CVE Board Meeting
21 September 2016, 2:00 p.m. ET
The CVE Board met via teleconference on 21 September 2016.
Board members in attendance were:
Andy Balinsky (Cisco)
Harold Booth (NIST)
Kent Landfield (Intel)
Scott Lawler (LP3)
Art Manion (CERT-CC)
Pascal Meunier (CERIAS/Purdue University)
Kurt Seifried (Red Hat/DWF)
Ken Williams (CA Technologies)
Members of the MITRE CVE Team who attended the call are as follows:
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:10: CVE Strategic Planning Working Group Update – Dan Adinolfi, WG members
2:10 – 2:40: DWF Update – Kurt Seifried
2:40 – 3:10: CVE Documentation updates – Chris Coffin, Dan Adinolfi
3:10 – 3:20: CVE Logistics discussion – Chris Coffin, Dan Adinolfi
3:20 – 3:55: Open discussion – CVE Board
3:55: Action items, wrap-up – Chris Coffin
All action items from the previous meeting have been resolved. A new version of the CNA Rules Document was sent to the Board list on Friday, September 16th, and the latest version of the Charter was sent on August 22nd.
A question was raised and discussed about how the ticketing system will handle embargoed items. The Board agreed to take the topic off-line so that some investigation could take place.
CVE Strategic Planning Working Group Update
The first meeting of the CVE Strategic Planning Working Group will be Wednesday, September 28, from 2:00 to 4:00 p.m. ET. The agenda will be emailed to the members before the meeting, and it will focus on setting goals for the near future. A mailing list for the working group will be created to facilitate the work.
In general, the Board feels that each working group should supplement the Board and not replace it. Working groups will perform work in small, focused groups and report back on that work regularly with the Board as a whole. Email conversations and other artifacts from the working groups will be made available to the Board and working group members, but they are not intended for the general public. These requirements will help frame what infrastructure is needed to support those groups and what expectations they should assume.
DWF Update
The DWF project asked for guidance regarding data embargo practices. The Board discussed the potential complexities related to CNAs maintaining embargoed information in general. The workflow and choice of tools would have significant effects on how embargoed information could be maintained. The discussion will move to the CNA mailing list.
In general, DWF is still working through a number of operational issues, including the general ticket workflow. Their public request site is functioning.
CVE Documentation Updates
The CNA Rules and Counting Rules documents are available on the CVE GitHub site. The current versions include a number of revisions, refinements, and feedback from the CNAs, the Board, and MITRE staff. MITRE is asking for final comments on the documentation by September 28, 2016, with the goal of finalizing this version of the document in the next two weeks.
After that initial release, MITRE will monitor how the rules are implemented and what problems or questions arise. That feedback will go into the first revision, which will happen between 3 and 6 months after they first go into effect.
Since development of quality assurance (QA) standards and rules has a good deal of interest by the community, QA documentation and processes, along with other guideline documents that will supplement the CNA Rules document, will be developed next by a working group. That working group will be established once the rules are fully vetted.
CVE Logistics discussion
MITRE asked the Board if they have any requirements or challenges regarding the infrastructure used to hold and archive Board meetings and future working group efforts. Mailing lists were a popular request. The Board also would like the ability to record meetings and have those recordings archived along with any artifacts related to the meetings. MITRE will investigate what resources are available that may satisfy the requirements.
NIST’s Vulnerability Description Ontology is coming soon. It is currently in draft, and it is being reviewed. The Board was encouraged to request a copy of the draft if they are interested in offering feedback.
The Board encouraged MITRE to utilize the members of the Board when dealing with operational challenges and strategic planning. The Board’s expertise, experience, and leverage could be beneficial. This would also help the CVE program be more transparent to the greater community. A number of these issues will be included in discussions within the Strategic Planning Working Group.
Also, to help inform their understanding of challenges and accomplishments, the Board requested that MITRE offer periodic metrics and statistics regarding CVE operations. MITRE will plan to share some metrics going forward.
Action Items
· The Board and MITRE will develop a list of guidance documentation to supplement the CNA rules. This would include operational guidance as well as a list of which standards are considered important or useful to CVE and how those standards are used within CVE.
· A presentation to kick off the Strategic Planning Working Group will be distributed by Kent Landfield before the Working Group meeting on September 28.
· MITRE will review options for improving Board meeting logistics and report back next Board meeting. A mailing list will be established for the Strategic Planning Working Group before September 28.
The next Board Meeting will be held on October 5th.