[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

November 1 CVE Board Meeting Summary

CVE Board Meeting 1 November 2017

Board Members in Attendance

William Cox (Black Duck)

Kent Landfield (McAfee)

Andy Balinsky (Cisco)

Kurt Seifried (Red Hat/DWF)

Taki Uchiyama (JPCERT)

Dave Waltermire (NIST)

Ken Williams (CA Technologies)

Members of MITRE CVE Team in Attendance

Dan Adinolfi

George Theall

Chris Coffin

Jonathan Evans

Alex Tweed


2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning – Kent Landfield



                        Board Decisions

            Automation – George Theall



                        Board Decisions


2:25 – 2:50: CNA Update

            DWF – Kurt Seifried



                        Board Decisions

            General – Dan Adinolfi



                        Board Decisions

2:50 – 2:55: Board Membership - Chris Coffin

2:55 – 3:05: Handling Defunct References - George Theall and Chris Coffin

3:05 – 3:20: Documentation: CNA Processes - Dan Adinolfi

3:20 – 3:45: Discussion: Problematic assignments for subpar reports via CVE request form - Chris Coffin and Jonathan Evans

            Email thread on Board mailing list 10/23-10/26.

3:40 – 3:55: Open Discussion

3:55 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting

  • PREVIOUS ACTION ITEM: Getting a thread started for defunct domain issue
    • STATUS: Email was sent to the Board on 10/31 and there are a few responses. This item is also on today’s agenda
  • PREVIOUS ACTION ITEM: Category and Tag Discussion (Kurt)
    • STATUS: A thread has been initiated; MITRE will propose a path forward.
  • PREVIOUS ACTION ITEM: Send email to HackerOne to gauge interest in issuing CVE IDs
    • STATUS: Has not been completed. MITRE will continue this as an action item for next call.
  • PREVIOUS ACTION ITEM: Develop ideas for collaborative document sharing.
    • STATUS: MITRE will present a briefing at the next Board meeting (Joe Sain).


Agenda Items

Board Working Groups

Strategic Planning Working Group (Kent Landfield)

STATUS: Kent is currently assembling a document that captures recent conversations on strategy, questions that need to be answered, and what the ideas are on a path forward.

Automation Working Group (George Theall)

STATUS: Ideas for phase 3 were discussed within the working group. These discussions will continue and will be presented to the Board near the end of phase 2. The consensus within the working group is that the new Github site is working well.


CNA Updates

DWF (Kurt Seifried)

STATUS: Work continues on the backlog of DWF requests. DWF is planning a fork of the CVE GitHub repository, which will result in the submission of pull requests. The current DWF repository will be deleted.

ISSUES/DISCUSSION: There was a discussion regarding whether a child CNA could publish directly to MITRE rather than going through its parent CNA. Some members felt that if the child CNA is submitting good requests they should be able to talk directly to MITRE. This could be a way to reduce the amount of overhead in the process. Commits going to MITRE would be signed, and MITRE would pull this data in periodically as part of the Continuous Integration (CI) process.

There were concerns regarding how this would scale for parent CNAs. The Board stated that if a hierarchy could be followed and responsibility could be delegated, some of the scaling concerns could be addressed.

The Board also feels that MITRE should make it clearer in the CNA guidelines that there are a set of rules that apply to everyone, and that there are some rules that are expressed as a goal. The mandatory rules need to be explicitly stated, and must be differentiated from roles expressed as goals.

Based on this discussion, the Board believes that the hierarchy should be followed and that CVE publication details should flow up the chain through each Root CNA, as opposed to allowing sub-CNAs the ability to publish directly to MITRE. The main reason for using the hierarchy is that it allows more flexibility as the program becomes less centralized. Also, the Root CNA is always in the best position to determine what content is acceptable or not. If a Root CNA decides that a sub-CNA under them does not need content review because they have a very good record of submitting quality content, the Root CNA can choose to automatically push those CVE details up the chain when submitted.

Link to rules: https://github.com/CVEProject/docs/tree/cna-documents/cna/CNA%20Rules/CNA%20Rules%20Development

ACTIONS: Go back through and comment on rules accordingly—see which ones are required and which ones are flexible. See which ones are more guidelines. (Dave)


MITRE (Dan Adinolfi)

STATUS: Node.js has joined as a CNA. Facebook and GitHub have also expressed interest in becoming an CNA, and Booz Allen Hamilton would like to join as a researcher. The Board expressed some concern regarding the onboarding of researchers and their relative value to the CVE effort as opposed to CNAs.

DISCUSSION: There was a discussion regarding CVE coverage of additional domains and at the same time understanding how these new CNAs fit into a larger hierarchy. The Board recommended taking a more measured approach to onboarding new CNAs to ensure that a solid management structure is in place. CVE outreach should be directed to expanding the base (i.e., identifying and bringing on Root CNAs), working with the current CNAs to help define their role, and ensuring that there is sufficient clarity regarding what is expected of them and what the associated workload will be.


  1. MITRE will invite representatives from Github to a future Board discussion.
  2. MITRE will initiate a conversation about additional technical domains and areas that should have CVE coverage.
  3. Discussion will continue on building the base. The CVE team will consider a potential shift in resources from CNA onboarding to Root CNA identification and development.

Board Membership Change

STATUS/ISSUE: October 31st was the cutoff date for responding to the call for continuing Board participation. 3 members did not respond--Mike Prosser (Symantec), Tom Stracener, and Elizabeth Scott (Microsoft).

ACTIONS: They will be removed from board list, public website, and meeting invites within the week.

Open Discussion

ISSUE: How should CVE handle references with invalid hyperlinks?

DISCUSSION/NOTES: It has been observed that a number of older CVEs contain references that include hyperlinks that are no longer valid. It is important to retain the reference as it contains valuable information. The Board discussed several options:

  • Remove the hyperlink, mark in a different way, maybe have a reference to a web archive.
  • Leave the reference in place as archived history and mark it as broken.
  • Don’t remove the reference but remove the hyperlink.
  • Ask the downstream users if they actually care if the URLs are broken.

ACTIONS: The Board is fine with the options presented for handling the CVE web site broken references in a recent email. The main point was that we don’t want to completely remove the reference, we just want to make it clear that it’s broken. A later Board email discussion will be started to talk about how these references could be marked within the CVE downloads and JSON. The team could also create a blog post to get downstream users’ opinions.


Summary of Action Items

  • Dave Waltermire volunteered to review current CNA rules for required items and flexible items.
  • MITRE will schedule a Board meeting that will include the representatives from Github.
  • MITRE will start a discussion about additional technical domains and areas that should have CVE coverage.
  • The discussion on building the base (i.e., identifying and onboarding Root CNAs) will be discussed by the Strategic Planning WG.
  • The discussion on broken links and handling them with the CVE downloads and JSON will continue in a Board email thread.
  • Dave Waltermire will develop a list of CNAs that have quality issues.


Significant Decisions:

Sub-CNAs cannot submit or communicate CVE details directly to the Primary CNA or maintainer. They must submit through their Root CNA according to the rules defined by their Root. See the notes above for more details.


Attachment: CVE_Board_Meeting_Summary_for_review_11012017.docx
Description: CVE_Board_Meeting_Summary_for_review_11012017.docx

Page Last Updated or Reviewed: November 14, 2017