CVE Board Meeting
25 August 2016, 2:00 p.m. EST
The CVE Board met via teleconference on 25 August 2016.
Board members in attendance were:
Andy Balinsky (Cisco)
Harold Booth (NIST)
Kent Landfield (Intel)
Scott Lawler (LP3)
Pascal Meunier (CERIAS/Purdue University)
Kurt Seifried (Red Hat)
Members of the MITRE CVE Team who attended the call are as follows:
2:00 – 2:05: Introductions, action items from the last meeting
2:05 – 2:15: DWF Update
2:15 – 2:45: CVE Board Charter; vote results and next steps
2:45 – 3:15: CVE Operations Update
3:15 – 3:45: CNA Update and CVE Outreach Discussion
3:45 – 3:55: Updated CVE Counting Rules Document
3:55: Action items, wrap-up
The meeting began with an announcement that Alan Paller (SANS) has stepped down as a member of the Board since he has been unable to participate recently.
All action items from last week have been resolved. A new version of the Counting Document was sent to the Board list on Wednesday, August 24th, and the latest version of the Charter was sent on August 22nd.
DWF has been training a new analyst, and that training is now complete. A discussion on Service Level Agreements (SLAs) is needed to ensure CNAs, including DWF, are maintaining a suitable level of service and focusing on measuring “things that matter”. The start of this discussion will be posted to the Board list and will include:
CVE Board Charter; vote results and next steps
The latest version of the Charter went out for feedback on Monday, August 22nd. The Board was comfortable with moving forward with the vote based on the current draft of the Charter. The Charter will be sent out Friday, August 25th with a two-week voting period through September 8th.
CVE Operations Update
MITRE recently announced they would be moving away from CVE email requests and instead use a web form for collecting CVE requests. One goal is to make CVE communications easier between the CVE team and other stakeholders. This will be a significant improvement to MITRE’s operational environment. The new web form will be in place Monday, August 29th; however, the CVE email requests will continue for a short period of time until CVE requesters are made aware of the CVE web form.
The Board expressed some concern over how the news of the change was generally communicated. That said, the Board was happy to see automation and structure in the CVE request system.
MITRE considers the format of the web form to be an early version which will be improved upon in short order. MITRE plans to monitor the use of the form in the first few weeks of its implementation, derive lessons-learned from that use, and plan for improvements quickly.
The Board was informed that they were welcome to test the web form and provide feedback to MITRE.
The cve-assign email account will remain open for a short time after the web form is put into production. Any messages sent to the account will receive an auto-response informing people that they should use the new CVE web form. Each request made through the web form will have a confirmation number, and that number will be provided in a message from the new cve-requests email address to the requester.
CNA Update and CVE Outreach Discussion
Intel and Apache were recently brought on as CNAs. The scope for Intel will be better defined on the CVE web site once Intel has discussed their CNA processes with their partner organizations.
The Board discussed developing a long term strategy for CVE and the CNA program. DWF was the first CNA to be created as a federated CNA. Federation will facilitate growth of the CVE program over time with MITRE as the coordinator. The Board needs to consider how they would advise the CNA program be organized going forward. The Board then needs to act on those ideas. One main question that must be answered is, “Where does the Board want CVE to be in two or three years as CVE further develops?” Right now the federation is starting to crawl. What can be done internally to support this evolution?
The Board felt setting up a Working Group to hash through some of these things is a good idea. The Board needs to have conversations regarding what a federated environment will look like in three years.
The CNA Rules document is going through final revision and will be ready next week. This document describes the federated structure and operational tasks and governance.
Assuming that a Working Group can be created after the Charter vote, the Board wanted to begin the discussions informally and then bring them to the Working Group once it has formed. In addition, the Board proposed holding face-to-face working meetings. Plans for scheduling such meetings will begin immediately, including a meeting for the CNAs to gather and work through training and other CNA-specific issues. A call for participation will be sent out over the Board mailing list for the pre-Working Group and Working Group.
Updated CVE Counting Rules Document
The current draft of the CVE Counting Rules Document was sent out Wednesday, August 24th. Some comments were received from the Board. Based on comments received the document will be revised, and a new version will be distributed. The conversations on the Board mailing list will continue and any new thoughts are appreciated. A new update will be shared within the next few days.
Concern was expressed over the way the vulnerability definition is framed. The definition seems to exclude hardware vulnerabilities, which was not the intention. The Board wants to ensure that the definitions used do not inadvertently limit the potential of CVE as it expands its scope.
An update on the creation of a vulnerability taxonomy by NIST was requested, and that taxonomy will be presented in the next few weeks. Feedback from the CVE web form and verbiage in the taxonomy will be aligned as identified in the community. The Board will expand the taxonomy as needed. Development of the second version of the CVE web form will be around the same time as feedback from the taxonomy. The description alignment should be right on target.
¨ MITRE will send out a new version of the CNA Rules document to reflect the changes suggested by the Board.
¨ A vote on adoption of the revised Charter will be initiated by MITRE on Friday, August 26. There will be a two week voting period that ends on Thursday, September 8. Results of the vote will be announced at the CVE Board meeting later that day.
¨ Kent Landfield will develop an announcement on the formation of a CNA Working Group.
¨ Harold Booth will send a vulnerability description to the MITRE CVE Content team.
The next Board Meeting will be held on September 8th.