[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE Board teleconference summary - July 14, 2016

CVE Board Meeting

14 July 2016, 2:00 p.m. EST


The CVE Board met via teleconference on 14 July 2016. The meeting included an update on DWF, the CVE Counting Rules document update, Charter revisions, and CNA rules. Members of the MITRE CVE Team also attended the call. Board members in attendance were:



Kurt Seifried, Red Hat

Harold Booth, NIST

Andy Balinsky, Cisco

Scott Lawler, LP3

Pascal Meunier, CERIAS/Purdue University


Action items from the previous Board meeting were reviewed:

-          Board Charter (MITRE)

o   The voting form for the outstanding charter issues was distributed

o   Results of the vote were incorporated into the charter and discussed during the meeting

-          CVE Counting Rules (MITRE)

o   Incorporated comments received and discussed the changes during the meeting

The meeting began with a DWF update. DWF has started assigning CVE IDs.  Red Hat proposed that, for the higher profile CVEs (for software that is commonly used), Red Hat’s CVE ID pool should be used so that the CVE’s are “normal” as opposed the longer ones from DWF. This sparked some discussion to try and understand the relationship between DWF and Red Hat. It was confirmed that DWF is a standalone CNA, and not under the purview of Red Hat (i.e., Red Hat is not the root CNA of DWF).

Changes to the Counting Paper were then discussed.  Feedback was collected from Board Members prior to the meeting, and some changes were discussed in detail:

1.      Overall, the document was made to be less specific to MITRE.

2.       The wording of “U.S. IT Sector” was changed to “Scope of Authority,” examples of which can be found in the newly added Appendix A.

3.      A new section was added to describe the process for correcting counting issues (including reject, merge, split, and dispute).

Next week, an update to this CVE Counting document will be distributed. Additionally, a separate document will be sent to everyone that includes some distilled counting rules as an appendix to a larger document on CNA rules.

The discussion turned to a recent change to the public website. To coincide with the Board’s focus on the individual (rather than the organization), the website was re-organized to list Board members as individuals followed by organization (whereas before, the Board members were listed under their organization). In line with the emphasis on individuals, voting members from the MITRE team will be listed on the website (project lead, task lead, communication lead) rather than “The MITRE Team” as used in the past.

The four items that were up for vote related to the Charter were discussed:

·         The name of the board is now “CVE Board.” There were nine votes in favor of the CVE Board; three in favor of Advisory Board; none in favor of Editorial Board.

·         Removing Sections 1.3.1 – 1.3.4. The majority vote (11 members) was to remove those sections. One member voted to not remove the sections. The information is still available, but will not be a part of the charter proper.

·         Two-thirds vote required for forced removal rather than simple majority. Ten voted yes, two voted no. A lot of discussion entailed regarding the need for a quorum for the matter of forced removal; it was generally agreed that a quorum of 50 percent is reasonable to ensure a fair vote.

·         Creating working groups. Three members voted that no approval should be needed; nine voted that the Board Moderator should approve; none said a board vote is required. It was also recommended that the Charter specify that the working group can recommend actions to the Board, but they are not allowed to make the final decision regarding actions that impact the broader CVE Program; the Board still needs the opportunity to vote as needed. Some discussion ensued regarding a minimum amount of time for voting. The Board decided to add that there will be a one-week minimum, and two-week target period for voting. With regard to sensitive voting issues (i.e., forced removal of a Board member), the time will be two weeks with a reminder message after one week.

The group was reminded that the Charter was slated to go out for vote the next day (July 15), as outlined in the previous Board Meeting.  One attendee voiced that additional review and discussion time should be provided prior to a vote.  The attendees were asked if anyone else would also like the vote delayed, but no other attendees responded.  Board members were encouraged to use the mailing list to discuss any concerns regarding the Charter revisions.

The final topic discussed was the CNA rules document, which is in the process of being drafted. The document includes CNA rules and responsibilities—CNAs are encouraged to create and sustain their own internal processes. The rules were written from the perspective of the IT domain; they may need to change in order to apply to other domains, as needed. The responsibilities section describes the reciprocal relationship between primary and root CNAs.

Action items:

1.      Update to CVE counting document—out to board by late next week

2.      The charter—we will incorporate the feedback from the vote and the changes suggested today. The revised charter will go out tomorrow (7/15) for voting through 7/27

3.      Tally on previous vote will be distributed with charter tomorrow (7/15)


The next CVE Board meeting will be held on July 28.


Attachment: CVE_Board_Meeting_20160714.pdf
Description: CVE_Board_Meeting_20160714.pdf

Page Last Updated or Reviewed: July 27, 2016