CVE Board Meeting
25 January 2017, 2:00 p.m. EST
The CVE Board met via teleconference on 25 January 2017.
Board members in attendance were:
Harold Booth (NIST)
Kent Landfield (Intel)
Scott Lawler (LP3)
Pascal Meunier (CERIAS/Purdue University)
Art Manion (CERT-CC)
Kurt Seifried (Red Hat)
Taki Uchiyama (JP CERT)
William Cox (Black Duck)
Members of the MITRE CVE Team who attended the call are as follows:
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:25: Working Groups
Strategic Planning - Kent Landfield
Automation - Harold Booth
2:25 – 2:50: CNA Update
DWF – Kurt Seifried
General - Dan Adinolfi
2:50 – 3:00: Board Call Schedule - Dan Adinolfi
3:00 – 3:10: Voting results for William Cox's inclusion on the Board - Dan Adinolfi
3:10 – 3:20: 2016 Statistics - Chris Coffin
3:20 – 3:40: CVE Errors on the Internet - Dan Adinolfi
3:40 – 3:50: Documentation Development Process - Chris Coffin
3:50 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Chris Coffin
The meeting began with a discussion of the last meeting's action items:
CVE Strategic Planning Working Group Update
The recommendations made to the Board by the Strategic Planning Working Group have been accepted by the Board. The Working Group will continue working on the agenda described by the recommendations.
The Working Group will share some documentation with the Board, including a presentation that describes a CVE strategy document and some other discussion materials.
DWF has made some progress with operational issues, though it still has significant work to be done. Developing the new JSON format through the Automation Working Group continues.
Automation Working Group
The Automation Working Group continues to develop version 4 of the JSON format. The Working Group has the goal that, after the next meeting, there will be a final draft of the specification which can then be offered to the community as a whole for a 30-day comment period. After incorporating that feedback, the format will be codified and version 4.0 will be considered set.
The Automation Working Group’s next meeting was to be 30 January.
MITRE has been working with some of the CNAs to resolve some operational issues, mostly related to CVE ID submission formatting or content.
TIBCO is now a CNA. MITRE has begun the on-boarding process for Cybersecurity Malaysia, Qihoo 360, Synology, and KR-CERT.
A document tree describing the documentation needed to support the CNA program is under development. This was discussed later in the meeting.
Board Call Schedule
To accommodate the geographic spread of Board members, the schedule for CVE Board meetings will be adjusted. Board meetings will be scheduled in the early morning or late evening Eastern Time to allow easier participation from those in Asia and Europe. MITRE will propose a new schedule on the Board mailing list.
Voting Results for William Cox's Inclusion on the Board
William Cox of Black Duck Software has been formally added to the Board.
MITRE shared the following statistics with the Board.
CVE Errors on the Internet
Occasionally, a CVE ID will be incorrectly cited on the Internet outside of MITRE or CNA control. MITRE asked the Board how to deal with these events, specifically if any incorrectly cited CVE ID should be rejected. The Board suggested that MITRE follow a consistent policy for these issues, and that policy should not attempt to reconcile every single instance where someone may have mistakenly (or maliciously) cited a CVE ID. Instead, there should be a threshold for when MITRE should react. MITRE will develop this policy.
Documentation Development Process
MITRE has developed a plan for creating the documentation necessary for CNA operations. This documentation includes program descriptions, training, operation documents, and outreach materials. MITRE shared a draft documentation tree that described the documents and their relationships with the Board. The Board will review this documentation plan and offer feedback.
For each document, MITRE will share an outline with the appropriate group for their discussion over a week. Once a draft is ready for review, that review period will be two weeks, and MITRE will then have the final draft completed within two weeks of that. When the draft is finalized, it will be submitted to the Board for approval.
The Board will review general CVE documents themselves over the Board mailing list. Documents that directly affect CNA operations will be reviewed on the cve-cna-list mailing list. Documents that are related to automation will be reviewed on the Automation Working Group mailing list. MITRE will maintain the document masters and act as editor. These masters will be maintained in GitHub.
MITRE asked the Board whether MITRE should direct anyone requesting a CVE ID through the oss-security mailing list to the CVE Request web form. The Board stated that MITRE should follow a consistent process. They asked that any message to the mailing list describing the change be reviewed by the Board first. MITRE will draft that message and share it with the Board.
The next CVE Board meeting will be Wednesday, February 8, 2017.