great topic, CNA shopping. Pascal's comments are exactly how I feel as well. Requesters should go to an identifiable CNA as a normal course of action. I don't believe we should completely lock someone in to only one CNA. In a hierarchy, the requester should be able to walk the tree to circumvent a CNA that is refusing to work with the requester. The requester should indicate to the secondary CNA the reason they are making the request to a CNA other than their primary. That is valuable information about the CNA's acceptance behavior and activities.

---
Kent Landfield
+1.817.637.8026


Re: Question about dual source vendors

Pascal Meunier
In reply to this post by Kurt Seifried
Wonderful, thank you.

Pascal
