CVE Board Meeting Summary - 30 May 2018

CVE Board Meeting 30 May 2018

Board Members in Attendance

William Cox (Black Duck Software)

Beverly Finch (Lenovo)

Kent Landfield (McAfee)

Scott Moore (IBM)

Kurt Seifried (RedHat)

Taki Uchiyama (Panasonic)

Andy Balinsky (Cisco)

Members of MITRE CVE Team in Attendance

Chris Coffin

Christine Deal

Jonathan Evans

George Theall

Agenda

2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin

2:15 – 2:30: Working Groups 

·       Strategic Planning – Kent Landfield

·       Automation – Chris Johnson, Dave Waltermire

2:30 – 2:45: CNA Update

·       DWF – Kurt Seifried

·       MITRE – Jonathan Evans, Nick Caron

2:45 – 3:15: Establishing the QA Working Group – Jonathan Evans

3:15 – 3:30: Amazon Alexa Vulnerability Update – Chris Coffin

3:30 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting

• Previous Action Item: Send out email about Collaboration WG.
  • Status: In process (Kent Landfield drafting email).
• Previous Action Item: Draft an email for reaching out to CNAs on a regular basis for participation (MITRE).
  • Status: TBD.
• Previous Action Item: Send out revised version of charter with Pascal’s update (MITRE).
  • Status: Revised version has not been distributed to the Board; version 2.6 has been posted to cve.mitre.org.
• Previous Action Item: Work on CNA training to include white lists/black lists for descriptions and look into potential automation (MITRE).
  • Status: Ongoing.
• Previous Action Item: Need to update the announce mailing lists so they have more information. Update the way we submit them—adding more info along with links, incorporation of news articles, not sending as frequently (MITRE).
  • Status: Currently reworking the CVE-Announce format to be more newsletter-oriented.
• Previous Action Item: Add Chris Johnson to the public board mailing list.
  • Status: Completed.
• Previous Action Item: Share the CVE Board list rosters with CVE Board members.
  • Status: Completed.

Agenda Items

Board Working Groups

Strategic Planning Working Group (Chris Coffin / Kent Landfield)

ISSUES: MITRE CVE team is working the services as part of roles/structure of the program. Planning to get a start on the CONOPS this week; that will hopefully tie together the services and what roles are tied to the services. We need to prioritize the services we want to hand off to the AWG. We also put together a “save the date” to meet in Gaithersburg, MD the end of June (26-29 June). Also incorporating the user registry service into the user stories.

ACTIONS: N/A

BOARD DECISIONS: N/A

Automation Working Group (Chris Johnson / Dave Waltermire)

ISSUES: Chris Johnson asked that people review the issues (categorizing, tagging) in the GitHub tracker with the aim of parsing those out to the various project teams. There was an updated status on phase 3 of the git pilot. Providing updates of meetings to NVD folks about workflows was discussed and there was a discussion about how to start up the project teams—who would be participating in those. Board vote on the charter is due on 5/31 but it is not an official vote (silence begets acceptance, since only MITRE can call for a vote).

ACTIONS: Chris C has an action item to check with Chris Johnson to verify the process for the Automation WG Charter approval process.

BOARD DECISIONS: N/A

 CNA Updates

DWF (Kurt Seifried)

STATUS: Working on making Xen and PHP CNAs.

ISSUES/DISCUSSION: N/A

ACTIONS: N/A

MITRE (CVE Team)

STATUS: Jonathan contacted the four CNAs who have not been in contact in a long time; got a response from two. Those two (Qihoo 360 and MarkLogic) would like to remain CNAs and one (Qihoo 360) expressed an interest in expanding their coverage; if that happens, they would be more active. Kurt said they have released reports on other products (Xen) and they are very good and high quality and detailed reports. Taki also said he has worked with 360 and agreed that they provide good reports.

The email bounced on notifications Jonathan sent to two of the CNAs in question, but the public email was still active in both cases.

ABB (Swiss) requested to become a CNA; they do robotics for industrial production.

DISCUSSION: N/A

ACTIONS: None

Establishing the QA Working Group (Jonathan Evans)

DISCUSSION: At the last Board meeting, we discussed issues with including CVSS scores/vectors in descriptions, and that expanded into a discussion on what the quality of a description should be. Perhaps we should develop a group that can make those decisions rather than just MITRE making all of the decisions. Based on what I originally wrote, CVSS vectors would have been permissible in a description. We could split this off and create a WG that discusses quality issues. They could propose new rules for what’s allowed in a description and also produce guidance documents. Kent: Would this be a description WG or a QA WG? Jonathan: It wouldn’t just be for descriptions. A CVE entry isn’t just for descriptions. It would oversee the quality of all parts of a CVE ID. Kurt: A part of creating a good CVE is getting in good information about what the vulnerability is; might be helpful to have guidelines on what to ask for in order to get a good (well written) CVE. Maybe it should be a CVE usability group—broader scope than just quality. There is (should be?) a minimum data set required to supply the assigner before a CVE will be assigned.

Kent: I am hearing a couple of different things—you are looking for quality of descriptions but also the quality of other aspects of a CVE entry and also what are the guidelines for CVE submission before it goes to the next stage.

Jonathan: Does it make sense to create that group? Is there any interest?

Kurt: I’m definitely interested in this.

Kent: I don’t have any issues if you guys want to do it. What’s required by the Charter?

Chris C: Any Board member can create a group; safe thing to do would be to send an email out to the list to make sure there are no major issues. We can create a draft charter and send out to the Board list for approval. Are we okay with the QA WG or do we need a different name?

Kurt: Maybe make it just CVE Quality WG.

ACTION: Send an email out to the list to make sure there are no major issues. We can create a draft charter and send out to the Board list for approval.

Amazon Alexa Vulnerability Update (Chris Coffin)

DISCUSSION: We are planning to populate the Amazon Alexa vulnerability by the end of the day. I’m planning to go with Tom’s update to Kurt’s proposed version. The CVE entry will be populated at 5pm ET.

Kurt: The CSA is interested in working with the CVE Board on the CVE services stuff—it dovetails with the work they are doing on security, trust, and automation. (Cloud Securities WG: https://cloudsecurityalliance.org/group/cloud-vulnerabilities/#_overview).

ACTION: Kurt to send out email to Board about cloud services discussion.

Open Discussion

N/A

Summary of Action Items

• Check with Chris Johnson on the status of the AWG charter; Board input and changes should be ending 5/31 (Chris Coffin will send a message to Chris Johnson)
• Send out note to the Board on the CVE Quality WG; send out a draft charter (either in that email or separate one)
• Kurt to send out a follow up on the cloud services discussion
• Send out email about Collaboration WG to the CNAs
• Draft an email for reaching out to CNAs on a regular basis for participation (MITRE)
• Work on CNA training to include white lists/black lists for descriptions and look into potential automation (MITRE)
• Need to update the announce mailing lists so they have more information. Update the way we submit them—adding more info along with links, incorporation of news articles, not sending as frequently (MITRE).

Significant Decisions:

None