CVE Board Meeting Minutes - 25 January 2017

["Adinolfi, Daniel R" <dadinolfi@mitre.org>]

CVE Board Meeting

25 January 2017, 2:00 p.m. EST

 

The CVE Board met via teleconference on 25 January 2017.

 

Board members in attendance were:

Harold Booth (NIST)

Kent Landfield (Intel)

Scott Lawler (LP3)

Pascal Muiener (CERITAS/Purdue University)

Art Manion (CERT-CC)

Kurt Seifried (Red Hat)

Taki Uchiyama (JP CERT)

William Cox (Black Duck)

 

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Chris Coffin

Jonathan Evans

Anthony Singleton

George Theall

 

Agenda

 

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning - Kent Landfield

                        Issues

                        Actions

                        Board Decisions

            Automation - Harold Booth

                        Issues

                        Actions

                        Board Decisions

2:25 – 2:50: CNA Update

            DWF – Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

            General - Dan Adinolfi

                        Issues

                        Actions

                        Board Decisions

2:50 – 3:00: Board Call Schedule - Dan Adinolfi

3:00 – 3:10: Voting results for William Cox inclusion in the Board - Dan Adinolfi

3:10 – 3:20: 2016 Statistics - Chris Coffin

3:20 – 3:40: CVE Errors on the Internet - Dan Adinolfi

3:40 – 3:50: Documentation Develop Process - Chris Coffin

3:50 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

 

The meeting began with discussing last meetings action items:

• MITRE began considering how to design a testing set of information. After some discussion, the Board moved the issue to the Automation Working Group’s agenda.
• MITRE was to send a message to Board stating metric accomplishments covered below in 2016 stats. A more formal reporting structure is still under development, though some statistics were shared on the call.
• MITRE began investigating how to make use of social media outlets for outreach and communication. This investigation is ongoing.
• MITRE will review publicly posted content on the CVE website and the related Wikipedia page to ensure it is correct and up to date. This is still to be completed.
• A mailing list to support the Naming Working Group will be created by MITRE. The mailing list has been populated and work will soon begin.

 

CVE Strategic Planning Working Group Update

The recommendations made to the Board by the Strategic Planning Working Group have been accepted by the Board. The Working Group will continue working on the agenda described by the recommendations.

The Working Group will share some documentation with the Board, including a presentation that describes a CVE strategy document and some other discussion materials.

 

DWF Update

DWF has made some progress with operational issues, though it still has significant work to be done. Developing the new JSON format through the Automation Working Group continues.

 

Automation Working Group

The Automation Working Group continues to develop version 4 of the JSON format. The Working Group has the goal that, after the next meeting, there will be a final draft of the specification which can then be offered to the community as a whole for a 30-day comment period. After incorporating that feedback, the format will be codified and version 4.0 will be considered set.

The Automation Working Group’s next meeting was to be 30 January.

 

General CNA

MITRE has been working with some of the CNAs to resolve some operational issues, mostly related to CVE ID submission formatting or content.

TIBCO is now a CNA. MITRE has begun the on-boarding process for Cybersecurity Malaysia, Qihoo 360, Synology, and KR-CERT.

A document tree describing the documentation needed to support the CNA program is under development. This was discussed later in the meeting.

 

Board Call Schedule

To accommodate the geographic spread of Board members, the schedule for CVE Board meetings will be adjusted. Board meetings will be scheduled in the early morning or late evening Eastern Time to allow easier participation from those in Asia and Europe. MITRE will propose a new schedule on the Board mailing list.

 

Voting Results for William Cox inclusion in the Board

William Cox of Black Duck Software has been formally added to the Board.

 

2016 Stats

MITRE shared the following statistics with the Board.

• 14969 CVE IDs were assigned in 2016.
• 7104 CVE IDs were published to the CVE list.
• MITRE published 6000 CVE IDs themselves.
• 622 CVE IDs came from CNAs.
• From the CVE Request web form, 261 requests were made that resulted in an update to the CVE list.

 

CVE Errors on the Internet

Occasionally, a CVE ID will be incorrectly cited on the Internet outside of MITRE or CNA control. MITRE asked the Board how to deal with these events, specifically if any incorrectly cited CVE ID should be rejected. The Board suggested that MITRE follow a consistent policy for these issues, and that policy should not attempt to reconcile every single instance where someone may have mistakenly (or maliciously) cited a CVE ID. Instead, there should be a threshold for when MITRE should react. MITRE will develop this policy.

 

Documentation Development Process

MITRE has developed a plan for creating the documentation necessary for CNA operations. This documentation includes program descriptions, training, operation documents, and outreach materials. MITRE shared a draft documentation tree that described the documents and their relationships with the Board. The Board will review this documentation plan and offer feedback.

 

For each document, MITRE will share an outline with the appropriate group for their discussion over a week. Once a draft is ready for review, that review period will be two weeks, and MITRE will then have the final draft completed within two weeks of that. When the draft is finalized, it will be submitted to the Board for approval.

The Board will review general CVE documents themselves over the Board mailing list. Documents that directly affect CNA operations will be reviewed on the cve-cna-list mailing list. Documents that are related to automation will be reviewed on the Automation Working Group mailing list. MITRE will maintain the document masters and act as editor. These masters will be maintained in GitHub.

 

Open discussion

MITRE asked the Board if MITRE should direct anyone requesting a CVE ID through the oss-security mailing list to the CVE Request web form. The Board stated that MITRE should follow a consistent process. They ask that any message to the mailing list describing the change be reviewed by the Board first. MITRE will draft that message and share it with the Board.

 

Action Items:

• MITRE will produce formal process for documentation review and publication.
• MITRE will propose a new Board meeting schedule on the Board mailing list.
• MITRE will develop a policy to guide when and how a response should be made regarding incorrect CVE references found online.
• MITRE will draft a letter to the oss-security mailing list describing the new process for obtaining CVE IDs and submit it to the Board for review.

 

The next CVE Board meeting will be Wednesday, February 8, 2017.

 

Attachment: CVE Board Meeting_1_25_17.docx
Description: CVE Board Meeting_1_25_17.docx