
CVE Board Meeting Minutes - 28 June 2017

CVE Board Meeting

28 June 2017, 2:00 p.m. ET

The CVE Board met via teleconference on 28 June 2017.

Board members in attendance were:

Harold Booth (NIST)
Art Manion (CERT/CC)
Kent Landfield (McAfee)
Kurt Seifried (Red Hat/DWF)
William Cox (Black Duck)
Dave Waltermire (NIST)
Taki Uchiyama (JPCERT/CC)
Ken Williams (CA Technologies)

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi
Chris Coffin
Jonathan Evans
Anthony Singleton
George Theall
Alex Tweed


Agenda

CVE Board Meeting 28 June 2017

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:25: Working Groups
    Strategic Planning - Chris Coffin/Daniel Adinolfi
        Issues
        Actions
        Board Decisions
    Automation - Harold Booth/Kurt Seifried
        Issues
        Actions
        Board Decisions
2:25 – 2:50: CNA Update
    DWF – Kurt Seifried
        Issues
        Actions
        Board Decisions
    General - Dan Adinolfi
        Issues
        Actions
        Board Decisions
2:50 – 3:20: CNA Rules Revision Process Overview - Dan Adinolfi
    Goal: Describe how the Board and CNAs will review the CNA Rules and begin that process. See Rules Process below.
    Actions: 1) Decide on a specific schedule for weekly review. 2) Board should add any additional Rules update suggestions to the list before COB 6/30.
3:20 – 3:30: Researcher Reservation Guidelines Document Review Kick-off
    Goal: Review and update the Researcher Reservation Guidelines
    Actions: 1) Board will be sent the current draft. They will have two weeks to comment. 2) MITRE will have a week after that comment period to incorporate the comments and share the updated version for final approval.
3:30 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Dan Adinolfi

Introductions and review of previous action items

  • RSS feed of new CVE IDs has been created and is publicly available. We are still debating if we should include updates as well as new entries. We may also look at ROLIE.
  • We have published a news item discussing the fact that CVE IDs that are marked as REJECT may change state depending on the circumstances of the individual entry.
Working Groups

  • Strategic Planning – Kent Landfield
    • Issues
      • Working Group met on 26 June 1-2PM.
      • This past week’s meeting resulted in an initial agenda for the WG over the next few months.
    • Actions
      • The WG will review the short-term WG agenda and send feedback.
    • Board Decisions
      • There was no additional Board Discussion.
  • Automation – Kurt Seifried
    • Issues
      • The WG had a meeting 26 June 2017, and some notes from the meeting were posted to the Automation WG mailing list.
      • The group discussed the further development of a test suite of CVE IDs. These test CVE IDs would have their own state to help differentiate them from “real” CVE IDs.
      • Fields have been well-defined in the JSON schema, but the constraints around the data still need additional development.
    • Actions
      • The WG will flesh out a plan for test IDs and will share this with the Board.
    • Board Decisions
      • There was no Board Discussion.

CNA Update

  • DWF – Kurt Seifried
    • Issues
      • Apple assigned CVE IDs for SQLite. It isn’t clear which versions are affected or if the vulnerabilities are in Apple-specific code based on the information that Apple provided. The community needs more information, and MITRE should investigate. What versions of SQLite are affected?
      • Should a document be developed to more explicitly describe the states of CVE ID entries, the process followed for getting CVE IDs, etc.?
      • The Board discussed the recent issue with PaX.
    • Actions
      • CVE will reach out to Apple to discuss the SQLite issue and how best to handle multiparty assignment going forward.
    • Board Decisions
      • There was no additional Board Discussion.
  • General - Dan Adinolfi
    • Issues
      • The Board discussed the rules affecting Root CNAs.
      • The Board discussed an issue related to CNAs choosing to assign only for “critical” issues.
      • Netflix has been added as a CNA.
      • The list of potential CNAs was reviewed.
      • The Trusted Introducer group within the EU will be coming on as a Root CNA for the EU CERTs. Discussions with the TI group are ongoing.
      • CVE has not heard back from HP yet regarding an issue related to not assigning CVE IDs to issues they consider “internal” despite those issues being made public by a third party.
    • Actions
      • CVE will continue to reach out to HP.
      • New CNAs will be coming on-board soon.
    • Board Decisions
      • There was no additional Board Discussion.

CNA Rules Revision Process Overview - Dan Adinolfi

Goal: Describe how the Board and CNAs will review the CNA Rules and begin that process. See Rules Process below.

Actions: 1) Decide on a specific schedule for weekly review. 2) Board should add any additional Rules update suggestions to the list before COB 6/30.

The list of suggested changes is here: <https://github.com/CVEProject/docs/blob/cna-documents/cna/CNA%20Rules/CNA%20Rules%20Development/Suggested%20Rules%20Changes>

A template for submissions to the CNA Rules revision process will be used for each suggestion:

  - Goal
  - Proposed solution
  - Expected outcome
  - Proposed language (optional)

First 30 days

  - Open comment period.
  - Board and CNAs are invited to participate.
  - Use the above format for revisions.
  - 2 or 3 conference calls throughout the month.

Next 60 days

  - 1-week sprints with a subset of the proposed revisions each sprint. Each subset is only to be discussed during that sprint.
  - 8 total sprints.
  - At the end of a sprint, if something wasn't resolved or discussed, it will not be included in this revision.
  - At the end of all sprints, the document will be finalized and sent to the Board for approval.

Proposed: New Rules go into effect on Jan 1, 2018


Researcher Reservation Guidelines Document Review Kick-off – Chris Coffin

Goal: Review and update the Researcher Reservation Guidelines

Actions: 1) Board will be sent the current draft. They will have two weeks to comment.

Open Discussion – CVE Board

Changes need to be made to a large number of CVE IDs’ references because the URLs in those references have changed. Such changes would have a significant downstream effect, but with some coordination, NVD, at least, could accommodate the changes.

A question was raised about associating CNAs with CVE IDs that have been published. That was OK, but some CNAs objected to keeping a list of which CNAs have which CVE IDs reserved.

The Git experiment by the AWG has been going well. It has been tested by a number of CNAs, and the feedback has been positive. The experiment will continue until August 21st.


Action items, wrap-up – Chris Coffin

  • MITRE will reach out to Apple to get more information about the SQLite issue.
  • Will work internally on how to handle the PaX/GRSecurity issue.
  • MITRE will look into simplifying the process of updating dead reference links in the CVE list. MITRE will also reach out to IBM to ask if they will set up redirects to allow the outdated xforce.iss.net links to continue to work.
  • The CNA Rules suggestions will be cleaned up and the process will begin.
  • Automation working group should consider how to add searching features to the Git experiment.
  • MITRE will send the new Researcher Reservation Guidelines document to the Board to begin the review process for that document.

Attachment: CVE Board Meeting 28 June 2017.docx


Page Last Updated or Reviewed: July 18, 2017