CVE Board Meeting
30 November 2016, 2:00 p.m. EST
The CVE Board met via teleconference on 30 November 2016.
Board members in attendance were:
Andy Balinsky (Cisco)
Harold Booth (NIST)
Kent Landfield (Intel)
Scott Lawler (LP3)
Art Manion (CERT-CC)
Pascal Meunier (CERIAS/Purdue University)
Ken Williams (CA Technologies)
Members of the MITRE CVE Team who attended the call are as follows:
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:10: CVE Strategic Planning Working Group Update – Kent Landfield
2:10 – 2:40: DWF Update – Kurt Seifried
2:40 – 2:50: Automation Working Group Update – Kurt Seifried and Harold Booth
2:50 – 3:20: Creation of Naming Working Group – Jonathan Evans
3:20 – 3:40: JSON Format – Chris Coffin
3:40 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Chris Coffin
The meeting began with a review of the action items from the previous Board meeting. There were three action items. First, MITRE was to share a list of action items coming out of the CNA Summit, which they did. Second, the Board was to investigate the possibility of having a Board meeting at the RSA conference in February, which is still under investigation. Finally, MITRE was to query the CNA and Board mailing lists to ask who would like to participate in the new Automation Working Group, which they did.
CVE Strategic Planning Working Group Update
The Strategic Planning Working Group (SPWG) had met on 22 November 2016. During that meeting, the SPWG debated the need for a council related to the Board that would focus on operational issues. Also, the SPWG discussed the idea that any vision of the future of CVE must include the needs of global vulnerability management across all sectors and what that might mean for strategy development. Related to this, there is a need for improved search capabilities to support this collaboration and interconnection with other stakeholders.
There was no update for the DWF for this meeting. The Board is aware of the ongoing operational activity and the development of the mentoring program, but no new information was available.
Automation Working Group
The mailing list for the Automation Working Group (AWG) has been populated with those interested in participating. The first order of business was scheduling a regular meeting, and a Doodle poll was sent out to schedule the initial meetings. The results of that poll will be announced to the group within a few days.
Creation of Naming Working Group
After a lengthy discussion of the need for alternative names for vulnerabilities or classes of vulnerabilities, MITRE suggested that a Working Group be created to address this issue. The Working Group would determine if CVE can or should establish a standard for alternate names for existing CVE ID-assigned vulnerabilities and how to document those. The Working Group will consider the work already being done by other working groups outside of CVE to determine how CVE should collaborate with them. This Working Group is open to CNAs, the Board, and other members of the larger vulnerability management community, such as the CWE and CAPEC teams at MITRE. A mailing list will be established to facilitate the discussion.
The JSON schema being developed to facilitate automated submission of CVE ID requests and sharing of CVE ID information is close to being complete. Its development will be shifted to the Automation Working Group. The AWG will look at developing tools that will work with the schema once the schema itself has been formally set. There was some discussion of making use of YAML, but that discussion was tabled and will be picked up by the AWG.
Due to the number of Board members who will be unavailable on December 28, the CVE Board meeting scheduled for that day will be canceled.
Kurt Seifried will be using the hashtag #cvementor on Twitter to tag any discussion related to the CNA mentoring program he and others are developing.
At the start of the new year, the Board should poll its membership to see if the scheduled times for Board meetings should be changed.
Kent Landfield is preparing to nominate Takayuki (Taki) Uchiyama from JPCERT to the CVE Board. Once the details of such a nomination have been settled within JPCERT, the official nomination will be submitted to the Board for consideration.
The next Board Meeting will be held on December 14th.