
Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017

Do we much care about the year assigned/vs the year it was asked for and acknowledged as a security issue? Looks like HackerOne may have done a mass 2017 assignment to a lot of old issues. e.g. https://hackerone.com/reports/713

On Tue, Nov 14, 2017 at 7:08 PM, Waltermire, David A. (Fed) <david.waltermire@nist.gov> wrote:

I will likely not be able to make this call due to travel. As a result here is a quick status on my action items.

Due to travel, I haven't made as much progress on reviewing the CNA rules as I had hoped. I do plan to complete this review soon and will send comments to the list once I have completed this work.

Regarding developing a list of CNAs that have quality issues, I never intended to do this. Instead, I suggested that I would work with the NVD team to identify and raise issues with the board as issues are found. I will do this on an ongoing basis to highlight quality issues that affect downstream use of CVE information. It might be worth identifying a more robust mechanism for others to identify similar issues to allow for a more robust feedback mechanism. This may be worth discussing on a board call at some point.



From: owner-cve-editorial-board-list@lists.mitre.org <owner-cve-editorial-board-list@lists.mitre.org> on behalf of Coffin, Chris <ccoffin@mitre.org>
Sent: Wednesday, November 15, 2017 5:08:16 AM
To: cve-editorial-board-list
Subject: RE: Agenda for CVE Board Meeting Wednesday, 15 November 2017

Summary of Action Items from the Nov 1 Board Meeting

  • Dave Waltermire volunteered to review current CNA rules for required items and flexible items.
  • MITRE will schedule a Board meeting that will include the representatives from Github.
  • MITRE will start a discussion about additional technical domains and areas that should have CVE coverage.
  • The discussion on building the base (i.e., identifying and onboarding Root CNAs) will be discussed by the Strategic Planning WG.
  • The discussion on broken links and handling them with the CVE downloads and JSON will continue in a Board email thread.
  • Dave Waltermire will develop a list of CNAs that have quality issues.



From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Common Vulnerabilities & Exposures
Sent: Tuesday, November 14, 2017 2:57 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Agenda for CVE Board Meeting Wednesday, 15 November 2017


Dear members of the CVE Board –


Here is the agenda for tomorrow’s CVE Board Meeting. Documents to be discussed during the meeting will be emailed separately.







CVE Board Meeting 15 November 2017 - Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

  • Strategic Planning – Kent Landfield
    • Issues
    • Actions
    • Board Decisions
  • Automation – George Theall
    • Issues
    • Actions
    • Board Decisions

2:25 – 2:50: CNA Update

  • DWF – Kurt Seifried
    • Issues
    • Actions
    • Board Decisions
  • General – Jonathan Evans, Nick Caron, Joe Sain
    • Issues
    • Actions
    • Board Decisions

2:50 – 3:10: Documentation: CNA Processes – Jonathan Evans

3:10 – 3:30: Discussion: Problematic assignments for subpar reports via CVE request form - Chris Coffin and Jonathan Evans

  • Email thread on Board mailing list 10/23 - 11/13.

3:30 – 3:45: CVE communications, document repositories, and collaboration – Joe Sain

3:45 – 3:55: Open Discussion

3:55 – 4:00: Action items, wrap-up – Chris Coffin





Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: November 15, 2017