CVE Board Meeting
11 January 2017, 2:00 p.m. EST
The CVE Board met via teleconference on 11 January 2017.
Board members in attendance were:
Andy Balinsky (Cisco)
Harold Booth (NIST)
Kent Landfield (Intel)
Scott Lawler (LP3)
Art Manion (CERT/CC)
Kurt Seifried (Red Hat)
Taki Uchiyama (JPCERT/CC)
Members of the MITRE CVE Team who attended the call are as follows:
2:00 – 2:05: Introductions, action items from the last meeting – Dan Adinolfi
2:05 – 2:10: CVE Strategic Planning Working Group Update – Kent Landfield
2:10 – 2:40: DWF Update – Kurt Seifried
- DWF and reserved CVE IDs - Jonathan Evans
2:40 – 2:50: Automation Working Group - Kurt Seifried and Harold Booth
2:50 – 3:00: CVE mailing list usage - Dan Adinolfi
3:00 – 3:20: Requirements for Test CVE ID data - Dan Adinolfi
3:20 – 3:30: CVE Contributor Public Recognition - Dan Adinolfi
3:30 – 3:40: Monthly CNA Report - Dan Adinolfi
3:40 – 3:45: Board Nomination for William Cox - Dan Adinolfi
3:45 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Dan Adinolfi
The action items from the previous Board meeting were:
CVE Strategic Planning Working Group Update
Coming out of their January 4, 2017, meeting, the Strategic Planning Working Group made the following recommendations.
Also, the WG suggested considering a new schedule for the Board meetings to accommodate the wider array of time zones and changing schedules of Board participants.
The WG also discussed the role of all working groups formed by the Board. Working groups are meant to advise the Board with specific suggestions and action items. Working groups should be considered an extension of the Board, and when a working group reports to the Board, the Board should comment immediately on the working groups’ findings. Those findings should be considered the findings of the Board, and, unless there is significant disagreement about them, they will be implemented on behalf of the Board.
DWF Update
DWF continues working with developers to identify and train new Sub CNAs under DWF. At this point, no Sub CNAs have been formally named.
Work on the DWF JSON schema is continuing, and that work will be done in coordination with the Automation Working Group. Other operational processes are still under development as well, including how to make the GitHub repository scale.
MITRE brought up the fact that currently DWF cannot accommodate CVE ID requests for embargoed vulnerabilities. DWF recognizes this as a requirement, and a solution will be developed.
Automation Working Group
The Automation Working Group (AWG) will be meeting 17 January 2017. An agenda will be posted before the meeting, and that agenda will include the JSON schema. MITRE requested that a version of the JSON schema be finalized to allow CNAs to develop against that schema without it being a moving target. A new version of the DWF schema will be presented as well.
CVE mailing list usage
As the CVE community grows, more communications channels are being created and more new members of the community are using those channels. Mailing list etiquette and list focus have occasionally been the source of confusion.
The Board discussed the use of each mailing list and wants the lists to have a professional tone and appropriate content shared on each. The goal is for the community to be comfortable with posting questions and making remarks on the lists and for the flow of information on the lists to be manageable.
Requirements for Test CVE ID Data
During the previous Board meeting, the idea of creating a set of CVE ID test data was proposed. MITRE solicited the Board for specific requirements and use cases for this data set. The Board discussed these, but then suggested that the development and testing of these data sets be done through the Automation Working Group.
CVE Contributor Public Recognition
MITRE asked the Board their opinion on the creation of a “Thank You” page for the CVE website that would recognize anyone who submitted a CVE ID description in the last month. This would create a small incentive for descriptions being written by the community. The Board felt that the likelihood of contributors “gaming the system” to have public recognition while adding minimal value to CVE was high. This idea will not be pursued.
Monthly CNA Report
MITRE asked the Board what kinds of information they would like to see in periodic reports on CNAs and the CVE program as a whole. The Board hoped to get indications as to the quality of the data being included in the CVE list, how many errors and duplicates are being handled, and which CNAs may require additional help or training.
Metrics that show the number of Board and Working Group meetings, the number of CNAs, and the number of CNA assignments would also be useful. Metrics that give an indication of the time taken to assign and publish CVE IDs may also be useful. All of these reports would be best delivered on a quarterly basis.
Board Nomination for William Cox
MITRE is formally nominating William Cox of Black Duck Software for the Board.
Open Discussion
MITRE has published a news article explaining why the ordinal portion of reserved CVE IDs is much higher than in previous years: http://cve.mitre.org/news/archives/2017/news.html#january122017_FOCUS_ON:_The_Significance_and_Meaning_of_the_Year_Portion_of_a_CVE_Identifier
The Blog post for December received only one response. MITRE would like to see some more feedback on the issue, and they asked the Board to spread the word about the post.
NVD mentioned that they will be launching a newly-designed website very soon.
The next Board Meeting will be held on January 25, 2017.