CVE Board Meeting
5 April 2017, 2:00 p.m. ET
The CVE Board met via teleconference on 5 April 2017.
Board members in attendance were:
Andy Balinsky (Cisco)
Harold Booth (NIST)
Art Manion (CERT/CC)
Kurt Seifried (Red Hat/DWF)
Taki Uchiyama (JPCERT/CC)
William Cox (Black Duck)
Pascal Meunier (Purdue)
Members of the MITRE CVE Team who attended the call are as follows:
Dan Adinolfi
Jonathan Evans
Anthony Singleton
George Theall
Agenda
2:00 – 2:05: Introductions, action items from the last meeting – Dan Adinolfi
2:05 – 2:25: Working Groups
    Strategic Planning – Kent Landfield
        Issues
        Actions
        Board Decisions
    Automation – Harold Booth/Kurt Seifried
        Issues
        Actions
        Board Decisions
2:25 – 2:50: CNA Update
    DWF – Kurt Seifried
        Issues
            DWF Web Form confusion
        Actions
        Board Decisions
    General – Dan Adinolfi
        Issues
        Actions
        Board Decisions
2:50 – 2:55: CNA Report Card Update – Dan Adinolfi
3:00 – 3:10: CNA Documentation Update – Dan Adinolfi
3:10 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Dan Adinolfi
Introductions and review of previous action items
- The CNA Report Card for the first quarter of this calendar year will be provided to the Board by the next Board meeting.
- The first document to be developed for the new CNA documentation will be shared in the next week.
- A summary of observations from the RSA Conference will be sent to the Board.
- Use cases for including services in the CVE list are still being developed by the Board.
Working Groups
- Strategic Planning – Dan Adinolfi
    - Issues
        - There were no updates from the Strategic Planning Working Group.
    - Actions
        - The next Strategic Planning WG meeting will be April 6, 2017 at 2PM ET. Future meetings will be held the Thursday after the first Board meeting each month.
    - Board Decisions
        - There was no additional Board discussion.
- Automation – Harold Booth
    - Issues
        - The WG met on 2 April 2017.
        - MITRE is cleared to use the new minimal JSON format.
        - The WG is still considering how to allow bi-directional flow of CVE data between CNAs.
        - Should there be a container around each CVE entry in the JSON format? Possibly, but the need to develop one should not hold up the use of the minimal specification.
    - Actions
        - Additional development will be done on the JSON format.
        - Assigner information (an email address) will be included as a required field in the minimum specification.
        - Question to be considered: how should transport or container standards be developed?
    - Board Decisions
        - Assigner will be included as a required field in the minimum JSON specification.
        - MITRE is cleared to use the new minimal JSON format for CVE requests.
CNA Update
- DWF – Kurt Seifried
    - Issues
        - MITRE is receiving complaints from requesters who have not received CVE ID assignments after submitting requests through the DWF web form. DWF should finish developing its infrastructure by the end of next week.
        - The Board reviewed the guidelines regarding how CVE ID pools are assigned within Root CNAs.
        - DWF will finish validating its Terms of Use with its submitters.
    - Actions
        - More infrastructure will be developed in the next week.
    - Board Decisions
        - There was no additional Board discussion.
- General – Dan Adinolfi
    - Issues
        - Qualcomm is now a CNA.
        - Invitations for May's CNA Training in Tokyo have been sent out. At least three CNAs are known to be attending.
    - Actions
    - Board Decisions
        - There was no additional Board discussion.
CNA Report Card Update – Dan Adinolfi
The CNA Report Card and a corresponding summary slide deck are in their final draft and will be shared with the Board within the next week.
CNA Documentation Update – Dan Adinolfi
A final draft of the CVE 101 White Paper, the first document to be co-developed with the Board to support the CNA program, has been written and will be shared with the Board within the next week.
Open Discussion - Dan Adinolfi
- OASIS CSAF is working on CVRF version 2, and additional community feedback is welcomed.
- The CVSS v3 JSON specification is imminent, and the Automation Working Group should consider how best to accommodate it.
- The Board reviewed the active working groups and how to join them. The active working groups are the Strategic Planning Working Group, the Automation Working Group, and the Naming Working Group. Participation is open to anyone; interested people can request inclusion on the group mailing lists and call invitations through MITRE.
- The Board discussed whether Black Duck should be a CNA and how that might be done. The discussion will continue.
Action items, wrap-up – Dan Adinolfi
- The CNA Report Card for the first quarter of this calendar year will be provided to the Board by the next Board meeting.
- The first document to be developed for the new CNA documentation will be shared in the next week.
- A summary of observations from the RSA Conference will be sent to the Board.
- Use cases for including services in the CVE list are still being developed by the Board.
- MITRE will send out the link to the development branch in GitHub for the CNA documentation.
- MITRE will investigate converting documents in the GitHub repository to markdown for easier editing.