CVE Board Meeting Summary – 23 August 2017

Board Members in attendance:
David Waltermire (NIST)
Kent Landfield (McAfee)
Kurt Seifried (Red Hat)
Pascal Meunier (Purdue)
William Cox (Black Duck)

Members of MITRE CVE in attendance:
Anthony Singleton
Alex Tweed
Dan Adinolfi
George Theall
Jonathan Evans
Joe Sain
Lynne Miller

Agenda
Introductions, action items from the last meeting – Joe Sain
Working Groups
CNA Update
Open Discussion
CVE Board Action Items, Wrap-Up – Joe Sain

Review of Action Items from last meeting:

Previous Action Item: AWG/MITRE will send a write-up to the Board asking for an extension of the Git pilot.
Status: Completed.
Issue: Are Git submissions limited to Root CNAs, or do sub-CNAs also have access?
Action: The Automation Working Group will review different approaches for Git pilot submissions for Roots and sub-Roots.

Previous Action Item: MITRE will submit a GitHub tracker issue that talks about character limits in JSON submissions.
Status: Completed. MITRE proposed initial limits on the description and references to start discussion. Have not heard of any issues with the proposed limits. Entries needing specific formatting may be supported in future with an expanded description field.

Previous Action Item: MITRE will send mail discussing the operational status of adding the assigner field to the corpus.
Status: MITRE sent a note to the Board earlier this month that started this discussion.

Previous Action Item: AWG will work on a proposal for the next phase of the project.
Status: Still in progress.

Previous Action Item: Strategic Working Group will put together a to-do list for prioritizing mailing list discussions.
Status: Replaced with new action.
Issue: This action item should be assigned to MITRE, not SWG.
Action: MITRE to send documentation and operational priorities to the Board list for discussion.
Strategic Planning Working Group
Status: The Strategic Working Group met and discussed areas for focus, especially the need for Root CNA guidance, how to implement the federated hierarchy, and the need to address Root and sub-Root CNAs properly in the CNA rules.
Issues: None
Actions: None
Decisions: None

Automation Working Group
Status: MITRE presented stats from the first phase of the Git pilot. Data will be sent to the Board later this week. Goals and scope of the next phase of the pilot are currently being developed by MITRE.
Discussion: Discussion of making the repository public on GitHub and the issues around the potential for release of private information. It was suggested that the GitHub repository begin as private to ensure that information that is not currently in the public domain is not exposed on the repository. Private GitHub repositories must be paid for on a per-user basis and can get expensive quickly; it may be difficult to justify this expenditure.
Issues: None
Action: None
Decisions: None
CNA Updates

DWF
Status: Working through backlog.
Issue: Need to discuss potential CNAs that would assign CVEs and provide vulnerability information to paying customers before the vulnerability is made public.
Action: Kurt will send email to the Board to start discussion around paying customers and CVE assignments.
Decisions: None

MITRE
Status:
Airbus, Kaspersky, and QNAP have been added as CNAs.
Tom Millar requested some edits to an existing working document to make it appropriate for a wider audience. We are working with Tom Millar on editing and adding content. The document will be shared with the SWG and the Board list. This documentation is to provide guidance to national-level CSIRTs.
Work continues on the review of the CNA rules. The issues we are working through and the schedule are all on GitHub.
MITRE is working on outlines of CVE and CNA training modules. When these outlines are ready, MITRE will work with the Board to further refine them.
Issues: None
Action: None
Decisions: None

Summary

Action items (repeated from above):
The Automation Working Group will review different approaches for Git pilot submissions for Roots and sub-Roots.
MITRE to send documentation and operational priorities to the Board list for discussion.
Kurt will send email to the Board to start discussion around paying customers and CVE assignments.

Significant decisions or policy changes:
Attachment:
CVE_Board_Meeting_Summary_08282017.pdf