CVE Board Meeting Minutes, 6 September 2017

Board Members in attendance:

Taki Uchiyama (JPCERT/CC)

David Waltermire (NIST)

Kent Landfield (McAfee)

William Cox (BlackDuck)

Art Manion (CERT-CC)

Andy Balinsky (Cisco)

Scott Lawyer (LP3)

Kurt Seifried (Red Hat)

Members of MITRE CVE in attendance:

Dan Adinolfi

George Theall

Chris Coffin

Jonathan Evans

Anthony Singleton




2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups
            Strategic Planning – Kent Landfield/Chris Coffin
                        Board Decisions
            Automation – Kurt Seifried/George Theall/Chris Coffin
                        Board Decisions

2:25 – 2:50: CNA Update
            DWF – Kurt Seifried
                        Board Decisions
            General – Dan Adinolfi
                        Board Decisions

2:50 – 3:00: URL Update Status – George Theall/Chris Coffin

3:00 – 3:30: Service Vulnerabilities – Andy Balinsky

3:30 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin


Review of Action Items from last meeting

PREVIOUS ACTION ITEM:  The Automation Working Group will review different approaches for git pilot submissions for Roots and sub roots

STATUS: No updates at the moment. Meeting scheduled for 9/7. Will notify board of outcome by late next week.

PREVIOUS ACTION ITEM: MITRE to send documentation and operational priorities to Board list for discussion.

STATUS:  Working on edits and will post to the board soon.

PREVIOUS ACTION ITEM: Kurt will send email to Board to start discussion around paying customers and CVE assignments.

STATUS:  Kurt is waiting for contact to reach back to him with more information.


Agenda Items:

Working Groups


Strategic Planning


Status:  No updates


Issues: None

Actions: Group is still working to put information together

Board Decisions: Waltermire will respond to Millar’s board email post to facilitate conversation on topic of Strategic objectives for CVE.


Automation


Status: Working on next phase of pilot program.

Discussion:  Some JSON data fields have been implemented with limits (see https://github.com/CVEProject/automation-working-group/pull/44). Updated the CVE_JSON_4.0_min.schema to limit the length of a description (3999), length of a given reference (500), and the number of references (500). No comments received from the community on the current data field size changes.
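As an added illustration (not the working group's own schema or code), the checker below applies the three size limits listed above to a CVE JSON 4.0-style record; the field paths (description.description_data[].value, references.reference_data[].url) are assumed from the CVE JSON 4.0 layout, and the sample record is constructed.

```python
# Added example, not the CVE project's own code. Enforces the limits the
# minutes describe for CVE_JSON_4.0_min.schema: description value <= 3999
# characters, each reference URL <= 500 characters, at most 500 references.
# Field paths are an assumption based on the CVE JSON 4.0 layout.
MAX_DESCRIPTION_LEN = 3999
MAX_REFERENCE_LEN = 500
MAX_REFERENCE_COUNT = 500


def check_size_limits(entry):
    """Return a list of violation messages; an empty list means the entry is
    within the limits. Missing sections are not flagged, since the minutes
    only discuss size limits, not required fields."""
    violations = []
    descs = entry.get("description", {}).get("description_data", [])
    for i, desc in enumerate(descs):
        n = len(desc.get("value", ""))
        if n > MAX_DESCRIPTION_LEN:
            violations.append(f"description_data[{i}].value is {n} chars (max {MAX_DESCRIPTION_LEN})")
    refs = entry.get("references", {}).get("reference_data", [])
    if len(refs) > MAX_REFERENCE_COUNT:
        violations.append(f"reference_data has {len(refs)} entries (max {MAX_REFERENCE_COUNT})")
    for i, ref in enumerate(refs):
        n = len(ref.get("url", ""))
        if n > MAX_REFERENCE_LEN:
            violations.append(f"reference_data[{i}].url is {n} chars (max {MAX_REFERENCE_LEN})")
    return violations


# Constructed sample record (placeholder ID): one over-long description
# (4000 chars) and one over-long reference URL (524 chars).
SAMPLE_ENTRY = {
    "CVE_data_meta": {"ID": "CVE-YYYY-NNNNN", "ASSIGNER": "cna@example.invalid"},
    "description": {"description_data": [{"lang": "eng", "value": "x" * 4000}]},
    "references": {"reference_data": [
        {"url": "https://example.invalid/advisory", "name": "ok", "refsource": "MISC"},
        {"url": "https://example.invalid/" + "a" * 500, "name": "long", "refsource": "MISC"},
    ]},
}

if __name__ == "__main__":
    for v in check_size_limits(SAMPLE_ENTRY):
        print("violation:", v)
```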



Board Decisions:


CNA Update

DWF


Status: None

Discussion:  None

Issues: Issue with reference material in embargo assignments and public entries from DWF.

Action:  Kurt is still cleaning data for his workflow.

Board Decisions: Kurt will email Chris Coffin and George Theall to further discuss work flow for DWF assignment and publication.


General


Status: CNA rules revisions continue. Currently in week 5.

Issues: Need to figure out a better solution to track the progress/completion of any given issue or effort.

Actions: MITRE intends to add content to the CVE website explaining how to submit requests via the web form.

Board Decisions: Please include a link to the resolved web page in the issue tracker item that was closed.


URL Update Status

Status: MITRE has gone through 30k X-Force reference URLs; these URLs are broken and IBM is not willing to change them.

Discussion: Can the remaining references to be repaired be done in one sweep, or should batches continue to be used?


Action: 20k references in total remain to be repaired.

Board Decisions: Waltermire will consult with the NVD team regarding whether a limit on the number of changes is still needed and relay the answer to MITRE.




Service Vulnerabilities


Status: Andy proposes that CVEs be assigned to vulnerabilities that reside in services.

Discussion: Board discusses ideas and counter ideas.

Issues: What is the value of assigning IDs to these issues?

Actions:  Board email list contains discussion in more detail.

Board Decisions: Andy will provide to the board the escalation process and format of the advisories in relation to vulnerabilities in services.


Open discussion


Discussion: Work flow of changing CVE Reject status / Reservation status

Issue: When there is a provenance issue, MITRE has historically noted the reason describing the issue in the entry.

Action: Kurt asks board to consider a variation of publishing guidelines of CVE IDs that are under embargo.

Board Decisions:


Summary of Action Items


  • Waltermire will respond to Millar’s board email post to facilitate conversation on topic of Strategic objectives for CVE.
  • Kurt asks board to consider a variation of publishing guidelines of CVE IDs that are under embargo.
  • MITRE will open a Board mailing list discussion on CVE references and what purpose they serve.
  • MITRE to update board on git pilot phase 2.
  • MITRE will send board prioritized artifact list and outlines.
  • Andy will share with us Cisco policy for vulnerabilities in services.
  • MITRE will consider solutions to better track issues resolution and progress.


Significant Decisions, Policy Changes, or Events


  • None


Attachment: CVE Board Meeting 06 September 2017.docx

Page Last Updated or Reviewed: September 21, 2017