CVE Board Meeting Minutes – 12 July 2017

Board Members in attendance:
  Taki Uchiyama (JPCERT/CC)
  David Waltermire (NIST)
  Kent Landfield (McAfee)
  Art Manion (CERT/CC)
  Andy Balinsky (Cisco)

Members of MITRE CVE in attendance:
  George Theall
  Chris Coffin
  Dan Adinolfi
  Lynne Miller
  Alex Tweed

Agenda:
  2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
  2:05 – 2:25: Working Groups
    Strategic Planning – Art Manion/Chris Coffin (Issues, Actions, Board Decisions)
    Automation – George Theall (Issues, Actions, Board Decisions)
  2:25 – 2:50: CNA Update
    DWF – Kurt Seifried (Issues, Actions, Board Decisions)
    General – Dan Adinolfi (Issues, Actions, Board Decisions)
  2:50 – 3:30: CNA Report Card for CY17 Q2
  3:30 – 3:55: Open discussion – CVE Board
  3:55 – 4:00: Action items, wrap-up – Dan Adinolfi

Review of Action Items from Last Meeting:

Previous Action Item: Talk to Apple on issues regarding SQLite and duplicates
  Status: MITRE has not heard back from Apple.
  Issues: None
  Actions: Continue trying to contact Apple.
  Board decisions: None

Previous Action Item: MITRE to follow up with Scott Moore on redirecting IBM X-Force references
  Status: It turned out this was not possible. MITRE put the result in a news article and has begun to update references, fixing about 5000 references on Monday. No feedback from the community yet.

Previous Action Item: CNA Rules Update
  Status: The first review meeting was held on Tuesday. MITRE reported that the meeting was well attended. Discussion mainly centered on processes. MITRE reviewed the review process and schedule. Comments and suggestions can be added to the document on GitHub. MITRE will set up an issue tracker in GitHub to capture discussions on issues. The next meeting is next Thursday; after Thursday's meeting, it will be decided whether another meeting is necessary. MITRE will build a schedule by the beginning of August to address suggestions/issues.
  Discussion: There was discussion around the use of the issue tracker in GitHub, and whether reviewers should post new issues. MITRE is in the process of creating issues from the current suggestions/comments, which is expected to result in 30-40 issues. Right now the goal is to get all suggestions in one place. Suggestions were made to help facilitate the discussion of the CNA Rules. It is important to make raising an issue as easy as possible. The intent is a continual improvement process, giving the community a forum to post issues as they arise. There may be changes that can be made outside of the annual review cycle (this requires more conversations).
  Action: Get the issue tracker set up for ongoing issue tracking after the current review of the rules document.
  Action: MITRE to get issues created in GitHub as soon as possible.

Agenda Items:

Strategic Planning
  Status: The Strategic Planning Working Group met this week and worked to redefine the group's purpose. Four areas/objectives for focus were identified. The group wants to focus on future-facing items, with short-term tactical issues being part of other working groups.
  Discussion: Sometimes short-term issues can be strategic; the Board does not want to set arbitrary constraints on scope and create unnecessary working groups.
  Actions: The WG will flesh out its goals and share them with the Board to get buy-in. Kent to send out previous slides and notes to the Board.
  Decisions: None

Automation
  Status: MITRE updated the Board on the Git pilot. There was a concern about the maximum size of the Git repository. The MITRE admins responsible for the Git server confirmed there is no maximum limit.
  Discussion: The Board discussed how to evaluate the outcome of the pilot, and the need for acceptance criteria. It was noted that Kurt was going to do that work for the Git pilot and the test ID work; need to check with him.
  Action: MITRE to follow up with Kurt.
  Decisions: None

Issue: Using JSON format going forward – on the CNA Rules call there was general agreement to transition to JSON as the only format for data exchange.
  Discussion: There was discussion on the impact to downstream consumers of a transition to a JSON-only format, and on the impact to the timeliness of getting information. MITRE stated that the Git repository is synched with the master CVE List at the top of every hour; any delay relative to current updates would be minutes.
  Action: There needs to be additional conversation on the timeframe for the transition.
  Decisions: None

CNA Updates
  Status: Pending set of commits Kurt is sending. Around 100 IDs that should be added soon.
  MITRE CNA side Status: MITRE reported they are continuing to bring in some new candidate CNAs. There are approximately 10 waiting to come on board. Most recently, ZTE was added; they manufacture cameras/IoT devices in China. It was noted that documentation still needs to be developed around being a Trusted CNA or a Root.
  Discussion: There was discussion around the training materials available to new CNAs, and what level of training is currently being given to new CNAs. MITRE reported that training is based on the needs of the new CNAs, and is always available by request. MITRE is also planning to create some training videos. In addition, the first few assignments by a new CNA are submitted to the MITRE content team, which provides feedback to the CNA. There was a question of when the training deck will be available to the public. MITRE responded that there is currently no timeline. The Board suggested they can help review the materials.
  Action: Set timelines/milestones and add milestones and status for CVE training materials to the Board's agenda.
  Discussion: There was discussion around adding a new Root CNA in Europe and the difficulties they may face. There was also discussion about how to determine whether a CNA should become a Root, and the consequences if a Root is not performing.
  Action: Discussion of future requirements for being a Root and governance of Root CNAs should be addressed by the Strategic Working Group. MITRE should present the current state and discuss what is working and where the challenges are.
  Decisions: None

RSS Feed Update
  Status: MITRE reported there are two feeds, one for new CVEs and a second for CVE modifications. Modifications include any change in the status of a CVE entry. The aim is to report what has changed, with the old value and the new value. MITRE is struggling with how far back to go.
  Action: MITRE to send out the link after the call in a private Board message. Board members can provide feedback by email.
  Decisions: None

Review of CVE Quarterly Program Review
  Status: MITRE reviewed the quarterly progress slides.
  Discussion: There was discussion on how to incentivize CNAs to do better instead of thinking punitively about under-performance.
  Action: Strategic Working Group to discuss the identification of publicly disclosed vulnerabilities that do not have a CVE ID or are not reported to MITRE. This includes getting a better idea of the sources and methods, and where the disconnect is for the public not reporting vulnerabilities to CVE.
  Action: MITRE to include the Board on some communication/outreach conversations.
  Suggestions on slide deck:
    Slide 1 – Remove years prior to 2014 on CVE IDs Reserved YTD. Identifying by CNA would be helpful.
    Slide 12 – Update the disclaimer to: Web scraping used, list may not be complete.
    Slide 13 – The top 10 largest delayers would be more helpful, or how many CVEs are issued in a month, as a function of volume.
    Slide 14 – Show a curve of the number of CVEs published by each CNA in the list.
    Slide 15 – Suggest using the top 10 percent and bottom 10 percent. Need to work on the graphics, which are hard to read. Limit the graph by volume.
    Slide 16 – Area for discussion by the Strategic Working Group: how selection for Roots is done.
    Slide 17 – Need discussion around the governance aspect of adding CNAs quickly. What is the cost of doing business with new CNAs, and what is the impact on the data we are providing? If someone is a bad "citizen" it will drop some numbers in other areas of concern. Discussion on outreach to new domains and sectors: need to determine where we want to go, and scale outreach accordingly. Concern that adding too many CNAs too quickly puts too much on MITRE to coordinate.
    Slide 21 – Would benefit from showing unused by CNA; have this graph follow the other one.

Action items (repeated from above):

Significant decisions or policy changes:
Attachment:
CVE Board Meeting 12 July 2017[1].docx