CVE Board Meeting
05 October 2016, 2:00 p.m. ET
The CVE Board met via teleconference on 05 October 2016.
Board members in attendance were:
Andy Balinsky (Cisco)
Harold Booth (NIST)
Kent Landfield (Intel)
Scott Lawler (LP3)
Art Manion (CERT-CC)
Pascal Meunier (CERIAS/Purdue University)
Kurt Seifried (Red Hat/DWF)
David Waltermire (NIST)
Ken Williams (CA Technologies)
Members of the MITRE CVE Team who attended the call are as follows:
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:10: CVE Strategic Planning Working Group Update – Kent Landfield
2:10 – 2:40: DWF Update – Kurt Seifried
2:40 – 2:50: Finalized CNA Rules – Dan Adinolfi, Chris Coffin
2:50 – 3:40: CVE Team Pain Points - Chris Coffin
3:40 – 3:55: Open discussion – CVE Board
3:55: Action items, wrap-up – Kent Landfield, Chris Coffin
Regarding action items from the previous Board meeting, the Board and MITRE are continuing efforts to develop a list of guidance documentation to supplement the CNA rules. This includes operational guidance as well as a list of which standards are considered important or useful to CVE and how those standards are used within CVE. A presentation to kick off the Strategic Planning Working Group was delivered at the beginning of last week’s Working Group meeting (9/28). Also, MITRE continues to review options for improving Board meeting logistics and will report back at the next Board meeting. A mailing list has been established for the Strategic Planning Working Group.
CVE Strategic Planning Working Group Update
The members of the Strategic Planning Working Group (WG) met on Wednesday, September 28. The discussion covered items that should be included in meeting agendas going forward. The group will review the list of stakeholders, desired end states, and possible governance models. Deliverables from the group will include outreach presentations, white papers describing the CVE program, and some possible technical directives. The WG will record their meetings and make those available to the rest of the Board. The group will meet every two weeks. The next WG meeting is scheduled for October 12th, and the agenda will be posted before then.
CVE CNA Rules update
The new version of the CNA Rules and CVE Counting documentation has been finalized. CNAs are using the new CNA Rules and Counting rules as of October 10, 2016. The implementation of these rules will be monitored closely, and a formal revision process will begin in 3-6 months. Also, quality assurance (QA) and guidance documentation will be created very soon to help CNAs understand how to implement the rules more effectively and consistently across the CNA program.
CVE Team Pain Points
The CVE Team discussed one pain point with the Board; specifically, how to expand the CVE scope. Some of this discussion will occur within the Strategic Planning Working Group. Ultimately, the question that must be answered is how CVE can expand scope in a scalable way that serves the broader community best.
During the open discussion, a number of topics were discussed.
The CNA Summit is scheduled for November 8-9 at the NCCoE facility in Gaithersburg, MD. All CNAs and Board members are invited. The Board was invited to present at the meeting, and some space may be made available for the Board or the Strategic Planning Working Group to meet in person.
There is a need to further develop tools that allow for more streamlined CVE entry processing. An Automation Working Group was proposed, and the Board agreed to follow up on its creation.
Vulnerability researchers acting as CNAs create a number of complexities for the CNA program. This is especially the case when formalizing or understanding the scopes that each researcher may cover. The inclusion of researchers in the CNA program will be discussed in the Strategic Planning Working Group.
· The Board and MITRE will create an Automation Working Group, schedule its meetings, and provision the infrastructure needed to support the Working Group.
· The next Strategic Planning Working Group meeting will be October 12.
· MITRE will continue to update the CNA community and the Board regarding the plans for the CNA Summit.
· MITRE will share draft documentation that has been developed to support the strategic aspects of the CVE program, including a draft “CVE 101” document.
· MITRE will continue to investigate what technologies may be available to meet the needs of Board meeting logistics (meeting recordings, for example).
The next Board Meeting will be held on October 19th.