CVE Board Meeting
18 October 2017

Board Members in attendance:
William Cox (Black Duck)
Scott Lawyer (LP3)
Kent Landfield (McAfee)
Andy Balinsky (Cisco)
Kurt Seifried (Red Hat/DWF)
Taki Uchiyama (JPCERT)
Pascal Meunier (Purdue University)
Ken Williams (CA Technologies)
Art Manion (CERT-CC)

Members of MITRE CVE in attendance:
Dan Adinolfi
George Theall
Chris Coffin
Jonathan Evans
Joe Sain
Anthony Singleton
Alex Tweed

Agenda
2:00 – 2:15 - Introductions, action items from the last meeting – Chris Coffin
2:15 – 2:30 - Working Groups
    Strategic Planning – Kent Landfield (Issues, Actions, Board Decisions)
    Automation – George Theall (Issues, Actions, Board Decisions)
2:30 – 2:45 - CNA Update
    DWF – Kurt Seifried (Issues, Actions, Board Decisions)
    General – Dan Adinolfi (Issues, Actions, Board Decisions)
2:45 – 3:15 – Q3 Report Card presentation (Chris Coffin, Dan Adinolfi)
3:15 – 3:20 – How should links with defunct domains be handled? (George Theall)
3:20 – 3:30 – CVEs for Services (Andy Balinsky)
3:30 – 3:40 - Disposition of Board members who have not responded regarding their continuing participation (Chris Coffin)
Action items, wrap-up – Chris Coffin

Review of Action Items from last meeting

PREVIOUS ACTION ITEM: Kurt Seifried will put together a container item. Will set up a meeting on adding CVE tags (categories) (med_device, IT automotive, etc.) to CVE JSON fields.
STATUS: Kurt sent email 10/18/17 1:58 pm to the Board list.

PREVIOUS ACTION ITEM: Andy Balinsky will send email to the list for review of the CVEs for Services document.
STATUS: Completed.

PREVIOUS ACTION ITEM: Agenda item in the next call for discussion with Andy on CVEs for Services.
STATUS: Completed.

PREVIOUS ACTION ITEM: MITRE will add prior action items to the meeting agenda email moving forward.
STATUS: Completed.

PREVIOUS ACTION ITEM: Automation WG to add an action item for CI/Travis integration in a future Git pilot phase. Dave will email the Automation WG list with ideas for this.
STATUS: Discussed CI/Travis integration in the 10/16 Automation WG meeting and work is moving forward. MITRE will communicate with Dave about his ideas for the next phase of the pilot.

PREVIOUS ACTION ITEM: MITRE to find a place for collaborative document sharing, possibly Handshake, and create a presentation on this.
STATUS: Going through a transition internally; will create test cases to use with the Board.

PREVIOUS ACTION ITEM: MITRE to send email to the Board regarding the status of Board members.
STATUS: Completed.

PREVIOUS ACTION ITEM: Research tools for JSON development; query the CNAs for suggestions that would be helpful to them. What would the CNAs like to see as far as JSON tools? MITRE will email the CNA list for thoughts and plant the seed for a future CNA Summit discussion.
STATUS: Completed. Have received some feedback from the community.

PREVIOUS ACTION ITEM: MITRE will make sure that the CVE submission requirements discussion continues on the Board list.
STATUS: Discussed internally and will move to the list soon.
Agenda Items

Working Groups

Strategic Planning
Status: Discussed the roles of a Root and what "Root" means.
Issues:
Actions: Kent was going to send out a draft document that captures all of the recent discussions on strategy. This was an action item from the 10/16 Strategic Planning WG meeting.
Board Decisions:

Automation
Status: Lead off with "affects" containers in the JSON schema.
Discussion: The public CVE GitHub repository was launched on 10/16, beginning Phase 2 of the Git pilot.
Issues: None
Actions: Continue to work with CNAs during Phase 2.
Board Decisions: None

CNA Update

CNA DWF
Status: None
Discussion: None
Issues: None
Actions: None
Board Decisions: None

CNA MITRE
Status: Sent out CNA Rules updates. Added NetApp as a new CNA.
Issues: None
Actions: The web site now lists the new CNA Rules (v2.0). The rules are available but are properly noted as not taking effect until Jan 1, 2018.
Board Decisions: None

Q3 Report Card presentation
Status: Presented the 2017 Q3 CVE Quarterly Program Review and CNA Report. Asked for feedback/comments on the presentation.
Issues: None
Actions: A few minor suggestions by the Board will be included in future reports.
Board Decisions: None
Note: The presentation has been recorded and the slide deck has been shared with the Board private list.
Discussion: Add GitHub statistics. How can the Board aid in recruiting vendors from other domains?
How should links with defunct domains be handled?
Status: Kurt believes we should keep the URLs and follow a process like the one Wikipedia uses with archive.org.
Issues: The URLs can be reused and pointed to explicit material that is not CVE related.
Actions: A Board email thread will be used to continue the discussion.
Board Decisions: None
CVEs for Services
Status: Andy Balinsky presented his report on cases for CVEs for Services.
Issues: How does the CVE program handle situations where the root cause is not entirely clear, where there are many root causes, or where there is one single root cause?
Actions: The Board should consider what kind of process to follow for this type of domain: claim-based or policy-based.
Board Decisions: Moving the conversation back to the thread to decide whether Cisco will head the pilot for CVEs for Services. Reach out to HackerOne to gauge their interest in CVEs for Services.
Note: The document used for the presentation can be found at
https://github.com/CVEProject/Board-Discussions/blob/master/CVE_IDs_for_Services.md
Disposition of Board members who have not responded regarding their continuing participation
Status: Some Board members have not replied to the annual poll for participation on the CVE Board. These members have until the end of the month to reply or else they will be removed.
Issues:
Actions:
Board Decisions: The Board will try to contact missing members if they have additional contact information.
Summary of Action Items
Significant Decisions, Policy Changes, or Events
Attachments:
CVE Board Meeting Minutes 18 October 2017.docx
Q3 2017-10172017_r2.pptx