CVE Board Meeting
25 July 2018

Board Members in Attendance
Andy Balinski (Cisco)
William Cox (Black Duck Software)
Beverly Finch (Lenovo)
Scott Lawler (LP3)
Art Manion (CERT-CC)
Scott Moore (IBM)
Kurt Seifried (RedHat)
Taki Uchiyama (Panasonic)

Members of MITRE CVE Team in Attendance
Chris Coffin
Christine Deal
Jonathan Evans

Other Attendees
Chris Johnson (NIST)

Agenda
2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin
2:15 – 2:30: Working Groups
· Strategic Planning – Kent Landfield
· Automation – Chris Johnson, Dave Waltermire
2:30 – 2:45: CNA Update
· DWF – Kurt Seifried
· MITRE – Jonathan Evans
· JPCERT – Taki Uchiyama
2:45 – 3:15: 2018 Q2 Quarterly Program Review and CNA Report Card – Chris Coffin
3:15 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting
Agenda Items

Board Working Groups

Strategic Planning Working Group (Chris Coffin / Kent Landfield)
ISSUES:
Talked about the current state of the Services documents, which are mostly complete. Waiting on final feedback and review from SPWG members and the chair.
ACTIONS:
N/A
BOARD DECISIONS:
N/A
Automation Working Group (Chris Johnson / Dave Waltermire)
ISSUES:
Met on Monday and discussed several topics, including the use of two-letter vs. three-letter ISO language codes for CVE entries and the need to agree on which code is preferable. Some scenarios were introduced on emergent issues, including the publishing of CVEs and the possible workflows that would follow from such a capability. Also discussed the NVD CPE assignment process: how it happens and what data is used to craft the CPEs (container data or vendor sources); the group will look into the process. The group also talked about getting together to plan for the phase 3 pilot; some activities that were supposed to happen have not yet happened, and the question is whether those need to be addressed under a follow-on phase. A quick status on the CONOPS for Services coming out of the SPWG was given. Kurt Seifried provided an update on the activities he undertook to get the CVE User Registry project off the ground. Scott Moore indicated he was unable to join via Skype, so Chris Coffin will look into that before the next meeting.

Kurt stated that there are rules about how we ingest data (the CVE guidelines); on the language issue, when he looked at the ISO standard he picked the newer 3-digit one because it supports more languages. But do we have rules for how others publish data? Within the CVE ecosystem there are a lot of people who consume the data and re-publish it. He wants to confirm that there are no rules/guidelines on how people publish the data (e.g., changing the date format). Chris Coffin said he is not aware of any formal guidelines as long as they are following the Terms of Use. Kurt wants to know if we need to state somewhere that the originally formatted canonical source of the CVE master list is on the MITRE CVE web site, but that the data may be slightly altered if viewed from a different source.
BOARD DECISIONS:
N/A

CNA Updates

DWF (Kurt Seifried)
STATUS:
Working on minting some new CNAs; one of them identified some problems he had to fix. Trying to streamline the process a bit.
ISSUES/DISCUSSION:
N/A
ACTIONS:
N/A

MITRE (CVE Team)
STATUS:
Had a few people request to become CNAs.
DISCUSSION:
N/A
ACTIONS:
None

JPCERT
STATUS:
Nothing to report.

2018 Q2 Quarterly Program Review and CNA Report Card (Chris Coffin)
DISCUSSION:
Discussed the general topics and covered some of the highlights of the data from the 2nd quarter of 2018. There was a 40% reduction in the number of Reserved but Public (RBP) CVE IDs. The average time to populate rose a bit in the past quarter, but this was due to multiple CNAs populating CVE entries from their backlogs.
ACTION:
Board to review at their leisure and provide comments.

Open Discussion

Regarding publicly disclosed but unpopulated CVE IDs:
How do we incentivize CNAs to handle their backlog? We have guidance for a 24-hour rule for getting the information to MITRE once a CVE ID is published. The next time they ask for IDs, perhaps we could request that they first give us information on their backlog. Instead of giving them another set of IDs, we ask them to provide a number of items from their backlog, and then we give them that same number of new CVE IDs (i.e., a one-for-one trade). Kurt feels that would elicit a very negative reaction from some CNAs, but it may be what is needed to fix the problem.

Asked Kurt to take a look at the CVE User Registry Charter:
As the chair of the first Automation WG project, Kurt will review the charter to see if it meets his needs. Kurt edited the file on the Automation WG from "CVE Registry" to "CVE User Registry"; that file makes sense in general. He will update the documentation to reference that. Does MITRE support setting up a public discussion list for the CVE User Registry? Yes, that seems reasonable.
Summary of Action Items
Significant Decisions: