
CVE Board Meeting Summary - 23 August 2017




 

Board Members in attendance:

David Waltermire (NIST)

Kent Landfield (McAfee)

Kurt Seifried (Red Hat)

Pascal Meunier (Purdue)

William Cox (Black Duck)

 

Members of MITRE CVE in attendance:

Anthony Singleton

Alex Tweed

Dan Adinolfi

George Theall

Jonathan Evans

Joe Sain

Lynne Miller

 

Agenda

 

Introductions, action items from the last meeting – Joe Sain

Working Groups

  • Strategic Planning – Kent Landfield/Dan Adinolfi
    • Issues
    • Actions
    • Board Decisions
  • Automation – Kurt Seifried/George Theall
    • Issues
    • Actions
    • Board Decisions

CNA Update

  • DWF – Kurt Seifried
    • Issues
    • Actions
    • Board Decisions
  • All CNAs – Dan Adinolfi
    • Issues
    • Actions
    • Board Decisions

Open Discussion – CVE Board

Action Items, Wrap-Up – Joe Sain

 

Review of Action Items from last meeting:

Previous Action Item: AWG/MITRE will send a write up to board asking for extension for Git Pilot.

Status:  Completed. 

Issue: Are git submissions limited to Root CNAs, or do subs also have access?

Action:  The Automation Working Group will review different approaches for git pilot submissions for Roots and sub roots

 

Previous Action Item: MITRE will submit GitHub tracker issue that talks about character limits in JSON submissions.

Status: Completed.  MITRE proposed initial limits on the description and references to start discussion. Have not heard of any issues with proposed limits.  Entries needing specific formatting may be supported in future with expanded description field.

 

Previous Action Item: MITRE will send mail discussing the operational status of adding assigner field to corpus.

Status:  MITRE sent note to Board earlier this month that started this discussion. 

 

Previous Action Item: AWG will work on proposal for the next phase of the project.

Status:  Still in progress.

Previous Action Item: Strategic working group will put together a to-do list for prioritizing Mailing list discussions.

Status:  Replaced with new action.

Issue:  This action item should be assigned to MITRE, not SWG.

Action: MITRE to send documentation and operational priorities to Board list for discussion. 

 

Strategic Planning Working Group

Status: Strategic Working Group met and discussed areas for focus, especially need for Root CNA guidance, how to implement federated hierarchy, and need to address Root and sub Root properly in CNA rules. 

Issues: None

Actions: None

Decisions: None

 

Automation Working Group

Status: MITRE presented stats from first phase of git pilot. Data will be sent to Board later this week.  Goals and scope of the next phase of pilot are currently being developed by MITRE.

Discussion: Discussion of making repository public on GitHub and the issues around potential for release of private information. It was suggested that the GitHub repository begin as private to ensure that information that is not currently in the public domain is not exposed on the repository. Private GitHub repositories must be paid for on a per-user basis, and can get expensive quickly; it may be difficult to justify this expenditure.

Issues: None

Action: None

Decisions: None

 

CNA updates

DWF Status – Working through backlog

Issue:  Need to discuss potential CNAs that would assign CVEs and provide vulnerability information to paying customers before vulnerability is made public.

Action: Kurt will send email to Board to start discussion around paying customers and CVE assignments.

Decisions: None

 

MITRE Status

Status: Airbus, Kaspersky, and QNAP have been added as CNAs. 

Tom Millar requested some edits to an existing working document to make it appropriate for a wider audience. We are working with Tom Millar on editing and adding content.  The document will be shared with the SWG and Board list.  This documentation is to provide guidance to national-level CSIRTs.

Work continues on review of CNA rules.  Issues we are working through and the schedule are all on GitHub. 

MITRE is working on outlines of CVE and CNA training modules.  When these outlines are ready, MITRE will work with Board to further refine them.

Issues: None

Action: None

Decisions: None


 

Summary

Action items (repeated from above):

  • The Automation Working Group will review different approaches for git pilot submissions for Roots and sub roots
  • MITRE to send documentation and operational priorities to Board list for discussion. 
  • Kurt will send email to Board to start discussion around paying customers and CVE assignments.

Significant decisions or policy changes:

  • None

 

 

Attachment: CVE_Board_Meeting_Summary_08282017.pdf


Page Last Updated or Reviewed: September 06, 2017