[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New CNA - Booz Allen Hamilton

On 2017-11-07 08:51, Beverly Finch wrote:

> Can we target suppliers like Infineon, Realtek, Sierra Wireless, 
> Dolby for instance?
> We've had vulns published for their products and all were not willing 
> to request CVE. In the case of Infineon, someone else (US-CERT?) 
> assigned the CVE.

My .02 after reading the thread.

I have no immediate problems adding BAH as a CNA.  They agree to follow 
CNA rules, fine.

They sure don't seem like a high-priority choice (no history of CVE).

Opportunity cost -- yes, there are probably more valuable CNA targets, 
for example, Beverly's list.

But if they asked to be a CNA and will follow CNA rules, no concerns.

(Dave) Rapid expansion vs. governance/structure -- I'm OK with the 
current balance.     

 - Art

Page Last Updated or Reviewed: November 08, 2017