CVE Board Meeting Minutes - 19 October 2016

CVE Board Meeting

19 October 2016, 2:00 p.m. EST

The CVE Board met via teleconference on 19 October 2016.

Board members in attendance were:

Harold Booth (NIST)

Art Manion (CERT-CC)

Kurt Seifried (Red Hat)

Dave Waltermer

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Jon Baker

Tiffany Bergeron

Steve Boyle

Chris Coffin

Christine Deal

Jonathan Evans

Anthony Singleton

George Theall

Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:10: CVE Strategic Planning Working Group Update – Kent Landfield

2:10 – 2:40: DWF Update, DWF assignment issues – Kurt Seifried and Harold Booth

2:40 – 3:10: Updating Large Blocks of Old CVE IDs (see email to Board list 10/14 "URL update for marc mailing list archive) – Chris Coffin

3:10 – 3:20: New Handshake Group - Daniel Adinolfi

3:20 – 3:40: Automation Working Group - Kurt Seifried and Harold Booth

3:40 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

The meeting began with an update on all action items from the previous Board meeting.

• The Automation Working Group vision brief is still under development.
• MITRE is still internally vetting a CVE 101 brief that will be shared with the Board. The Board was given a location for archiving Board meeting artifacts and work products, per request of the Board. CNA Summit planning continues.

CVE Strategic Planning Working Group Update

The Strategic Planning Working Group (WG) met on 10/12. The growth of the CNA program was discussed, and the WG believes that the existing queue of CNAs should complete the on-boarding process, but additional expansion should be paused until a more coherent strategy is formed for that expansion. A communications plan will be developed and executed along with this strategy development to ensure the community stays aware of the progress of that work. The WG will prepare an agenda for a face-to-face meeting at the upcoming CNA Summit.

DWF Update

A new version of the JSON schema used within DWF was shared with the Board. DWF is looking for continued feedback on the schema. Some changes will be made based on recent feedback.

DWF continues to train its CVE requesters regarding proper format, process, and content. There are a number of existing DWF entries that are malformed or incomplete. NIST observed these quality issues, and the Board discussed how to communicate quality issues throughout the CNA program. Also, the Board considered whether untested vulnerabilities should receive CVE ID assignment, though no definitive conclusion was made.

NIST will be opening issue tickets for the problematic DWF entries that have become CVE entries. DWF will use the list of issues to clean up the problems.

To facilitate the quality assurance process, some kind of labeling that indicates the source of the CVE entry will be added to future CVE entries. The specific format of that labeling will be developed by MITRE.

Updating Large Blocks of Old CVE IDs

MITRE updated a large number of old CVE IDs with updated reference URLs that were identified externally. (The website that held a large number of URL references had its hostname changed.) The changes were reflected in NIST’s CVE change log, which was much larger than usual. Neither NIST nor MITRE have received any reports of problems caused by the updates.

New Handshake Group

To satisfy the Board’s request to have a location for storing recordings of Board meetings and other artifacts in a private location, MITRE created a private Handshake group on its public Handshake server. Group invitations were sent to the Board this past week. The Board was invited to join and consider what functionality might be useful in the group.

Automation Working Group

A new Automation Working Group is forming. The group will be sharing a slide deck that spells out the goals and benefits of working more automation into CVE processing. They will consider various automation technologies, such as AI, to reduce the workload related to vulnerability counting and description writing. The Board felt that any effort put into streamlining CVE assignment with technology was worth investigating and investing in.

Action Items:

• Share CVE 101 document with the Board for review. - MITRE
• DWF’s JSON assignment schema will be updated and shared with the Board for comment. – Kurt Seifried
• The Automation Working Group will complete their initial brief and begin documenting their work. – Automation Working Group

The next Board Meeting will be held on November 2, 2016.