
CVE Board Meeting Minutes, 18 October 2017



CVE Board Meeting 18 October 2017

 

Board Members in attendance:

William Cox (Black Duck)

Scott Lawyer (LP3)

Kent Landfield (McAfee)

Andy Balinsky (Cisco)

Kurt Seifried (Red Hat/DWF)

Taki Uchiyama (JPCERT)

Pascal Meunier (Purdue University)

Ken Williams (CA Technologies)

Art Manion (CERT-CC)

Members of MITRE CVE in attendance:

Dan Adinolfi

George Theall

Chris Coffin

Jonathan Evans

Joe Sain

Anthony Singleton

Alex Tweed

Agenda

 

2:00 – 2:15 - Introductions, action items from the last meeting – Chris Coffin

 

2:15 – 2:30 - Working Groups

 

            Strategic Planning – Kent Landfield

                        Issues

                        Actions

                        Board Decisions

 

            Automation – George Theall

                        Issues

                        Actions

                        Board Decisions

 

2:30 – 2:45 - CNA Update

 

            DWF – Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

 

            General – Dan Adinolfi

                        Issues

                        Actions

                        Board Decisions

 

2:45 – 3:15 – Q3 Report Card presentation (Chris Coffin, Dan Adinolfi)

 

3:15 – 3:20 – How should links with defunct domains be handled? (George Theall)

 

3:20 – 3:30 – CVEs for Services (Andy Balinsky)

 

3:30 – 3:40 - Disposition of Board members who have not responded regarding their continuing participation – (Chris Coffin)

 

Action items, wrap-up – Chris Coffin

 

Review of Action Items from last meeting

PREVIOUS ACTION ITEM: Kurt Seifried will put together a container item. Will set up a meeting on adding CVE tags (categories) (med_device, IT, automotive, etc.) to CVE JSON fields.

STATUS:  Kurt sent email 10/18/17 1:58 pm to board list.

PREVIOUS ACTION ITEM: Andy Balinsky will send email to the list for review of the CVEs for services document

STATUS: Completed

PREVIOUS ACTION ITEM:  Agenda item in next call for discussion with Andy on CVEs for services

STATUS: Completed

PREVIOUS ACTION ITEM: MITRE will add prior action items to the meeting agenda email moving forward.

STATUS: Completed

PREVIOUS ACTION ITEM: Automation WG to add action item for ci/travis integration in future git pilot phase.  Dave will email the Automation WG list with ideas for this.

STATUS: Discussed ci/travis integration in the 10/16 Automation WG meeting and work is moving forward. MITRE will communicate with Dave about his ideas for the next phase of the pilot.

PREVIOUS ACTION ITEM: MITRE to find a place for collaborative document sharing; possibly Handshake, creating a presentation on this.

STATUS:  Going through transition internally and will create test cases to use with the board.

PREVIOUS ACTION ITEM: MITRE to send email to Board regarding status of Board members.

STATUS: Completed

PREVIOUS ACTION ITEM: Research tools for JSON development—query the CNAs for suggestions that would be helpful to them. What would the CNAs like to see as far as JSON tools? MITRE will email the CNA list for thoughts and plant the seed for a future CNA Summit discussion.

STATUS: Completed. Have received some feedback from community.

PREVIOUS ACTION ITEM: MITRE will make sure that the CVE submission requirements discussion continues on the Board list.

STATUS: Discussed internally and will move to the list soon.

 

 

Agenda Items:

Working Groups

 

Strategic Planning

 

Status: Discussed roles of Root and what Root means.

Issues:

Actions: Kent was going to send out a draft document that captures all of the recent discussions on strategy. This was an action item from the 10/16 Strategic Planning WG meeting.

Board Decisions:

 

Automation

 

Status: Led off with the "affects" containers in the JSON schema.

Discussion:  Public CVE GitHub repository was launched on 10/16 and begins Phase 2 of the Git pilot.

Issues:   None

Action: Continue to work with CNAs during Phase 2.

Board Decisions: None

 

CNA Update

CNA DWF

Status: None

Discussion:  None

Issues: None

Action:  None

Board Decisions: None

 

CNA MITRE

 

Status: Sent out CNA Rules updates. Added NetApp as new CNA.

Issues: None

Actions: Web site now lists new CNA Rules (v2.0). The rules are available but are properly noted as not taking effect until Jan 1, 2018.

Board Decisions: None

 

Q3 Report Card presentation

 

Status: Presented the 2017 Q3 CVE Quarterly Program Review and CNA Report. Asked for feedback/comments on Presentation.

Issues: None

Actions: A few minor suggestions by Board will be included in future reports.

Board Decisions: None

Note: Presentation has been recorded and slide deck has been shared with the board private list.

Discussion: Add GitHub statistics. How can the Board aid in recruiting vendors from other domains?

 

How should links with defunct domains be handled?

 

Status: Kurt believes we should keep the URLs and follow a process like Wikipedia's use of archive.org.

Issues: The URLs can be reused and pointed at explicit material that is not CVE-related.

Actions: A Board email thread will be used to continue the discussion.

Board Decisions: None

 

CVEs for Services

 

Status: Andy Balinsky presented his report on cases on CVEs for Services.

Issues: How does the CVE program handle situations where the root cause is not entirely clear, or where there are many root causes rather than a single one?

Actions: The Board should consider what kind of process to follow for this type of domain: claims-based or policy-based.

Board Decisions: Moving the conversation back to the thread to decide whether Cisco should lead the pilot for CVEs for Services. Reach out to HackerOne to gauge their interest in CVEs for Services.

Note: Document used for presentation can be found at https://github.com/CVEProject/Board-Discussions/blob/master/CVE_IDs_for_Services.md

 

Disposition of Board members who have not responded regarding their continuing participation

 

Status: Some Board members have not replied to the annual poll for participation on the CVE Board. These members have until the end of the month to reply or else they will be removed.

Issues:

Actions:

Board Decisions: Board will try to contact missing members if they have additional contact information.

 

 

Summary of Action Items

 

  • Continue discussing defunct domain issue for references using a Board email thread.
  • Category/tag discussion with Kurt – Board to review and provide thoughts via a Board email thread.
  • Send email to HackerOne to gauge their interest in issuing CVE IDs for Services.
  • MITRE will continue to work putting together ideas and thoughts for collaborative document sharing.

 

 

Significant Decisions, Policy Changes, or Events

 

  • None

 

Attachment: CVE Board Meeting Minutes 18 October 2017.docx
Description: CVE Board Meeting Minutes 18 October 2017.docx

Attachment: Q3 2017-10172017_r2.pptx
Description: Q3 2017-10172017_r2.pptx


Page Last Updated or Reviewed: October 31, 2017