CVE Board Meeting 6 September 2017

Board Members in attendance:
Taki Uchiyama (JPCERT/CC)
David Waltermire (NIST)
Kent Landfield (McAfee)
William Cox (BlackDuck)
Art Manion (CERT-CC)
Andy Balinsky (Cisco)
Scott Lawyer (LP3)
Kurt Seifried (Red Hat)

Members of MITRE CVE in attendance:
Dan Adinolfi
George Theall
Chris Coffin
Jonathan Evans
Anthony Singleton

Agenda
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:25: Working Groups
    Strategic Planning – Kent Landfield/Chris Coffin (Issues, Actions, Board Decisions)
    Automation – Kurt Seifried/George Theall/Chris Coffin (Issues, Actions, Board Decisions)
2:25 – 2:50: CNA Update
    DWF – Kurt Seifried (Issues, Actions, Board Decisions)
    General – Dan Adinolfi (Issues, Actions, Board Decisions)
2:50 – 3:00: URL Update Status – George Theall/Chris Coffin
3:00 – 3:30: Service Vulnerabilities – Andy Balinsky
3:30 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from last meeting

PREVIOUS ACTION ITEM: The Automation Working Group will review different approaches for git pilot submissions for Roots and sub-roots.
STATUS: No updates at the moment. Meeting scheduled for 9/7. Will notify the board of the outcome by late next week.

PREVIOUS ACTION ITEM: MITRE to send documentation and operational priorities to the Board list for discussion.
STATUS: Working on edits and will post to the board soon.

PREVIOUS ACTION ITEM: Kurt will send an email to the Board to start a discussion around paying customers and CVE assignments.
STATUS: Kurt is waiting for his contact to reach back to him with more information.
Agenda Items

Working Groups

Strategic Planning
Status: No updates.
Issues: None.
Actions: Group is still working to put information together.
Board Decisions: Waltermire will respond to Millar's board email post to facilitate conversation on the topic of strategic objectives for CVE.

Automation
Status: Working on the next phase of the pilot program.
Discussion: Some JSON data fields have been implemented with limits (see https://github.com/CVEProject/automation-working-group/pull/44). Updated the CVE_JSON_4.0_min.schema to limit the length of a description (3999), the length of a given reference (500), and the number of references (500). No comments received from the community on the current data field size changes.
Issues:
Action:
Board Decisions:
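As an added illustration of the field limits discussed above (this is not code from the working group or the CVE project), a small Python checker that enforces the three limits on a CVE JSON 4.0-shaped entry; the description_data / reference_data nesting follows the CVE JSON 4.0 layout, and the ID, assigner and URLs in the sample entry are constructed placeholders.

```python
import json

# Limits from the CVE_JSON_4.0_min.schema change discussed above: in JSON Schema
# terms, maxLength on the description value and reference URL, maxItems on the
# reference list.
MAX_DESCRIPTION_LEN = 3999
MAX_REFERENCE_URL_LEN = 500
MAX_REFERENCE_COUNT = 500


def check_limits(entry):
    """Return a list of limit violations for a CVE JSON 4.0 entry (empty if OK)."""
    problems = []
    descs = entry.get("description", {}).get("description_data", [])
    for i, d in enumerate(descs):
        if len(d.get("value", "")) > MAX_DESCRIPTION_LEN:
            problems.append(f"description_data[{i}].value exceeds {MAX_DESCRIPTION_LEN} chars")
    refs = entry.get("references", {}).get("reference_data", [])
    if len(refs) > MAX_REFERENCE_COUNT:
        problems.append(f"reference_data has {len(refs)} items, limit {MAX_REFERENCE_COUNT}")
    for i, r in enumerate(refs):
        if len(r.get("url", "")) > MAX_REFERENCE_URL_LEN:
            problems.append(f"reference_data[{i}].url exceeds {MAX_REFERENCE_URL_LEN} chars")
    return problems


def make_entry(description, urls):
    """Build a constructed CVE JSON 4.0-shaped entry for testing (placeholder values)."""
    return {
        "CVE_data_meta": {"ID": "CVE-YYYY-NNNN", "ASSIGNER": "cna@example.invalid"},
        "description": {"description_data": [{"lang": "eng", "value": description}]},
        "references": {"reference_data": [{"url": u, "name": u, "refsource": "MISC"} for u in urls]},
    }


if __name__ == "__main__":
    ok = make_entry("Sample issue text.", ["https://example.invalid/advisory"])
    print(json.dumps(check_limits(ok)))  # []
    # Description one character over the limit and an over-long reference URL.
    bad = make_entry("x" * 4000, ["https://example.invalid/" + "a" * 500])
    print(json.dumps(check_limits(bad), indent=1))
```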
CNA Update

CNA DWF
Status: None.
Discussion: None.
Issues: Issue with reference material in embargo assignments and public entries from DWF.
Action: Kurt is still cleaning data for his workflow.
Board Decisions: Kurt will email Chris Coffin and George Theall to further discuss the workflow for DWF assignment and publication.

CNA MITRE
Status: CNA rules revisions continue. Currently in week 5.
Issues: Need to figure out a better solution to track the progress/completion of any given issue or effort.
Actions: MITRE intends to add content to the CVE website regarding how to submit requests via the web form.
Board Decisions: Please include a link to the resolved webpage in the issue tracker entry that was closed.

URL Update Status
Status:
MITRE has gone through 30k URLs for X-Force references; these URLs are broken and IBM is not willing to change them.
Discussion: Can the remaining references to be repaired be done in one swoop, or should batches continue to be used?
Issues:
Action: 20k in total remain to be repaired.
Board Decisions: Waltermire will consult with the NVD team regarding whether a limit on the number of changes is still needed and relay the answer to MITRE.

Service Vulnerabilities
Status: Andy proposes that CVEs be assigned to vulnerabilities that reside in services.
Discussion: Board discusses ideas and counter-ideas.
Issues: What is the value of assigning IDs to these issues?
Actions: The Board email list contains the discussion in more detail.
Board Decisions: Andy will provide to the board the escalation process and format of the advisories in relation to vulnerabilities in services.
Open discussion
Discussion: Workflow of changing CVE Reject status / Reservation status.
Issue: When there is a provenance issue, MITRE historically notes in the entry a reason describing the issue.
Action: Kurt asks the board to consider a variation of the publishing guidelines for CVE IDs that are under embargo.
Board Decisions:
Summary of Action Items
Significant Decisions, Policy Changes, or Events
Attachment:
CVE Board Meeting 06 September 2017.docx