SLA concerns for DWG CNAs (and probably other CNAs)

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

SLA concerns for DWG CNAs (and probably other CNAs)

Kurt Seifried
So for existing CNA's under MITRE there aren't a lot of rules around timeliness and disclosure and related areas of operations. Some CNAs are timely, some are slow, some release info, some don't, etc. So first I want to make sure we cover the right areas with SLAs, step 2 will be determining what values to use. So if you think something is missing please let me know!

My main concerns around SLAs are:

1) timely responses to requests
2) correctness of CVEs assigned (SPLIT/MERGE, is it a vuln, covered, etc.)
3) use of CVEs and release of information privately (e.g. for embargoed issues)
4) use of CVEs and release of information for restricted publishing (e.g. for coordinated handling/restricted use) - not a priority for me but something I want to at least consider
5) use of CVEs and release of information for public publishing (e.g. for after the embargo lifts, or or issues that are not embargoed at all)
6) pushing data back to your parent CNA and ultimately to the DWF once the entry is assigned (marked as RESERVED) and once it goes public (PUBLIC) and if it changes (e.g. REJECT/REPLACED_BY, whatever). 

The timelines will be a spectrum as will the information disclosed/released (e.g. for embargo vs public release), I don't know what the answers/SLAs are yet but first I want to make sure we cover what the problem space is.

One note: I had considered an SLA around CNA activity, e.g. "you must assign X CVE's per month/year or lose CNA status" but I think that is not a good metric, and could result in messy gaming of the system.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: SLA concerns for DWG CNAs (and probably other CNAs)

Manley, Meghan E.

Kurt,

 

We agree that we need to continue to build out the guidance for the CNAs.  The CNA Rules document we discussed at the meeting yesterday is only a starting point. 

 

We think a QA document is needed as part of the overall guidance (in line with Brian’s suggestion), and we agree Service Level Agreements (SLAs) should be a part of that. As we work on that guidance, we would like to use your suggestions as a starting point for the conversation around SLAs.

Thank you very much for sharing your thoughts on this.

-Dan Adinolfi

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Friday, August 26, 2016 10:37 AM
To: cve-editorial-board-list <[hidden email]>
Subject: SLA concerns for DWG CNAs (and probably other CNAs)

 

So for existing CNA's under MITRE there aren't a lot of rules around timeliness and disclosure and related areas of operations. Some CNAs are timely, some are slow, some release info, some don't, etc. So first I want to make sure we cover the right areas with SLAs, step 2 will be determining what values to use. So if you think something is missing please let me know!

 

My main concerns around SLAs are:

 

1) timely responses to requests

2) correctness of CVEs assigned (SPLIT/MERGE, is it a vuln, covered, etc.)

3) use of CVEs and release of information privately (e.g. for embargoed issues)

4) use of CVEs and release of information for restricted publishing (e.g. for coordinated handling/restricted use) - not a priority for me but something I want to at least consider

5) use of CVEs and release of information for public publishing (e.g. for after the embargo lifts, or or issues that are not embargoed at all)

6) pushing data back to your parent CNA and ultimately to the DWF once the entry is assigned (marked as RESERVED) and once it goes public (PUBLIC) and if it changes (e.g. REJECT/REPLACED_BY, whatever). 

 

The timelines will be a spectrum as will the information disclosed/released (e.g. for embargo vs public release), I don't know what the answers/SLAs are yet but first I want to make sure we cover what the problem space is.

 

One note: I had considered an SLA around CNA activity, e.g. "you must assign X CVE's per month/year or lose CNA status" but I think that is not a good metric, and could result in messy gaming of the system.

 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 
[hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: SLA concerns for DWG CNAs (and probably other CNAs)

Kurt Seifried


On Fri, Aug 26, 2016 at 12:39 PM, Manley, Meghan E. <[hidden email]> wrote:

Kurt,

 

We agree that we need to continue to build out the guidance for the CNAs.  The CNA Rules document we discussed at the meeting yesterday is only a starting point. 

 

We think a QA document is needed as part of the overall guidance (in line with Brian’s suggestion), and we agree Service Level Agreements (SLAs) should be a part of that. As we work on that guidance, we would like to use your suggestions as a starting point for the conversation around SLAs.

Thank you very much for sharing your thoughts on this.


I suspect the DWF (due to OpenSource) can/will have slightly different SLAs than the rest (especially closed source), ditto for industries with legal requirements for reporting/etc. But yeah overall guidelines and what to look out for are a good start. 
 

-Dan Adinolfi

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Friday, August 26, 2016 10:37 AM
To: cve-editorial-board-list <[hidden email]>
Subject: SLA concerns for DWG CNAs (and probably other CNAs)

 

So for existing CNA's under MITRE there aren't a lot of rules around timeliness and disclosure and related areas of operations. Some CNAs are timely, some are slow, some release info, some don't, etc. So first I want to make sure we cover the right areas with SLAs, step 2 will be determining what values to use. So if you think something is missing please let me know!

 

My main concerns around SLAs are:

 

1) timely responses to requests

2) correctness of CVEs assigned (SPLIT/MERGE, is it a vuln, covered, etc.)

3) use of CVEs and release of information privately (e.g. for embargoed issues)

4) use of CVEs and release of information for restricted publishing (e.g. for coordinated handling/restricted use) - not a priority for me but something I want to at least consider

5) use of CVEs and release of information for public publishing (e.g. for after the embargo lifts, or or issues that are not embargoed at all)

6) pushing data back to your parent CNA and ultimately to the DWF once the entry is assigned (marked as RESERVED) and once it goes public (PUBLIC) and if it changes (e.g. REJECT/REPLACED_BY, whatever). 

 

The timelines will be a spectrum as will the information disclosed/released (e.g. for embargo vs public release), I don't know what the answers/SLAs are yet but first I want to make sure we cover what the problem space is.

 

One note: I had considered an SLA around CNA activity, e.g. "you must assign X CVE's per month/year or lose CNA status" but I think that is not a good metric, and could result in messy gaming of the system.

 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 
[hidden email]




--

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]