[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE Board Meeting Minutes - 3 May 2017

CVE Board Meeting

3 May 2017, 2:00 p.m. ET


The CVE Board met via teleconference on 3 May 2017.


Board members in attendance were:

Harold Booth (NIST)

Art Manion (CERT/CC)

Kent Landfield (McAfee)

Kurt Seifried (Red Hat/DWF)

William Cox (Black Duck)

Pascal Meunier (Purdue)

Scott Lawler (LP3)

Dave Waltermire (NIST)


Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Chris Coffin

Jonathan Evans

Anthony Singleton

George Theall



CVE Board Meeting 3 May 2017



2:00 – 2:05: Introductions, action items from the last meeting - Chris Coffin

2:05 – 2:35: Interview Board Member Candidate - CVE Board

2:35 – 2:55: Working Groups

            Strategic Planning - Harold Booth/Art Manion/Kent Landfield



                        Board Decisions

            Automation - Harold Booth/Kurt Seifried



                        Board Decisions

2:55 – 3:20: CNA Update

            DWF – Kurt Seifried



                        Board Decisions

            General - Dan Adinolfi



                        Board Decisions

3:20 – 3:30: CNA Report Card for First Quarter 2017 Follow-up - Dan Adinolfi

3:30 – 3:40: Formal CNA Rules Change - 24-hour notification limit upon CVE ID used publicly - Chris Coffin

3:40 – 3:55: Discussion: Three potential topics:

                        1) Should CNAs assign CVE IDs to bundled third-party components where the component isn't in their scope, strictly speaking? Should they instead assign through the DWF for OSS, for example? 

                        2) We will consider whether Working Groups can run pilots without the Board's permission, and in what form should that permission come?

                        3) There is a suspicion that most people they do not know how to interact with the Board (e.g., just email random members?), so contacting MITRE and doing it via MITRE seems reasonable, but also a potential conflict of interest as it were. The Board should start a laundry list of process/procedural things that might need fixing.

3:55 – 4:00: Action items, wrap-up – Chris Coffin


Interview Board Member Candidate - CVE Board

The CVE Board interviewed a prospective Board member.


Introductions and review of previous action items

  • Anonymized CNA report card is still under development.
  • Follow-up regarding HP’s disclosure policy
    • CNAs should self-attest as to what kinds of vulnerabilities they will assign to within their scope. This will be included as a proposed change to the CNA Rules in the next revision.


Working Groups

  • Strategic Planning – Kurt Landfield
    • Issues
      • There were no updates from the Strategic Planning Working Group.
    • Actions
      • The next Strategic Planning WG meeting will be rescheduled. A Doodle poll will be shared with the Board to land on a new time. It will be every other week, opposite the Board meetings. The poll will pick a day and time.
    • Board Decisions
      • There was no additional Board Discussion.
  • Automation - Harold Booth
    • Issues
      • The WG had a meeting 1 May 2017, and some notes from the meeting were posted to the Automation WG mailing list.
      • The WG is discussing the terminology used for the state of a CVE entry.
      • The WG is discussing minimum data sets for CVE IDs beyond the currently specified minimum standard.
    • Actions
      • The WG fleshed out a plan for an information sharing experiment using git and will share this with the Board.
    • Board Decisions
      • The Board needs to clear the bi-directional sharing Pilot. The WG will post a proposal for the sharing Pilot to the Board list and give the Board a week to review it.


CNA Update

  • DWF – Kurt Seifried
    • Issues
      • More CVE requests will be submitted by the DWF this week.
      • Some CVE ID requesters are not replying to the DWF’s email messages (especially those asking for acceptance of the CVE Terms of Use), which is slowing the publishing process. DWF is looking for more reliable ways to do this.
    • Actions
      • More infrastructure will be developed in the next week.
    • Board Decisions
      • There was no additional Board Discussion.
  • General - Dan Adinolfi
    • Issues
      • IOActive and Elastic are now CNAs.
      • Mozilla has been slow to respond to some issues brought up to MITRE from a third party. This may become a Board agenda item at the next meeting.
    • Actions
      • None.
    • Board Decisions
      • There was no additional Board Discussion.


CNA Report Card Update – Dan Adinolfi

After the Board’s review of the CNA Report Card during the last Board meeting, and after some additional email discussion, the Board was given an opportunity to have a follow-up discussion. The Board felt no additional discussion was needed beyond the recommendation that an anonymized version of the Report Card be shared with the CNAs. MITRE is developing that version of the Report Card and hopes to have a draft available to the Board before the next Board meeting.


Changing the CNA Rules to Enforce the 24-hour publishing expectation – Dan Adinolfi

Will begin the review cycle for the CNA Rules and include the 24-hour rules. This should be starting in June with a 3-month development process.


Working Group Process – CVE Board

Any significant, organized development by a Board Working Group should be treated as any other change to the CVE program. Therefore, before beginning such efforts, the Working Group in question should post a description of the effort to the public Board list with the statement, including the goals and general process the effort will follow. The Board would then have an opportunity to discuss the effort, come to a consensus on it, and either accept or reject the proposal within a specific time limit.

This process will be included in the Board Charter during the next Charter revision.


Communications with CVE – CVE Board

CVE Program directs stakeholder to the CVE Request web form or to cve@mitre.org for communicating with the CVE program. The Board wondered if a separate contact method was needed for those looking to reach the CVE Board directly. With almost no such communications coming through the regular communication methods, the Board decided against this.

Instead, MITRE will share with the Board some general info and trends that we see in our communications with stakeholders.


Action items, wrap-up – Chris Coffin

  • The Automation WG will email the Board to get permission for the Automation WG pilot.
  • MITRE will provide the anonymized report draft the middle of next week.
  • MITRE will begin work on creating an update to the CNA Rules for the Board’s deliberation in June.
  • In future Board meetings, MITRE will provide a brief summary of trends or issues that surface in its operations work and interface with the community.




Attachment: CVE Board Meeting 3 May 2017.docx
Description: CVE Board Meeting 3 May 2017.docx

Page Last Updated or Reviewed: June 01, 2017