
CVE Board Meeting Minutes, 6 September 2017



CVE Board Meeting 6 September 2017

 

Board Members in attendance:

Taki Uchiyama (JPCERT/CC)

David Waltermire (NIST)

Kent Landfield (McAfee)

William Cox (BlackDuck)

Art Manion (CERT-CC)

Andy Balinsky (Cisco)

Scott Lawyer (LP3)

Kurt Seifried (Red Hat)

Members of MITRE CVE in attendance:

Dan Adinolfi

George Theall

Chris Coffin

Jonathan Evans

Anthony Singleton

 

Agenda

 

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning – Kent Landfield/Chris Coffin

                        Issues

                        Actions

                        Board Decisions

            Automation – Kurt Seifried/George Theall/Chris Coffin

                        Issues

                        Actions

                        Board Decisions

2:25 – 2:50: CNA Update

            DWF – Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

            General – Dan Adinolfi

                        Issues

                        Actions

                        Board Decisions

2:50 – 3:00: URL Update Status – George Theall/Chris Coffin

3:00 – 3:30: Service Vulnerabilities – Andy Balinsky

3:30 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

 

Review of Action Items from last meeting

PREVIOUS ACTION ITEM: The Automation Working Group will review different approaches for Git pilot submissions for Roots and sub-roots.

STATUS: No updates at the moment. Meeting scheduled for 9/7. Will notify board of outcome by late next week.

PREVIOUS ACTION ITEM: MITRE to send documentation and operational priorities to Board list for discussion.

STATUS:  Working on edits and will post to the board soon.

PREVIOUS ACTION ITEM: Kurt will send email to Board to start discussion around paying customers and CVE assignments.

STATUS: Kurt is waiting for his contact to get back to him with more information.

 

Agenda Items:

Working Groups

 

Strategic Planning

 

Status:  No updates


Issues: None

Actions: Group is still working to put information together

Board Decisions: Waltermire will respond to Millar’s Board email post to facilitate conversation on the topic of strategic objectives for CVE.

 

Automation

 

Status:  Working on next phase of pilot program.

Discussion: Size limits have been implemented for some JSON data fields (see https://github.com/CVEProject/automation-working-group/pull/44). CVE_JSON_4.0_min.schema was updated to limit the length of a description (3999), the length of a given reference (500), and the number of references (500). No comments on the current data field size changes have been received from the community.

Issues:  

Action:

Board Decisions:
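The three limits above can be checked before a record is submitted. The following is an added example, not code from the working group's repository; it assumes the limits apply to the CVE JSON 4.0 fields description.description_data[].value and references.reference_data[].url, and the sample records it builds are constructed, not real CVE entries.

```python
"""Check a CVE JSON 4.0 record against the field-size limits noted in the minutes
(description <= 3999 chars, each reference <= 500 chars, at most 500 references).
Assumption: the limits apply to description.description_data[].value and
references.reference_data[].url, the fields of the CVE JSON 4.0 layout."""
import json

# Limits from the minutes (CVE_JSON_4.0_min.schema, automation-working-group PR 44).
# In JSON Schema terms these are "maxLength": 3999 / 500 and "maxItems": 500.
MAX_DESCRIPTION_LEN = 3999
MAX_REFERENCE_LEN = 500
MAX_REFERENCE_COUNT = 500


def check_limits(record):
    """Return a list of violations (strings); an empty list means the record fits."""
    problems = []
    descriptions = record.get("description", {}).get("description_data", [])
    for i, entry in enumerate(descriptions):
        n = len(entry.get("value", ""))
        if n > MAX_DESCRIPTION_LEN:
            problems.append(f"description_data[{i}].value: {n} chars > {MAX_DESCRIPTION_LEN}")
    references = record.get("references", {}).get("reference_data", [])
    if len(references) > MAX_REFERENCE_COUNT:
        problems.append(f"reference_data: {len(references)} items > {MAX_REFERENCE_COUNT}")
    for i, ref in enumerate(references):
        n = len(ref.get("url", ""))
        if n > MAX_REFERENCE_LEN:
            problems.append(f"reference_data[{i}].url: {n} chars > {MAX_REFERENCE_LEN}")
    return problems


def check_json(text):
    """Parse a CVE JSON 4.0 document from a string and return its violations."""
    return check_limits(json.loads(text))


def make_record(desc_len, ref_count, url_len):
    """Build a constructed (not real) CVE JSON 4.0 record with the given field sizes."""
    base = "https://example.org/advisory/"
    url = base + "x" * max(0, url_len - len(base))
    return json.dumps({
        "CVE_data_meta": {"ID": "CVE-YYYY-NNNNN", "ASSIGNER": "cna@example.org"},
        "description": {"description_data": [{"lang": "eng", "value": "A" * desc_len}]},
        "references": {"reference_data": [
            {"url": url, "name": url, "refsource": "MISC"} for _ in range(ref_count)]},
    })


if __name__ == "__main__":
    # Boundary cases: exactly at the limits (passes), then one over on each field.
    for args in [(3999, 500, 500), (4000, 1, 80), (200, 501, 80), (200, 1, 501)]:
        print(args, check_json(make_record(*args)))
```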

 

CNA Update

CNA DWF

Status: None

Discussion:  None

Issues: Issue with reference material in embargo assignments and public entries from DWF.

Action:  Kurt is still cleaning data for his workflow.

Board Decisions: Kurt will email Chris Coffin and George Theall to further discuss the workflow for DWF assignment and publication.

 

CNA MITRE

 

Status: CNA rules revisions continue. Currently in week 5.

Issues: Need to figure out a better solution to track the progress/completion of any given issue or effort.

Actions: MITRE intends to add content to the CVE website regarding how to submit requests through the web form.

Board Decisions: Please include a link to the resolved webpage in the issue tracker entry that was closed.

 

URL Update Status

Status: MITRE has gone through 30k URLs for X-Force references, URLs that are broken and that IBM is not willing to change.

Discussion: Can the remaining references to be repaired be done in one sweep, or should batches continue to be used?

Issues:

Action: 20k references in total remain to be repaired.

Board Decisions: Waltermire will consult with the NVD team regarding whether a limit on the number of changes is still needed and relay the answer to MITRE.


Service Vulnerabilities

 

Status: Andy proposes that CVEs be assigned to vulnerabilities that reside in services.

Discussion: The Board discussed ideas and counter-ideas.

Issues: What is the value of assigning IDs to these issues?

Actions:  Board email list contains discussion in more detail.

Board Decisions: Andy will provide to the board the escalation process and format of the advisories in relation to vulnerabilities in services.

 

Open discussion

 

Discussion: Workflow for changing CVE Reject status / Reservation status

Issue: When there is a provenance issue, MITRE has historically noted in the entry a reason describing the issue.

Action: Kurt asks board to consider a variation of publishing guidelines of CVE IDs that are under embargo.

Board Decisions:

 


Summary of Action Items

 

  • Waltermire will respond to Millar’s Board email post to facilitate conversation on the topic of strategic objectives for CVE.
  • Kurt asks the Board to consider a variation of the publishing guidelines for CVE IDs that are under embargo.
  • MITRE will open a Board mailing list discussion on CVE references and what purpose they serve.
  • MITRE to update the Board on Git pilot phase 2.
  • MITRE will send the Board a prioritized artifact list and outlines.
  • Andy will share with the Board Cisco's policy for vulnerabilities in services.
  • MITRE will consider solutions to better track issue resolution and progress.

 

Significant Decisions, Policy Changes, or Events

 

  • None

 

Attachment: CVE Board Meeting 06 September 2017.docx


Page Last Updated or Reviewed: September 21, 2017