
Re: Agenda for CVE Board Meeting March 8 (Wednesday)



My throat is mostly packed up today, so mostly what I have to report:

1) need CNA/CVE training material to mint more CVE Mentors (since I can't just use existing trained people =)
2) there is definitely interest in CVE Mentors becoming CNAs for third party projects (e.g. Adam Caudill doing WordPress)

One thing that I forgot to mention on the CVE automation WG yesterday but is worth thinking about both for them and the board:

CNAs are required to push data to their parents and ultimately to MITRE, BUT:

how does data from MITRE or data that goes directly to MITRE filter back up the path?

E.g. DWF CNA creates CVE-XXXX-YYYYYYY and pushes to the DWF which pushes it to MITRE. Then an existing root CNA, say a commercial one, comes along and updates the CVE root level description. How does that updated description go back up the chain to the DWF/child CNA? Do we care? My concern is ending up with different versions of a CVE that become difficult to merge (e.g. a DWF sub CNA updates the root description and then tries to send that up the line to MITRE). 

This won't be a problem for some time I suspect, but it will become a problem eventually.

On Wed, Mar 8, 2017 at 11:59 AM, Adinolfi, Daniel R <dadinolfi@mitre.org> wrote:

All,

I apologize for the late arrival of the agenda for this week's CVE Board meeting. It is below.

Thanks.

-Dan

CVE Board Meeting 8 March 2017

Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:25: Working Groups
    Strategic Planning - Kent Landfield
        Issues
        Actions
        Board Decisions
    Automation - Harold Booth
        Issues
        Actions
        Board Decisions
2:25 – 2:50: CNA Update
    DWF – Kurt Seifried
        Issues
        Actions
        Board Decisions
    General - Dan Adinolfi
        Issues
        Actions
        Board Decisions
2:50 – 3:00: FIRST PSIRT Meeting - Dan Adinolfi
3:00 – 3:10: CNA Documentation - Dan Adinolfi
3:10 – 3:20: CNA Report Card - Chris Coffin
3:20 – 3:40: Twitter and LinkedIn Presences - Chris Coffin
3:40 – 3:50: Pain Points - Chris Coffin
    - CVE entry sources.
3:50 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Chris Coffin


--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: March 09, 2017