
CVE Board Meeting Minutes, 9 August 2017



CVE Board Meeting 9 August 2017

 

Board Members in attendance:

Taki Uchiyama (JPCERT/CC)

David Waltermire (NIST)

Kent Landfield (McAfee)

Pascal Meunier (Purdue)

Beverly Finch (Lenovo)

William Cox (BlackDuck)

Art Manion (CERT-CC)

Members of MITRE CVE in attendance:

Dan Adinolfi

George Theall

Chris Coffin

Jonathan Evans

Alex Tweed

Anthony Singleton

 

Agenda

 

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning – Kent Landfield/Chris Coffin

                        Issues

                        Actions

                        Board Decisions

            Automation – Kurt Seifried/George Theall/Chris Coffin

                        Issues

                        Actions

                        Board Decisions

2:25 – 2:50: CNA Update

            DWF – Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

            General – Dan Adinolfi

                        Issues

                        Actions

                        Board Decisions

2:50 – 3:00: Assigner field for CVEs – Chris Coffin

3:00 – 3:10: Automation WG Git Pilot - Chris Coffin/George Theall

3:10 – 3:20: Discussions on Board Mailing List - Chris Coffin

3:20 – 3:40: Black Hat/DEF CON after-action report – Dan Adinolfi/Anthony Singleton

3:40 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

 

Review of Action Items from last meeting

PREVIOUS ACTION ITEM: The issue of Root CNA needs and documentation will be part of Strategic Planning Working Group.

STATUS: Strategic Planning group will be releasing information on plan on how to resolve this problem.

PREVIOUS ACTION ITEM: MITRE will request feedback from the CNA list about adding CNA information to rejected CVEs

STATUS: Went into effect this morning (8/9). CNAs are now being listed in the CVE master list on the web site, including rejected IDs.

PREVIOUS ACTION ITEM: MITRE to setup Atom demonstrations and discussion with NIST and the Board.

STATUS: MITRE and NIST will coordinate to set up meeting to process this action item.

PREVIOUS ACTION ITEM: MITRE to send out announcement that change in “rejected” status has become effective. 

STATUS: MITRE sent out an announcement that rejected IDs can now change state. It was included on Twitter and other publication lists.

PREVIOUS ACTION ITEM: MITRE to include policy or other significant CVE changes to the CVE announce list for all types of changes going forward.

STATUS: MITRE has implemented this change.

 

Agenda Items:

Working Groups

 

Strategic Planning

 

Status:  Need to discuss priorities:

  • Artifact lists
    • Documentation, training docs, information for researchers, and videos
  • MITRE should share their list of priorities.
  • Board members should get involved in creating video on how to properly use CVE.
  • More focus on JSON effort with Automation Working Group (AWG)
  • Talked about need for CVE 101, CVE for Researchers, Counting Rules, Outreach documentation, FAQ, and Success stories.


Issues: Find a way to work current efforts into Board communication and to allow AWG overlap to be more efficient.

Actions: Will any Board members be willing to take time to contribute to outlining and documentation?

Board Decisions: MITRE will send mail to board asking for comments and participation on listing priorities.

 

Automation

 

Status:  The Git pilot is currently scheduled to end Aug 21st. Discussions are in progress around setting character limits on JSON fields.

Discussion:  A lot of positive feedback from CNAs about the Git repo. AWG would like to move it to a public state and allow more testing. 77 pull requests have been made by CNAs, with 7 declined and only 4 pending. Do we need character limits in certain JSON fields?

Issues:  The pilot has not been operationalized. The current pilot has been a successful phase one, and there is still a need for more testing and research to resolve the remaining issues AWG members have brought up. There is an idea of having a phase 2 that would allow automatic pull requests from CNAs. Next efforts will focus on automation and scaling.

Actions: AWG will send a write-up to the Board asking for an extension. MITRE will submit a GitHub tracker issue that discusses character limits (moving to 4 thousand characters) in submissions.

Board Decisions: AWG should flesh out requirements and present solutions to the Board. The Git Pilot will be receiving a temporary extension.

 

CNA Update

CNA DWF

Status: None

Discussion:  None

Issues: None

Action:  None

Board Decisions: None

 

CNA MITRE

 

Status: New CNAs: Autodesk, Qnet, Airbus, Alibaba.

Issues: None

Actions: Continuing efforts on onboarding and reaching out to potential CNAs. Talking to Mediatech. Had a CNA meet-up at DEFCON; 13 CNAs participated.

Board Decisions: None

 

Assigner field for CVEs

Status: The task has gone operational. IDs will have known CNA assignment information published. This includes rejected IDs as well.

Discussion: None

Issues: None

Action: MITRE will send mail discussing the operational status of this task.

Board Decisions:  None


Automation WG Git Pilot

 

Status: Phase 1 was successful. The deadline for the end of the pilot is in two weeks.

Discussion:  The Board feels that the pilot should move on to another phase and focus on issues that relate to automation and scaling.

Issues: The Board believes more work needs to be spent researching the value of this pilot as compared to short-term and long-term solutions for the program.

Actions:  AWG will work on proposal for the next phase of the project.

Board Decisions: None

 

Discussions on Board Mailing List

 

Status: The Board believes this topic should be deferred to the Strategic Planning Working Group to further flesh out the issues and which solutions are best available to the program.

Issues: None

Actions: This topic will be pushed to the Strategic Planning Working Group for further discussion.

Board Decisions: Deferring to the Strategic Planning Working Group to take on and formulate a list of to-dos and how to better organize these important discussions.

 

Black Hat/DEF CON after-action report

 

Status:  MITRE participated in both conferences. MITRE presented a slide deck on how to get CVE IDs at the DEFCON Wall of Sheep.

Discussion:  MITRE reported having multiple discussions with vendors and researchers, spreading word about the mission of CVE and its goals. MITRE also solicited ideas and issues/resolutions from these focused groups to gather data on the effectiveness of the program.

Issue: None

Action: MITRE is following up with contacts from the conferences.

Board Decisions: None

 

Open discussion

 

Status:  CNA rule updating is taking place on GitHub.

Discussion:  The plan is to have comments from each review session incorporated and decided upon before the start of the next session.

Issue:

Action: If you have any comments or changes, please submit them on the GitHub site.

Board Decisions: MITRE will post the current copy of the CNA rules to GitHub for people to begin the review process.

 

Status:  A new version of the 2017 Q2 Quarterly Performance Report was sent to the Board.

Discussion:  This version is updated based on comments and feedback from the July 12 Board meeting. The plan is to use this version as a template moving forward.

Issue:

Action: If you have any comments or changes, please reply to the Board list.

Board Decisions: MITRE sent the updated version prior to the Board meeting.

 

Summary of Action Items

 

  • AWG/MITRE will send a write-up to the Board asking for an extension for the Git Pilot.
  • MITRE will submit a GitHub tracker issue that discusses character limits (moving to 4 thousand characters) in JSON submissions.
  • MITRE will send mail discussing the operational status of adding the assigner field to the corpus.
  • AWG will work on a proposal for the next phase of the project.
  • The Strategic Planning Working Group will put together a to-do list for prioritizing mailing list discussions.

 

Significant Decisions, Policy Changes, or Events

  • The assigning CNA field is now displayed in the CVE master list on the CVE web site. It will contain the CNA organization name for Populated and REJECT CVE entries.

Attachment: CVE Board Meeting Minutes 09 August 2017.docx
Description: CVE Board Meeting Minutes 09 August 2017.docx


Page Last Updated or Reviewed: August 21, 2017