@todb
Last active June 5, 2023 14:23
Describes an idea for CVE-CNA Slack workspace user management

Slack usage

We started the cve-cna workspace waaaay back in 2017 as a means to offer a more modern messaging system for the world's CNAs in this new-fangled federated world. Access to Slack has always been pretty open with very little human intervention. In these five and a half years, as you can imagine, we've collected a fair number of individual users; 389 at last count. This is great!

But, as you might also imagine, not everyone who is registered in the Slack workspace is, in fact, a current CNA representative. A job change is the usual reason why someone is in there who isn't a CNA. There is a small handful of CVE Board members and CVE working group members who are not CNAs, as well. Finally, there is the occasional interested person who has never been a CNA who has joined our little Slack community for their own inscrutable reasons.

Auditing membership

One way of ensuring that Slack is more-or-less "private for CNAs" is to regularly audit the membership list. Slack exposes the email address of everyone who has signed up to workspace administrators, so it should be nominally easy to implement a rule: "If you're on the cve-cna-list@mitre.org mailing list, you're allowed to remain on the Slack workspace."

As it happens, MITRE, acting as the CVE Secretariat, just went through an audit of that mailing list, making sure that everyone signed up on that list is a known contact for a current CNA. They removed a whole bunch of stale email addresses (again, usually because of job changes).

So, we're pretty confident that the mailing list is an accurate representation of who the active CNAs are today.

But Should We?

That brings me to my question. Should we make an effort to audit membership, and remove those accounts that are not on the CVE-CNA general mailing list? You can answer that question over on this form. The CNACWG will publish those poll results on Friday, June 23, 2023.

If you'd like to discuss this more, we've started a Slack channel on the workspace, #audit. Details like how often the audit happens, if we'll maintain an exception list, and any other administrative minutiae will be discussed there as well, if the will of the people is to implement member audits.

An imperfect solution

No matter what we do, with a free Slack workspace, it will be impossible to prevent a determined intruder from gaining access to the public channels. The most we can do is regularly audit the membership list against the CVE-CNA mailing list and remove those who aren't on the mailing list.
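The audit rule above ("if you're on the cve-cna-list@mitre.org mailing list, you stay"), plus the exception list mentioned in #audit, as an added example that is not part of the gist: it reconciles a Slack member export against the mailing-list roster and reports who should be removed, who is already deactivated, and who is on the list but not on Slack. The CSV column names are an assumption about Slack's member export, and all sample data is constructed.

```python
import csv
import io

# Constructed sample of a Slack member export. The column names
# (username, email, status) are an assumption about Slack's export format.
SLACK_EXPORT = """username,email,status
alice,Alice@Vendor.example,Member
bob,bob@oldjob.example,Deactivated
dave,dave@board.example,Admin
erin,erin@curious.example,Member
"""

# Constructed sample of the cve-cna-list@mitre.org roster, one address per line.
MAILING_LIST = """alice@vendor.example
frank@newcna.example
"""

# Constructed exception list: non-CNA accounts allowed to stay (e.g. Board members).
EXCEPTIONS = """# CVE Board
dave@board.example
"""


def normalize(addr):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return addr.strip().lower()


def load_addresses(text):
    """Parse a one-address-per-line roster; blank lines and '#' comments are skipped."""
    return {normalize(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def audit(slack_csv, mailing_list, exceptions):
    """Return the accounts to remove, those already deactivated, and list members absent from Slack."""
    roster = load_addresses(mailing_list)
    allowed = roster | load_addresses(exceptions)
    to_remove, already_gone, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(slack_csv)):
        email = normalize(row["email"])
        seen.add(email)
        if email in allowed:
            continue
        # Deactivated accounts need no action, but are worth listing so the report is complete.
        (already_gone if row["status"].strip().lower() == "deactivated" else to_remove).append(email)
    return {"remove": sorted(to_remove),
            "deactivated": sorted(already_gone),
            "missing": sorted(roster - seen)}


if __name__ == "__main__":
    for bucket, addrs in audit(SLACK_EXPORT, MAILING_LIST, EXCEPTIONS).items():
        print(bucket, addrs)
```

With real data, replace the three constructed strings with the Slack export and the two rosters read from files; the "missing" bucket is useful for inviting CNA contacts who never joined.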

No E2EE

Incidentally, you should never talk secrets in the #general channel or other public channels. You shouldn't really talk deep secrets on Slack at all, since it's not end-to-end encrypted, and Slack employees, contractors, and anyone who has infiltrated the workspace can see all your current and past messages. Private channels are usually secure enough for the kinds of light secrets that CNAs are likely to discuss.

Questions and discussion

Head over to #audit on Slack to ask questions, float ideas, offer alternatives, etc. Or message Tod Beardsley directly, if you like, since he's the owner of the space.
