CVE Board Meeting Minutes - 22 February 2017

CVE Board Meeting

22 February 2017, 2:00 p.m. EST

The CVE Board met via teleconference on 22 February 2017.

Board members in attendance were:

Andy Balinsky

Harold Booth (NIST)

Art Manion (CERT-CC)

Pascal Meunier

Kurt Seifried (Red Hat)

William Cox (Black Duck)

Dave Waltermire (NIST)

Ken Williams (CA Tech)

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Jon Baker

Chris Coffin

Jonathan Evans

Anthony Singleton

George Theall

Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning

                        Issues

                        Actions

                        Board Decisions

            Automation - Harold Booth

                        Issues

                        Actions

                        Board Decisions

2:25 – 2:50: CNA Update

            DWF – Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

            General - Dan Adinolfi

                        Issues

                        Actions

                        Board Decisions

2:50 – 3:00: Documentation update (Researcher Reservation Guidelines, CVE Vision) - Chris Coffin

3:00 – 3:10: RSA Conference Debrief - Dan Adinolfi

3:10 – 3:30: Coverage of services - Jonathan Evans

3:30 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

Meeting Began with review of previous action items

Introductions, action items from the last meeting – Chris Coffin

• MITRE will be sending out the notification to the oss-security mailing list directing any CVE requests through the CVE Request web form.
• The Automation Working Group is continuing work on the JSON format and were asked to try to produce a final draft ASAP.
• Descriptions of the CNA documentation that MITRE is developing is still being written. These documents are being seeded in GitHub for collaborative development.
• MITRE is developing documentation on to aid in training new CNAs and will share that with the DWF.
• The Board was to be updated on the status of VRDX and CVRF efforts. This will be done in an upcoming meeting or via email.

Working Groups

• Strategic Planning - Kent Landfield
  • Updates
    • There were no updates from the Strategic Planning Working Group.
  • Actions
    • There were no actions for the Strategic Planning Working Group discussed.
  • Board Decisions
    • There was no additional Board Discussion.
• Automation – Kurt Seifried
  • Updates
    • Some additional changes will be made to the JSON format.
    • The details of how to format date and time will be figured out.
    • There was discussion on how to represent versioning and multiple products.
    • There was discussion about how to integrate XML and other formats within the JSON format.
    • There was discussion on how to develop the syntax for CVSS descriptions.
  • Actions
    • Additional updates to JSON format will happen.
    • Use cases will be documented and published.
  • Board Discussion
    • There was no additional Board discussion.

CNA Update

• DWF – Kurt Seifried
  • Issues
    • Working on minting data
  • Actions
    • There are 16 individuals who have signed up for the mentoring program. They will be on-boarded as soon as possible.
  • Board Decisions
    • There was no additional Board discussion.
• General - Dan Adinolfi
  • Issues
    • Since the last Board meeting, we spoke with Qualcomm about becoming a CNA.
    • Some other candidates are in the queue.
  • Actions
    • MITRE will continue to reach out to those who express interest in becoming a CNA.
  • Board Decisions
    • There was no additional Board discussion.

Documentation update (Researcher Reservation Guidelines, CVE Vision)

MITRE is fleshing out the documentation plan that had been presented to the Board. Development of those documents will be done on GitHub. Among other documents, a revision of the CVE reservation guidelines for non-CNAs will be included.

RSA Conference Debrief - Dan Adinolfi

CVE had some representation at the RSA Conference 2017. Dan Adinolfi presented to the pre-conference CERT Vendor Meeting, describing the CNA program and CVE federation. Kent Landfield and Kurt Seifried presented two sessions relating to the DWF process. Dan also conducted a large amount of outreach with vendors at the RSA Expo with the hope of drumming up more interest and participation in the CNA program. Dan also had some discussions with Apple and Synopsis among other existing CNAs.

Coverage of services

Continuing the discussion regarding including hosted service vulnerabilities in CVE, MITRE asked the Board if it could offer some use cases to help understand the requirements. Kurt Seifried is working with the Cloud Security Alliance on tracking these kinds of issues, and he will share their development with the Board. The discussion will continue on the mailing list, and the Board will create those use cases.

Open discussion – CVE Board

The Board discussed the implications of CVE IDs remaining in a “reserved” state indefinitely. This may happen for numerous reasons, one being organizations using CVE IDs for internal issue tracking even when many of those issues will never be public or may be public. The Board asked MITRE to consider the addition of a field that will indicate what CNA is responsible for a reserved CVE ID, which may help mitigate confusion caused by CVE IDs that are reserved but unpopulated.

Action items, wrap-up – Chris Coffin

• A poll will be created to schedule the Automation Working Group meeting for around March 6.
• Descriptions for each proposed CNA document will be developed to help the Board understand the intended content of each document. The CNA documentation will be developed in GitHub.
• DWF and MITRE will discuss how best to offer guidance on “what a vulnerability is”.
• MITRE will summarize RSA Conference experiences for the CVE board.
• Some Board members will create use cases for including hosted services in CVE. Art Manion will be starting a thread regarding the inclusion of hosted services in CVE via Board email list.