CVE Board Meeting Summary - 25 April 2018

CVE Board Meeting 25 April 2018

Board Members in Attendance

Andy Balinsky (Cisco)

William Cox (Black Duck Software)

Kent Landfield (McAfee)

Scott Lawler (LP3)

Art Manion (CERT/CC)

Scott Moore (IBM)

Taki Uchiyama (Panasonic)

Members of MITRE CVE Team in Attendance

Chris Coffin

Christine Deal

Jonathan Evans

George Theall

Agenda

2:00 – 2:10: Introductions, action items from the last meeting – Chris Coffin

2:10 – 2:30: Working Groups 

• Strategic Planning – Kent Landfield
• Automation – Chris Johnson, Dave Waltermire

2:30 – 2:50: CNA Update

• DWF – Kurt Seifried
• JPCERT – Taki Uchiyama
• MITRE – Jonathan Evans, Nick Caron

2:50 – 3:15: Takeaways from RSA Conference – The Board

3:15 - 3:30: Quarterly Program Review and CNA Report – Chris Coffin and Jonathan Evans

3:30 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting

• Previous Action Item: Ongoing action items for Strategic Planning working group will hopefully be wrapped up in 2 weeks. The European Regulation conversation is ongoing.
  • Status: We are working on the objectives and requirements for the Service items that Chris Levendis agreed to take on. We should have a draft by Monday, April 30. The GDPR discussions are ongoing with MITRE legal.
• Previous Action Item: In the Automation Working Group, Joe Sain will continue with the effort to define a proper directory structure for the CVE Project Github.io site for project artifacts, as well as generating a list of all CVE and WG-related repos.
  • Status: A decision was made to let the working groups define the structure as they see fit.
• Previous Action Item: Kurt Seifried will develop documentation for how to submit via the Git Pilot before the next Board call.
  • Status: In progress and a draft was sent. https://docs.google.com/document/d/1kEGvdLt4Se6zkvOIUukhxJGbRHd5ZEdR6bDBXFEzG2w/edit
• Previous Action Item: MITRE will generate test material for CNA training, while also providing said training every other week for CNAs and pre-CNA entities.
  • Status: In progress.
• Previous Action Item: MITRE will generate a draft press release to announce the approaching 100th CNA onboarded, highlighting the growth and improvement of the CVE program as a whole.
  • Status: In progress.
• Previous Action Item: The concept of bringing in outside people to work on working group projects will be proposed to the CNA List. If met with approval, it should be codified in the board charter.
  • Status: The charter does not stop that from happening—question is do we want to codify it in the charter and leave as it is now? We never came up with a decision. Chris Coffin has an action to talk to the Board about this via the email list.

Agenda Items

Board Working Groups

Strategic Planning Working Group (Kent Landfield)

ISSUES: No updates

ACTIONS: N/A

BOARD DECISIONS: N/A

Automation Working Group (Chris Johnson / Chris Coffin)

ISSUES: No updates

ACTIONS: N/A

BOARD DECISIONS: N/A

 CNA Updates

DWF (Kurt Seifried)

STATUS: No updates

ISSUES/DISCUSSION: N/A

ACTIONS: N/A

JPCERT (Taki Uchiyama)

STATUS: N/A

ISSUES/DISCUSSION: N/A

ACTIONS: N/A

MITRE (CVE Team)

STATUS: Palo Alto Networks and Hillstone are now CNAs; we are close to announcing Avaya and maybe TWCERT/CC. Naver (Korean company) would like to become a CNA. We also have talked to GE and GitLab about becoming a CNA. Gitlab has withdrawn their request to become a CNA because using the MITRE CNA to request CVE IDs is sufficient for their needs.

DISCUSSION: N/A

ACTIONS: None

Takeaways from RSA Conference (Board Members)

DISCUSSION: Kent—heard a number of people speaking about CVE in a positive way. He did a presentation on patching (in a game show format) at RSA. One of the things he heard from the audience is that they are using CVE very effectively and (sadly) they were using CVSS as a threshold and focusing on CVEs and correcting those things that had reached a certain threshold. Someone was wearing a “We Speak CVE” button.

Chris Coffin said we got about 10-15 companies that came forward with interest as becoming a CNA.

Kent: There was a vulnerability meeting on Wednesday and we had a really good conversation on how to improve CVE (regarding the roles); how to change the focus from a technical and political perspective. Art Manion: Another thread that was discussed in the meetings was regarding medical devices and the fact that they do receive CVEs.

