CVE Board Meeting
11 August 2016, 2:00 p.m. EDT
Dan Adinolfi, MITRE
Jon Baker, MITRE
Andy Balinsky, Cisco
Harold Booth, NIST
Steve Boyle, MITRE
Chris Coffin, MITRE
Mark Cox, Red Hat
Christine Deal, MITRE
Jonathan Evans, MITRE
Kent Landfield, Intel
Scott Lawler, LP3
Art Manion, CERT
Meghan Manley, MITRE
Pascal Meunier, CERIAS/Purdue University
Joe Sain, MITRE
Anthony Singleton, MITRE
George Theall, MITRE
Donna Trammell, MITRE
Dave Waltermire, NIST
Ken Williams, CA Technologies
The meeting began with a brief update on the CVE Counting Rules document. No feedback was received from the Board during the review period (via the email list). Concerns were raised that the current wording gives CNAs significant latitude when deciding whether or not an issue should be considered a vulnerability for CVE purposes. Specifically, a CNA can determine suitability for CVE based on its own security policies, which could differ from common practice. The result is that a legitimate vulnerability could be deemed acceptable (i.e., not a vulnerability) because the affected vendor applies a lax definition of its security policy.
Since the Primary CNA (MITRE) will remain the CNA of last resort, if the community feels that there are problems with a CNA’s assignment and assignment practices, the matter can be escalated up to the Primary CNA for adjudication.
MITRE gave an update on the new CVE Board Charter, citing the recent Board voting results. There was a good response rate to the vote (only five Board members did not respond). The voting results were:
- Who makes the decision to award Emeritus status?
  - 0 votes: The Board Moderator
  - 2 votes: The Board, through a Board vote
  - 10 votes: The Board Moderator, but the Board can overrule the decision with a Board vote
During voting, additional language was proposed as follows:
- How much time should be provided to Board members to vote on a given issue?
  - 0 votes: One week
  - 5 votes: Two weeks
  - 8 votes: Time frames in which to cast a vote may vary as circumstances require, but must be at least one week long. Two weeks is the recommended time frame for most votes, but is not required.
- Do you support adding the statements below to the Charter?
  "Board members have a responsibility to participate by voting. Members will lose voting privileges if they do not vote in at least one of the three previous (consecutive) Board votes. Votes to abstain count toward participation and toward a quorum. Members may regain voting privileges by asking to have their voting privileges reinstated through the private mailing list or during a Board meeting. If Members have not voted in the past year, they can be removed from the Board by Board vote, following the procedures for forced removal."
  - 13 votes: Yes
  - 0 votes: No
During voting, additional/alternate language was proposed as follows:
MITRE will send the revised Charter and voting results to the Board on 8/12 and requested feedback by 8/19. A clean copy of the Charter will then be disseminated on 8/19, giving the Board a week to review it. At the next Board meeting (8/25), the Board can decide whether the Charter is ready for a final vote of approval.
The new Terms of Use (TOU) would allow DWF (or anyone else) to send the descriptions of CVE assignments directly into the CVE List, but this may be delayed due to some technical issues that are being actively worked between MITRE and DWF. Also, the minimum set of content that must be included in a CVE entry will be publicly documented very soon, as will the technical methods for sending description content directly to the CVE List.
To satisfy the request that Board voting participation be monitored by the Board, MITRE noted that the current Charter voting results are being tracked in a spreadsheet and that this information, along with the results of future votes, will be tracked and shared with the Board.
Because staff changes within MITRE occur occasionally, MITRE will introduce new staff members as they join the CVE team and ensure that everyone on the call (including MITRE staff) is listed in the minutes.
The Black Hat and DEF CON conferences gave MITRE an opportunity to perform significant outreach and give some additional public exposure for the CVE program. Part of this included increasing awareness of the growing CNA program, and new contacts and new potential CNAs were identified.
The Board stated the need for an outreach plan. The plan would include details that would keep the Board in alignment with MITRE when speaking in public, recruiting new CNAs, and growing awareness of the program. The Board will stand up an outreach working group to address this need. The goals of this working group would include developing content and presentations that members of the Board could use when performing outreach tasks. Also, MITRE will keep the Board apprised of progress made in recruiting CNAs and collaborate with the Board on developing a strategy for targeting potential CNA candidates.
1. CNA counting document (counting decision tree): feedback expected by COB 8/22.
2. Charter: clean copy out 8/12, along with voting results. Feedback from the Board by 8/19; send clean copy out on 8/19 and decide on 8/25 whether the Charter is ready to be voted on.
3. Add MITRE staff in attendance to the minutes.
The next Board meeting will be held on August 25.