[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE Board Meeting Minutes - 14 December 2016



CVE Board Meeting

14 December 2016, 2:00 p.m. EST

 

The CVE Board met via teleconference on 14 December 2016.

 

Board members in attendance were:

Andy Balinsky (Cisco)

Harold Booth (NIST)

Kent Landfield (Intel)

Scott Lawler (LP3)

Pascal Meunier (CERIAS/Purdue University)

Ken Williams (CA Technologies)

Kurt Seifried

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Chris Coffin

Jonathan Evans

Anthony Singleton

George Theall

Christine Deal

Jon Baker

 

 

Agenda

 

2:00 – 2:05: Introductions, action items from the last meeting – Daniel Adinolfi

2:05 – 2:10: CVE Strategic Planning Working Group Update – Kent Landfield

2:10 – 2:40: DWF Update – Kurt Seifried

2:40 – 2:50: Automation Working Group - Kurt Seifried and Harold Booth

2:50 – 3:20: MITRE CNA adoption of CNA rules - Jonathan Evans

3:20 – 3:40: Pain Points - Daniel Adinolfi

3:40 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Daniel Adinolfi

 

The meeting began with a review of the action items from the previous Board meeting. There were four action items. First, MITRE confirmed that they will be sending a CVE representative to RSA. They will be available to participate in the presentation and talk planned to announce the CVE Mentor program. Also, the Vulnerability Naming Working Group is still to be created, and MITRE will complete this task. The JSON schema was shared with the Automation Working Group. Finally, the December 28, 2016, Board meeting has been cancelled due to the holiday.

 

CVE Strategic Planning Working Group Update

At the previous meeting of the Strategic Planning Working Group (WG), the group discussed the potential impact of the planned CVE Mentor Program being developed by Kurt Seifried and Kent Landfield. (As mentioned above, the Mentoring Program will be formally announced at RSA 2017 in February.) The Mentor Program, as with other parts of CVE, must be built to allow for the flexibility required to work across multiple domains and CNA roots.

Also, the WG will be doing additional work on comparing NIST’s vulnerability ontology with the data elements of the proposed JSON scheme to ensure that both efforts are heading in the same or compatible direction.

 

DWF Update

The DWF has been performing a clean-up of data submitted through its web form. They found that much of the data was not well-formatted, clearly stated, or sufficient. Also, having submitters acknowledge their acceptance of the terms of use has been a challenge. The hope is for the Mentor Program to help train submitters to include well-formatted and proper data.

Also, the DWF will continue to work through their backlog, which mostly involves obtaining affirmation of acceptance of the Terms of Use.

The DWF is also looking at identity management schemes to facilitate identifying users, authorizing their roles within DWF, and generating a clear history of their participation.

 

Automation Working Group

The Automation Working Group met on December 6, 2016. The WG reviewed the and commented on the JSON format. The strengths and weaknesses of using the format were discussed, and that discussion is ongoing, both within the WG and on the automation and CNA mailing lists.

The WG is waiting on explicit permission from Intel to make use of their excellent counting spreadsheet so that it can act as a starting point for further automation development.

The next meeting of the WG will be scheduled soon.

 

MITRE CNA Adoption of CNA rules

MITRE has been reviewing its operational procedures to bring them into alignment with the CNA Rules. The Board considered the implications of changing the requirements that MITRE places on CVE ID requests to ensure MITRE can follow the CNA Rules. For example, MITRE has assigned a CVE ID to a vulnerability before it becomes public and then is not notified when the vulnerability is made public. This leaves the CVE ID entry listed as “RESERVED” in the CVE list and without a description, even though the details about the vulnerability are public, which causes confusion by CVE consumers.

MITRE will continue to investigate options for reducing the occurrence of this and related issues.

 

Pain Points

The CVE Board discussed a recent incident on the CNA mailing list involving a Board member acting unprofessionally and inappropriately. The Board agreed that any response should be as transparent as possible.            

MITRE, speaking on behalf of the CVE Board, will send a public message to the CNA list that calls out the unacceptable behavior. It will explain that such repeated behavior will result in removal from the CNA list.

MITRE, speaking on behalf of the CVE Board, will send a direct warning to the Board member with the Private Board mailing list CC'd. That warning will explain to the individual that disciplinary actions will be taken, up to and including, removal from the CNA list if there is any further unacceptable behavior. The Board member will not be removed at this time.

The Board will be updating the Board Charter to include more specific language regarding what is considered appropriate for a Board member. It was suggested that the Board adopt the Contributor Covenant as a Code of Conduct: http://contributor-covenant.org/version/1/4/.

This is used for DWF's Code of Conduct. MITRE will create some updated language for the Charter by the next Board meeting, and that proposed language will be discussed.

The Charter already has what it needs to censure or remove a Board member, but this update will reinforce what is already included.

 

Open Discussion

  • Takayuki Uchiyama with JPCERT/CC has been added to the CVE Board.

 

Action Items:

  • MITRE will review publicly posted content on the CVE website and the related Wikipedia page to ensure it is correct and up to date.
  • A mailing list to support the Naming Working Group will be created by MITRE.
  • MITRE will develop a strategy and suggested implementation plan for the creation of CVE ID blocks that could be used for testing.
  • The Strategic Planning WG meeting scheduled for December 21, 2016, may be cancelled due to the holiday. This will be confirmed on the WG mailing list.
  • A response to the questionable content posted to the cve-cna-list mailing list will be implemented as described above.
  • CVE will schedule the next Automation Working Group meeting.
  • The Board will check with Intel to verify that their CVE assignment spreadsheet can be shared with the larger community.

The next Board Meeting will be held on January 11, 2017.

 

Attachment: CVE Board Meeting_12_14.docx
Description: CVE Board Meeting_12_14.docx


Page Last Updated or Reviewed: December 22, 2016