CVE Board Meeting 24 January 2018
Board Members in Attendance
Andy Balinsky (Cisco)
Kent Landfield (McAfee)
Scott Moore (IBM)
Pascal Meunier (Purdue)
Kurt Seifried (Red Hat/DWF)
Taki Uchiyama (JPCERT/CC)
Dave Waltermire (NIST)
Members of MITRE CVE Team in Attendance
Nick Caron
Chris Coffin
Jonathan Evans
Joe Sain
Anthony Singleton
George Theall
Alex Tweed
AGENDA
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
-
Previous Action Item: MITRE will reach out to CNAs via CNA list to get ideas on summit topics
-
Previous Action Item: MITRE will send out current list of summit topics with more descriptive content
-
Previous Action Item: Dave Waltermire will put together a slide for the direct CNA feedback (for CNA summit topic)
-
Status: Dave is working on a couple of slides for this.
-
Previous Action Item: For next board meeting, we will continue discussion on proxy/backup for board members
-
Action: On today’s agenda
-
Previous Action Item: MITRE to send out a new meeting invite for Strategic Planning WG (Monday at 4:00 p.m. ET)
-
Previous Action Item: Reach out to AWS and Cloud Security Alliance to see if we can get participation at the
CNA Summit
-
Status: Victor Chin (Cloud Security Alliance) will attend remotely; Amazon will have a representative in attendance
2:05 – 2:25: Working Groups
Strategic Planning – Kent Landfield
-
Issues
-
Will need to go through each role and drive out the actual responsibilities of said roles.
-
Actions
-
Focus on the roles of the CVE program.
-
Questions around rules that involved:
-
CVE mentors
-
CNA of last resort
-
Plan to document more information for roles and the responsibility for next meeting to help expand and further move progress along.
-
Board Decisions
Automation – George Theall
-
Notes
-
Spent time on Kurt’s proposals for handling embargoed ids. Idea is to encrypt information and store it in JSON files for the reserved ids in the cvelist repo in git while embargoed and then
decrypt the info and update the JSON files when vulnerability becomes public.
-
Talked about a framework for storing information about each CNA in a JSON file in a parallel repository (cnalist). CNAs could use that file to manage information about itself and its operations,
such as statements about its scope, points of contact, Github accounts, etc. And they could control whether MITRE could include in that the block assignments it has received. In turn, that info could be used in support of automation and sharing.
-
Issues
-
Can a CNA include attributes in JSON files when the current spec doesn’t mention them? In theory, anyone parsing the information should pull out the attributes of interest to them and ignore
any others in the files.
-
How safe can this data be?
-
Suggestion made to assume that it will not be entirely safe but the organization should be taking preventive steps to prevent malicious attacks.
-
There is no clear documentation on what is allowed versus what is not allowed in the JSON data itself.
-
Actions
-
Kurt will send his proposal for handling embargoed ids to board for approval before starting to put into practice.
-
The conversation about Kurt’s proposal will be moved to AWG for further discussion.
-
The working group will continue development of the cnalist draft and send it to the Board when ready.
-
Board Decisions
-
The Board believes that more documentation and discussion is needed in regard to ingest and creation of JSON data.
2:25 – 2:45: CNA Update
DWF – Kurt Seifried
-
Issues
-
Actions
-
Kurt is using structured template to request IDs. He will share template with the board that has made his process easier.
-
Kurt continues to catch up on the back log.
-
Board Decisions
General – Jonathan Evans, Nick Caron
-
Issues
-
CNA contact requirement needs to be clear on what is required to become an CNA, specifically whether every CNA needs to have a public email point-of-contact.
-
MITRE will need to adapt training examples and include other examples that cross different industries.
-
Actions
-
Training with Hikvision and Facebook. With some book keeping and administrative processes to iron out before becoming official CNAs.
-
Board Decisions
2:45 – 3:30: CNA Report Card Briefing and Discussion – Chris Coffin
-
Comments from Quarterly report:
-
What are the increases due to process or automated processes changes?
-
Can we determine if increases in CVE Entries are due to an increase in requests?
-
Could number of reserved CVE IDs help?
-
Could number of unique MITRE CNA requesters help?
-
Others?
-
Need to ensure we are capturing the data that can answer the future questions we want to ask.
-
Board asks for a few different representations of current quarterly report charts for better understanding.
-
Need a chart for Reserved CVE IDs All Years
-
Speed from public to populated for the past 4-5 years
-
Slowest CNAs to populate for established CNAs (disregard new CNAs)
-
Replace “10 Slowest CNAs to Populate CVE Entries for the Quarter before Last” with a net change chart. If CNA was sending details within 24 hours but then suddenly slowed down to within 30 days
we would want to represent that here. Would also be good to see the inverse to understand who was getting better.
-
Board asks for complete list of what has been done for each CNA. The Board would like to see a separate spreadsheet that includes all CNAs and their time from public to populated. We may want
to extend this to other CNA-specific charts as well.
3:30 – 3:45: Continuation of the discussion on CVE Board Membership, alternates, and succession planning – Chris Coffin
-
This topic will be moved to the next board meeting agenda.
3:45 – 3:55: CVE CNA Summit Update – Joe Sain
-
The following will continue to be discussed on the board mailing list:
3:55 – 4:00: Action items, wrap-up – Chris Coffin
-
Add pascal to SPWG mailing list
-
Kurt to start documentation for git pilot JSON format handling.
Significant Decisions:
None
