CVE Board Meeting Minutes - 8 February 2017

CVE Board Meeting

8 February 2017, 2:00 p.m. EST

The CVE Board met via teleconference on 8 February 2017.

Board members in attendance were:

Kent Landfield (Intel)

Art Manion (CERT-CC)

Kurt Seifried (Red Hat)

Taki Uchiyama (JP CERT)

William Cox (Black Duck)

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Chris Coffin

Jonathan Evans

Anthony Singleton

George Theall

Jon Baker

Matt Hansbury

Stephen Boyle

Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning - Kent Landfield

                        Issues

                        Actions

                        Board Decisions

            Automation - Harold Booth

                        Issues

                        Actions

                        Board Decisions

2:25 – 2:50: CNA Update

            DWF – Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

            General - Dan Adinolfi

                        Issues

                        Actions

                        Board Decisions

2:50 – 3:00: RSA Planning and Priorities - Dan Adinolfi

3:00 – 3:10: CNA Documentation - Dan Adinolfi

3:10 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

The meeting began with review of previous action items.

Introductions, action items from the last meeting – Chris Coffin

The question as to how best to create a group of CVE IDs for testing was deferred to the Automation Working Group.

MITRE still has the review of public CVE pages and what information about CVE is available elsewhere to be done.

MITRE will be sending out a new Board meeting schedule to accommodate a wider geographic array of members.

MITRE will be developing a new version of the reservation guidelines.

Any oss-security mailing list CVE requests will be directed to the CVE Request form (and, eventually, the DWF).

Working Groups

• Strategic Planning - Kent Landfield
  • Updates
    • The WG will organize questions to drive topics to begin process of completing goals.
  • Actions
    • The WG sent out a presentation to cover confirmation of suggestions made by the WG.
    • The WG will continue working on developing. topics to create conversations
    • Once questions are created conservations can be made and decisions there in will potentially be made.
  • Board Decisions
    • None.
• Automation – Kurt
  • Updates
    • More updates were made to version 4 of the JSON schema.
    • Many artifacts tracked in GitHub were cleaned up or addressed.
  • Actions
    • The WG will consider using Unicode.
    • The WG is working on documentation for use of the JSON format.
    • Once that documentation is created, a request for review will be sent to the group mailing list.
  • Board Discussion
    • The Board suggested that the WG should not look into using CVRF or CASF at this time. Instead, it should focus on getting something out the door that solves our problems now and not wait on something to has not been created yet.

CNA Update

• DWF – Kurt Seifried
  • Issues
    • The question of how a process for escalation should be developed and what it should look like must be addressed.
    • There is a need to create a framework for the reservation process of open source issues.
  • Actions
    • New CVE mentors have been brought onto the project.
    • Some work is being done to allow Sub-CNAs to be given their CVE ID reservations.
    • The DWF will be maintaining list of CNAs within GitHub.
  • Board Decisions
    • The Board want to ensure that there are appropriate lines of communication between root CNA and sub CNAs, especially within DWF and other Root CNAs.
• General - Dan Adinolfi
  • Issues
    • MITRE talked with Apple to begin formulating a plan that will result in Apple submitting CVE assignment information using a format that CVE can easily process. This will take some time (possibly a year).
  • Actions
    • MITRE is working with CNAs to polish CVE assignment data that is submitted.
    • MITRE is developing a CNA report card to present back to the Board.
    • MITRE has reached out to ICS-CERT to help them improve their assignment and communications processes with CVE.
  • Board Decisions
    • The Board asked for the status of JP-CERT becoming a root CNA. JP-CERT is ready to bring on their first Sub-CNA, and is working with MITRE to develop the necessary processes.

RSA Planning and Priorities - Dan Adinolfi

CVE will have a presence at the 2017 RSA conference. Kent Landfield and Kurt Seifried will be presenting on how the DWF has been developed as well as lead a discussion session. Dan Adinolfi will be presenting at the CERT Vendor Meeting to inform CERTs and drum up interest in the creation of new CNAs.

CNA Documentation - Dan Adinolfi

MITRE presented a CNA documentation list and diagram asking for the Board to help prioritize the list. The items on the list are intended to help educate and inform CNAs and those interested in CVE. The Board asked for more information on each document before deciding on priority. The Board also requested that the documents be developed in GitHub to allow for easier co-development.

Open discussion – CVE Board

There is a draft of the CPE for CVE use cases that MITRE would like the Board’s feedback on.

Action items, wrap-up – Chris Coffin

• MITRE will send a notification to the oss-security mailing list describing the new process for submitting CVE ID requests.
• The Board will follow up with Harold Booth regarding the review of JSON v4.
• MITRE will produce descriptions each document in proposed CNA document list.
• MITRE will create a home for the CNA documentation work in GitHub.
• The status of vulnerability efforts will be added to the Board call agenda once a month.