Editorial Board Teleconference – January 8, 2013
=================================================

Participants

Andy Balinsky, Cisco
Kent Landfield, McAfee
Harold Booth, NIST
Adam Shostack, Microsoft
Art Manion, CERT/CC
Ken Williams, CA

FIRST Kyoto Summit

The GVR summit discussion, hosted by JPCERT/CC / IPA, was one of two tracks going on at the
FIRST Technical Colloquium, held on November 13 - 15. There were over a hundred people at
the colloquium, and the GVR summit received good attendance. Harold Booth, Kent Landfield,
and Steve Christey were in attendance. Some of the presentations and discussion are restricted
to FIRST only.

Main takeaways

* Participation in the GVR discussion is worthwhile.
* The international discussion is just getting started.
* There was not a big focus on CVE as the solution.
* There are wide variations in development among regions.
* Disclosure practices definitely vary across markets.
* Language barriers could be a challenge.
* Regional vulnerabilities can have global implications.
* A new FIRST SIG will continue the work.

Day 1

Day 1 reviewed the history and current state of vulnerability reporting. Several of the
board members gave talks this day. Harold Booth started off the day by giving an overview
of the current reporting landscape and how NVD handles vulnerability reporting.

Kent Landfield gave a vendor's view of the current state of vulnerability reporting. Kent
emphasized that without a way of referencing a vulnerability that everyone can understand,
vendors have great difficulty identifying and integrating vulnerabilities into their
products. Many regions do not have an identification system, or where they do, it is usually
immature. Vendors have been focused on CVE, which primarily covers the English-speaking world.
Vendors cannot aid in verification and correlation of reports when they do not know about the
vulnerability in the first place.

Steve Christey's talk went over CVE's history and the lessons learned from running the
project. Steve emphasized that CVE is not the solution to the GVR discussion, but that its
experience in the field could help avoid some of the pitfalls CVE has identified. Steve
discussed the evolution of the content decisions and the difficulties that caused the changes.
Steve explained how CVE's content decisions reflect its mission as coordinator. The decisions
cause CVEs to be written in a way that is somewhere between advisories and specific bugs, not
perfect for any particular group but good enough for most.

Day 2

Day 2 was taken up by the Japanese (IPA, JPCERT/CC), Koreans (KrCERT/CC, KISA), and Thais
(ThaiCERT), who discussed their vulnerability handling and reporting practices. Each
demonstrated how vulnerability reporting practices vary from region to region. The two
Japanese presentations gave a detailed description of JPCERT/CC's CVE adoption process and
their current vulnerability ID practices. JPCERT/CC issues several identifiers for the
vulnerabilities they handle.

Most of the presentation by Soranun Jiwasurat (ThaiCERT) is restricted to FIRST members, but
it did prompt the creation of CVE-2012-6498, which demonstrates how a local vulnerability can
have global impact. CVE-2012-6498 is for an unrestricted file upload in Atomymaxsite, a
Thai-based CMS. A demonstration of an exploit, narrated in Arabic, was uploaded to YouTube,
and the vulnerability became actively exploited. This prompted ThaiCERT to publish an advisory
(http://thaicert.or.th/alerts/admin/2012/al2012ad025.html).

HongSoon Jung (KrCERT/CC, KISA) discussed the Korean reporting environment in his
presentation, which is also restricted. Three different Korean government organizations were
listed as handling vulnerability information: KISA under the Korea Communications Commission
for the private sector, the National Intelligence Service (National Cyber Security Center) for
the public sector, and the Ministry of National Defense (National Cyber Command & Control
Center) for the military. A Korean law, Article 47-4, requires vendors to notify users twice
within one month. Publication to a web site is sufficient notification. KrCERT/CC deals
privately with vendors but does not publish vulnerabilities on its website. KISA provides
advisories for major international products but does not publish technical details. KISA
(KrCERT/CC) has a simple vulnerability reporting process: they confirm the issue and
coordinate with the vendor. In October 2012 they implemented a reward program that seems to be
having some success.

Day 3

The third day focused on framing the problem of global vulnerability reporting, discussing
best practices, and possible solutions. These discussions had less participation than
desired. Several reasons for this were suggested, such as the language barrier or the
participants being too new to the problem. It was suggested that greater participation might
be achieved through email, since members would have time to process and compose responses. We
will need to be mindful of such issues for subsequent events.

Two items came out of Day 3: a GVR Sharing mind-map and a plan to create the Vulnerability
Reporting and Data eXchange (VRDX) FIRST Special Interest Group (SIG). The mind-map
captures many of the common concepts and discussion points around the GVR discussion. Kent
Landfield sent the mind-map to the Board on January 18, 2013. The SIG will be co-chaired by
Masato Terada (IPA) and Art Manion (CERT/CC). The SIG is still in the information gathering
and planning phase. Further conversation on the GVR issue will be held through the SIG, and
the CVE team will keep the Editorial Board apprised of the developments.

CVE ID syntax change update

Steve Christey announced that the CVE team would be doing a downselect based on the Board's
feedback on the proposed options. There will then be a public call for feedback on the
selected options. The CVE team will announce the public call on CVE Announce, on certain
security-focused mailing lists, and to the CNAs. Kent Landfield proposed that CVE should
contact tool vendors directly, and Steve agreed. After the public comment period, there
will be a formal Editorial Board vote, at which time an official option will be selected.
The target time for the final decision is around RSA. We have not yet reached the point of
discussing transition strategies.