Editorial Board Teleconference January 8, 2013





Andy Balinsky, Cisco

Kent Landfield, McAfee

Harold Booth, NIST

Adam Shostack, Microsoft

Art Manion, CERT/CC

Ken Williams, CA


FIRST Kyoto Summit


    The GVR summit discussion, hosted by JPCERT-CC / IPA, was one of two tracks going on at the

FIRST Technical Colloquium, held on November 13 - 15.  There were over a hundred people at

the colloquium, and the GVR summit received good attendance.  Harold Booth, Kent Landfield,

and Steve Christey were in attendance.


Some of the presentations and discussion are restricted to FIRST only.


Main takeaways

* Participation in the GVR discussion is worthwhile.

* The international discussion is just getting started.

* There was not a big focus on CVE as the solution.

* There are wide variations in development among regions.

* Disclosure practices definitely vary across markets.

* Language barriers could be a challenge.

* Regional vulnerabilities can have global implications.

* A new FIRST SIG will continue the work.


Day 1


    Day 1 reviewed the history and current state of vulnerability reporting.  Several of the

board members gave talks this day.  Harold Booth started off the day by giving an overview

of the current reporting landscape and how NVD handles vulnerability reporting.


    Kent Landfield gave a vendor's view of the current state of vulnerability reporting.  Kent

emphasized that without a way of referencing a vulnerability that everyone can understand,

vendors have great difficulty identifying and integrating vulnerabilities into their

products.   Many regions do not have an identification system, or where they do, it is usually immature. 

Vendors have been focused on CVE, which primarily focuses on the English speaking world. 

Vendors cannot aid in verification and correlation of reports when they do not know about the

vulnerability in the first place.


    Steve Christey's talk went over CVE's history and the lessons learned from running the

project.  Steve emphasized that CVE is not the solution to the GVR discussion but its

experience in the field could help avoid some of the pitfalls CVE identified.  Steve discussed the

evolution of the content decisions and the difficulties that caused the changes.  Steve

explained how CVE's content decisions reflect its mission as coordinator.  The decisions cause

CVEs to be written in a way that is somewhere between advisories and specific bugs, not perfect

for any particular group but good enough for most.


Day 2


    Day 2 was taken up by the Japanese (IPA, JPCERT/CC), Koreans (KrCERT/CC, KISA), and Thais

(ThaiCERT), who discussed their vulnerability handling and reporting practices. Each

demonstrated how vulnerability reporting practices vary from region to region.  The two

presentations gave a detailed description of JPCERT's CVE adoption process and their current

vulnerability ID practices.  JPCERT issues several identifiers for the vulnerabilities they



    Most of the presentation by Soranun Jiwasurat (ThaiCERT) is restricted to FIRST members, but

it did prompt the creation of CVE-2012-6498, which demonstrates how a local vulnerability can

have global impact.  CVE-2012-6498 is for an unrestricted file upload in Atomymaxsite, a

Thai-based CMS.  A demonstration of an exploit in Arabic was uploaded to YouTube and became

actively exploited.  This prompted the ThaiCERT to create an advisory



    HongSoon Jung (KrCERT/CC, KISA) discussed the Korean reporting environment in his

presentation, which is also restricted.  Three different Korean government organizations were

listed as handling vulnerability information: KISA under the Korea Communications Commission

for the private sector, National Intelligence Service (National Cyber Security Center) for the

public sector, and Ministry of National Defense (National Cyber Command & Control Center) for

the military.  A Korean law, Article 47-4, requires vendors to notify users twice within one

month.  Publication to a web site is sufficient notification.  KrCERT/CC deals privately with

vendors but does not publish vulnerabilities to their website.  KISA provides advisories for

major international products but does not publish technical details.  KISA (KrCERT/CC) has an

easy vulnerability reporting process.  They confirm the issue and coordinate with the vendor.

In October 2012 they implemented a reward program that seems to be having some success.


Day 3


    The third day focused on framing the problem of global vulnerability reporting, discussing

best practices, and possible solutions.  These discussions had less participation than

desired.  Several reasons for this were suggested, such as the language barrier or the participants being

too new to the problem.  It was suggested that greater participation may be found through email

as the members will have time to process and compose responses.  We will need to be mindful of

such issues for subsequent events.


    Two items came out of Day 3: a GVR Sharing mind-map and a plan to create the Vulnerability

Reporting and Data eXchange (VRDX) FIRST Special Interest Group (SIG).  The mind-map

captures many of the common concepts and discussion points around the GVR discussion.  Kent

Landfield sent the mind-map to the Board on January 18, 2013.  The SIG will be co-chaired by

Masato Terada (IPA) and Art Manion (CERT/CC).  The SIG is still in the information gathering

and planning phase.  Further conversation on the GVR issue will be held through the SIG, and

the CVE team will keep the Editorial Board apprised of the developments.


CVE ID syntax change update


    Steve Christey announced that the CVE team would be doing a downselect based on the Board's

feedback on the proposed option.  There will then be a public call for feedback on the

selected options.  The CVE team will announce the public call on CVE Announce, certain

security focused mailing lists, and to the CNAs.  Kent Landfield proposed that CVE should

contact tool vendors directly, and Steve agreed.  After the public comment period, there

will be a formal Editorial Board vote, at which time an official option will be selected.

The target time for the final decision is around RSA.  We have not yet reached

the point of discussing transition strategies.

Page Last Updated or Reviewed: October 03, 2014