CVE Board Meeting
19 October 2016, 2:00 p.m. EST
The CVE Board met via teleconference on 19 October 2016.
Board members in attendance were:
Harold Booth (NIST)
Art Manion (CERT-CC)
Kurt Seifried (Red Hat)
Members of the MITRE CVE Team who attended the call are as follows:
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:10: CVE Strategic Planning Working Group Update – Kent Landfield
2:10 – 2:40: DWF Update, DWF assignment issues – Kurt Seifried and Harold Booth
2:40 – 3:10: Updating Large Blocks of Old CVE IDs (see email to Board list 10/14 "URL update for marc mailing list archive") – Chris Coffin
3:10 – 3:20: New Handshake Group – Daniel Adinolfi
3:20 – 3:40: Automation Working Group – Kurt Seifried and Harold Booth
3:40 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Chris Coffin
The meeting began with an update on all action items from the previous Board meeting.
CVE Strategic Planning Working Group Update
The Strategic Planning Working Group (WG) met on 10/12. The growth of the CNA program was discussed, and the WG believes that the existing queue of CNAs should complete the on-boarding process, but additional expansion should be paused until a more coherent strategy is formed for that expansion. A communications plan will be developed and executed along with this strategy development to ensure the community stays aware of the progress of that work. The WG will prepare an agenda for a face-to-face meeting at the upcoming CNA Summit.
DWF Update, DWF Assignment Issues
A new version of the JSON schema used within DWF was shared with the Board. DWF is looking for continued feedback on the schema. Some changes will be made based on recent feedback.
DWF continues to train its CVE requesters regarding proper format, process, and content. A number of existing DWF entries are malformed or incomplete. NIST observed these quality issues, and the Board discussed how to communicate quality issues throughout the CNA program. The Board also considered whether untested vulnerabilities should receive CVE ID assignment, though no definitive conclusion was reached.
NIST will be opening issue tickets for the problematic DWF entries that have become CVE entries. DWF will use the list of issues to clean up the problems.
To facilitate the quality assurance process, some kind of labeling that indicates the source of the CVE entry will be added to future CVE entries. The specific format of that labeling will be developed by MITRE.
Updating Large Blocks of Old CVE IDs
MITRE updated a large number of old CVE IDs with new reference URLs that were identified externally. (The website that held a large number of URL references had its hostname changed.) The changes were reflected in NIST's CVE change log, which was much larger than usual. Neither NIST nor MITRE has received any reports of problems caused by the updates.
New Handshake Group
To satisfy the Board’s request to have a location for storing recordings of Board meetings and other artifacts in a private location, MITRE created a private Handshake group on its public Handshake server. Group invitations were sent to the Board this past week. The Board was invited to join and consider what functionality might be useful in the group.
Automation Working Group
A new Automation Working Group is forming. The group will be sharing a slide deck that spells out the goals and benefits of working more automation into CVE processing. They will consider various automation technologies, such as AI, to reduce the workload related to vulnerability counting and description writing. The Board felt that any effort put into streamlining CVE assignment with technology was worth investigating and investing in.
The next Board Meeting will be held on November 2, 2016.