
CVE Board Meeting Minutes - 24 May 2017
(Our apologies for the delay in sending these out. - CVE Team)


CVE Board Meeting

24 May 2017, 2:00 p.m. ET


The CVE Board met via teleconference on 24 May 2017.


Board members in attendance were:

Harold Booth (NIST)

Beverly Finch (Lenovo)

Art Manion (CERT/CC)

Kent Landfield (McAfee)

Kurt Seifried (Red Hat/DWF)

William Cox (Black Duck)

Dave Waltermire (NIST)

Taki Uchiyama (JPCERT/CC)

Ken Williams (CA Technologies)

Andy Balinsky (Cisco)


Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Chris Coffin

Matt Hansbury

Anthony Singleton

George Theall


Agenda

CVE Board Meeting 24 May 2017

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning - Harold Booth/Art Manion

                        Issues

                        Actions

                        Board Decisions

            Automation - Harold Booth/Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

2:25 – 2:50: CNA Update

            DWF – Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

            General - Dan Adinolfi

                        Issues

                        Actions

                        Board Decisions

2:50 – 3:20: Discussion of CVE ID statuses and states - Chris Coffin

            Continues conversation being had on the AWG mailing list

            Related: Should reserved CVE IDs be listed in the CVE List at all? If so, do we need types of reserved status in the list?

3:20 – 3:30: Anonymized CNA Report Card - Dan Adinolfi

3:30 – 3:45: Time limit for reserved CVE IDs? Should there be different time limits for the MITRE CNA, since their model is slightly different? - Dan Adinolfi

3:45 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

Introductions and review of previous action items

  • The Automation WG was to email the Board to get permission for the Automation WG pilot. This was done.
  • MITRE was to provide the anonymized report draft the middle of next week. This was done and feedback is being collected.

Working Groups

  • Strategic Planning – Kent Landfield
    • Issues
      • Working Group meetings will be held Mondays, 1-2 PM, on the same weeks as the regularly scheduled Board meetings.
    • Actions
      • No actions.
    • Board Decisions
      • There was no additional Board Discussion.
  • Automation – Kurt Seifried
    • Issues
      • The WG had a meeting 15 May 2017, and some notes from the meeting were posted to the Automation WG mailing list.
      • The WG is going ahead with the Git-based pilot for pushing information to MITRE.
      • A list of the old and new sets of states (e.g., reject sub-state, reserved/assigned/allocated states, etc.) for CVE IDs will be sent via mail for discussion.
      • The WG discussed the idea that data sharing should be push-based. The responsibility for updating CVE data should be on the data contributor.

    • Actions
      • The WG fleshed out a plan for an information sharing experiment using Git and will share this with the Board.
    • Board Decisions
      • The Board needs to clear the bi-directional sharing Pilot. The WG will post a proposal for the sharing Pilot to the Board list and give the Board a week to review it.


CNA Update

  • DWF – Kurt Seifried
    • Issues
      • DWF is working through its backlog of assignment requests.
      • More CVE requests will be submitted to MITRE by the DWF this week.
      • Some CVE ID requesters are not replying to the DWF’s email messages (especially those asking for acceptance of the CVE Terms of Use), which is slowing the publishing process. DWF is looking for more reliable ways to do this.
    • Actions
      • More infrastructure will be developed in the next week.
    • Board Decisions
      • There was no additional Board Discussion.
  • General - Dan Adinolfi
    • Issues
      • The two-day training in Tokyo went well. 9 groups attended. The language barrier was an issue, but the group worked past it. Both the more technical sections and the content-writing part went well. The CNA program may want to consider translations of the training materials.
    • Actions
      • None.
    • Board Decisions
      • There was no additional Board Discussion.


States Topic – Chris Coffin

See above in the Automation WG notes.


CNA Report Card Update – Dan Adinolfi

Based on Board feedback, the explanatory material should be expanded. The report card should be made more self-contained, including more background material. A paragraph or two for each slide would be useful. MITRE will get back to the Board in two weeks with a new version.


Time limit for reserved CVE IDs? Should there be different time limits for the MITRE CNA, since their model is slightly different? – Dan Adinolfi


An automated process for tracking this would be ideal. The goal would be to revoke a CVE ID assignment after a period of time or publish after a period of time, which will reduce the number of “stale” CVE IDs in the CVE list. MITRE will send a proposal to the Board with specifics.


Open Discussion – CVE Board

Can rejected CVE IDs be moved back into an active state?

The Board discussed this and agreed that CVE IDs should be able to change state to accommodate mistakes. Doing so would require notification and awareness that rejected CVE IDs can be changed. MITRE will issue a 30-day notice that this policy is changing and formalize the process to manage communication about problems as they arise.


Regarding MITRE’s response to Congress’ request for specific information about the CVE program, MITRE will look into sharing their response as soon as they can.


The Board discussed the use of “Undefined behavior” in vulnerability descriptions. If a vendor/developer asserts that a vulnerability that exhibits undefined behavior is legitimate, then the CVE ID should be assigned. Without that confirmation, a researcher should provide more proof that the undefined behavior represents a vulnerability. MITRE should push back on requesters who offer only “undefined behavior” as a description of the vulnerability.


MITRE is still working with HP to update the Board on questions related to their scope.


Action items, wrap-up – Chris Coffin

  • A list of the old and new sets of states for CVE IDs will be sent via mail for discussion.
  • Write up the communication plan.
  • Provide a new anonymized report card in 2 weeks.
  • Write up the proposal on time limits for reserved CVE IDs.

Attachment: CVE Board Meeting 24 May 2017.docx


Page Last Updated or Reviewed: August 07, 2017