CVE Board Meeting Summary - 5 September 2018

Board Members in Attendance

William Cox, Synopsys, Inc.

Kent Landfield, McAfee

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Pascal Meunier, CERIAS/Purdue University

Kurt Seifried, Cloud Security Alliance

David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Jonathan Evans

Joe Sain

George Theall

Other Attendees

Chris Johnson (NIST)

2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin

2:15 – 2:30: Working Groups 

·       Strategic Planning – Kent Landfield / Chris Coffin

·       Automation – Chris Johnson / Dave Waltermire

2:30 – 2:45: CNA Update

·       DWF – Kurt Seifried

·       MITRE – Jonathan Evans

·       JPCERT – Taki Uchiyama

2:45 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

1. Previous Action Item: MITRE (Chris C/Jonathan) to send out an email to the Board list to initiate the CNA Rules revision process (regarding inclusion).
   • Status: Not Done
2. Previous Action Item: CNA rules discussion—MITRE will start putting together a list of things to discuss in follow up calls.
   • Status: Not Done
3. Previous Action Item: Send out note to the Board on the CVE Quality WG (MITRE).
   • Status: Not Done
4. Previous Action Item: Lisa Olson (Microsoft) to investigate sharing a paper as a place to start with CNA scope work.
   • Update: Lisa provided document 9/5/18 at 12:11pm Lisa's email is archived at https://cve.mitre.org/data/board/archives/2018-09/msg00001.html
5. Previous Action Item: MITRE will contact HackerOne to inquire about WordPress vulnerability and contact Kurt Seifried (CSA).
   • Status: Told Kurt that he should reach out to HackerOne directly on this and let us know if he had any issues in doing so.
   • Update: Kurt explained that he didn’t not receive response from the front-line staff and appeared to be unsure that WordPress was a customer/Product of HackerOne.
     • There was a lengthy discussion resulting from this action item about Root and CNA Scope and duplicative CVE assignment, see details below (Topics 4 thru 6).

·       The group agreed that Kurt will assign a CVE for this vulnerability.

6. Previous Action Item: Set up another discussion for Appthority as a researcher CNA.
   • Status: Done. Appthority is cleared to become a CVE CNA. We will have another call for Appthority and some Board members to discuss further.
   • Concern: The group expressed concern because they are considered researcher CNA, reference researcher CNA discussion below for details (Topic 6).
7. Previous Action Item: Continue discussion to define set of product types, define value, determine whether it can be automated, and the effort involved in doing so (tagging).
   • Status: Not Done
8. Previous Action Item: Marketing message for CVE—send out CVE 101 to group and use as starting point (may need to customize for different audiences).

·       Status: Not Done

1. Strategic Planning – Kent Landfield / Chris Coffin

• Status: No Updates/Working Groups not conducted

2. Automation – Chris Johnson / Dave Waltermire

• Status: No Updates/Working Groups not conducted
• Remarks from Board members:
  • Kent Landfield explained we need to get the Automation working groups going, so we need to finalize the requirement documents, so we can get the infrastructure in place and determine where we are going to do the work, so industry can contribute as well.
  • Chris Johnson – Email communications with Beverly Miller (Finch) as she expressed interest in leading CVE ID allocation services work. A follow-on conversion with Beverly will be next week and our next meeting on the 17^th of September to discuss CVE ID allocation and user registry service documents.
    • Kent added that Microsoft wanted to participate as well.
    • Chris C. explained that Kurt is chairing the CVE user registry, Beverly is hopefully going to chair the CVE ID allocation.
    • Recommendation - SPWG resulted in requirements documents - Kent suggested walking through the working group participants through the service documents, to clarify intent and answer questions.

1. DWF – Kurt Seifried
   • None
2. MITRE – Jonathan Evans
   • New CNA Request - Independent Security Evaluator requested to be a researcher CNA.
   • Taiwan Cert got back to us, after months of no activity.
3. JPCERT – Taki Uchiyama
   • No updates

1. Chris Coffin - Distribute CVE 101 PowerPoint
2. Chris Levendis - Distribute MITRE congressional slides once submitted to Congress.
3. Chris Coffin – Communicate to researcher CNAs – new CNA are hold. Explain that clarifications need to be made about roles and responsibilities before new CNA’s are confirmed.
4. Joe Sain – Reach out to HackerOne about why Front door is not working.
5. Jonathan Evans - metrics on how many researcher CNAs compared to Vendor CNAs
6. Kurt Seifried – Provide the names of those participating in the CVE User Registry project and set up a requirements kickoff meeting.
7. Chris Coffin – Send a note to the CNA group email soliciting participation in Automation Working Group projects.
8. Chris Levendis/Chris Coffin – Distribute CVE Root discussion slides to the Board.

1.     The Board gave approval to Kurt Seifried (CSA, DWF) to assign a CVE ID to the WordPress vulnerability that he had attempted to coordinate with HackerOne.

1. How can we better communicate our future vision of the CVE program? How can we better market the CVE program and communicate the great changes that are taking shape?
2. How do we provide more status information to the public around metrics and ongoing activities we are engaged in?
3. CNA Process – Front Door or Back Door; How should CNAs communicate with each other, and how would that information be managed?
   1. Set up an excel spreadsheet to share contact info amongst the CNAs?

4)   CNA Scope Issues 

      The Board discussed that CNA documentation around roles and responsibilities are needed, current documentation is not clear, CNA assign CVE within their scope. Scope may or may not cover CVE for their customers.

o   CNA Rules State - The rules state CNAs are supposed to be responsive but does not provide a specific timeframe. The rules state if you are going to assign CVE for a vulnerability not in one of your products, you are supposed to contact the vendor.  The vendor is supposed to make a determination.

o   New Approach to CNAs and Roots - A given Root has a scope, a portion of the scope gets delegated to a CNA (i.e. product or area of research. If a portion of the scope is not delegated to a CNA, that scope stays with the Root. It is the Root’s responsibility to do the CVE assignment as a last resort.

o   Action Item – CNA Rules need to be updated to reflect this new approach

5)   Eliminate duplication CVE assignment discussion

o   The Board discussed that specifying CNA scope will help eliminate duplication CVE assignment. Art explained that having open communication with other CNAs when making CVE assignments, asking if anyone has any one asked anyone else for CVE’s, keeping this at the CNA level (not at Root/Primary level). Adding this extra operational step will help with duplication.

o Recommendation 1: Process recommendation needs to be added to CNA training.

o Recommendation 2: CNA rules need to be updated to minimize duplicate assignments.

o   Johnathan explained that duplication of CVE assignments occurs the most with DWF

6)   Researcher CNAs

o   The Board discussed researcher CNAs that have with ambiguous scopes. These CNAs have issued thousands of CVEs.

o Recommendation 1: Avoid adding any new researcher CNA’s until there are specific qualifications and guidelines for what qualifies as a researcher CNA. This includes defined scope rules yet to be discussed.

o Recommendation 2: Make the scope naturally programmatic for researcher CNAs.

o Recommendation 3: Change the process for researcher CNAs. Who is responsible for coordinating the assignment of the IDs? Who issues the CVE ID and who populates the information? There should be an easier way for companies to request an CVE ID.

o Recommendation 4: Better define roles and responsibilities for researcher CNAs

o Recommendation 5: Need to address the researcher CNA ambiguous scope issue before we sign up any more researcher CNAs.

o Recommendation 6: Explore the possibility of researchers participating in the CNA program without becoming CNAs.

o Recommendation 7: Need a testing/certification program for CNAs to make sure they can adequately perform their role, especially researchers.

o   The Board agreed to explore better solutions regarding researcher CNAs ambiguous scope issue.

7)    Operationalize Root CNAs effectively

o   Further discussion around how we can operationalize Root CNAs more effectively.

o   MITRE’s role in operationalizing roots.

8)     Product Type Tagging/Categorization

o   As the production numbers for CVEs go up, there will be an increasing need to view a subset of the overall CVE master list

o   Define a list of common product areas/domains to be used for categorizing CVE entries (i.e., Medical devices, automotive, industrial, etc.)

o   The tags/categories should be attached to the products and not the CVE entries directly.

o   Product listings in CVE User Registry would be a potential location

• Can it be automated?

Meeting recordings available here:

https://handshake.mitre.org/file/group/15069086/all#15210954