ACTION: N/A

Quarterly Program Review and CNA Report (Chris Coffin and Jonathan Evans)

DISCUSSION: The latest report card was sent out on April 16 for 2018 Q1 (sharing screen and going through the slides). Kent believes that open source CVE ID assignment (and CNA) requests need to be transferred to DWF. George Theall mentioned that Kurt Seifried can now only work on DWF on the weekends (he needs support).

Kent asked if the Board could be given the CNA data; the Board should have access to data (doesn’t have to be in graph form; just raw data is fine). He thinks the Board should have access to data that tells them who is getting better, who is slow, who is improving, etc. May not need all the charts and graphs going forward; the data in a spreadsheet may be just as useful.

Art Manion said it would be great to be able to show some of this information publicly; quite a bit of value showing the improvements that a project has made in a couple of years. Anything that doesn’t name a CNA specifically could be used.

ACTION: Chris Coffin will reach out to Kurt to find out more and figure out what MITRE can do to find support for DWF. Jonathan and Chris Coffin will discuss how to get some raw data to the Board.

Open Discussion

CNA Collaboration WG: Kent would like to get the Charter approved so that we can move forward. Jonathan mentioned the move of email to exchange groups—not sure what the impact of that will be. Chris Coffin said the list names will change; he will find out if there are other impacts from Joe Sain tomorrow.

Jonathan said we had an issue with Hikvision—because they’re in China, their public advisory was only accessible to people in China; we could not validate the advisory because of this. What do we do if China decides to block GitHub? Art: we should be concerned, but we have a blind spot regarding a lot of the Chinese software/vulnerabilities. The CERT/CC tries to help bootstrap PCERT capabilities or teams. We regularly go to conferences where the western world is, but I don’t really know what’s going on in China or India, for example. It is a question of reaching those markets in any way. The most tangible resource I have is to be able to present and/or attend certain conferences where Chinese software developers might be present.

Is the focus on trying to find the right person in the Chinese government to have these conversations with? Art—not sure we are near that point yet. We are open to talking to C-CERTS, CNVD, industry groups, government, customers, etc. We are trying to get the message out to software development companies that they should be assigning CVE IDs to their vulnerabilities. Kent may be able to facilitate a meeting in-country; he will work on it.

Jonathan said there is still the issue of what happens if we can’t access the CNA’s advisory.  We won’t be able to validate there is a public reference for the submitted entries.  This may become moot if we drop this check during automation.

Jonathan has had a couple of CNAs ask if they should assign a CVE ID—they don’t think an ID should be assigned because it was fixed a year ago but now the researcher wants it to go public. It would be nice if Jonathan could get some assistance writing a paper to show the downstream effects of CVE IDs to show why assigning an ID is important (asking for the Board’s help in creating a document). Jonathan will send out a couple of sentences to the Board mailing list to ask for assistance in writing a document to show the importance of assigning CVE IDs.

If something is not in scope for CVE ID, but through a chain of events, causes a vulnerability—what should be done? Nothing in the Rules to address this scenario. Also, Jonathan recommends renaming “Counting Rules” to “Assigning Rules.”

There are a couple of instances where researches have gone public before the CNA is ready. One interpretation is that the CNAs must populate the entry as soon as it becomes public; another interpretation is that the CNAs must populate the entry as soon as they (the CNAs) make it public. A related process issue that results from this is that if someone contacts MITRE to ask who the CNA is (if a researcher publishes the CVE), Jonathan cannot tell them who the CNA is (for privacy reasons). MITRE is put in the middle in many circumstances. Is it possible to have something that points to a private database?

Jonathan: Do we want to make it a rule that reservations are tagged with the CNA, or do we want to keep it as a voluntary basis? Kent reminds everyone that we cannot force the CNAs to do anything, as it is a voluntary program. This is a matter of communication and needs to be handled on a case-by-case basis. We need to ask the CNA list (and document to make it official) about the issue discussed above regarding tagging a CVE with CNA. As a CNA, Kent does not feel that CVE ID reservations should be tagged with the reserving CNA name. However, for the process issue described, Kent had no concerns with giving external folks who inquired about a reserved but public CVE ID the name of the assigning CNA and pointed their way in these cases.

Summary of Action Items

• Send email to the Board list to get opinions on a potential Charter update in regards to opening WG participation to anyone, not just Board members and CNAs. Is a Charter update needed to describe this or does the Board feel this is already implied.
• MITRE to talk to Kurt about DWF resources and helping him where needed
• Jonathan and Chris to discuss getting the Board some of the raw data that informs CNA report cards
• MITRE will send an email to the Board to ask them for input in regards to the value of assigning CVE IDs for older vulnerabilities or vulnerabilities that will never be patched.
• MITRE will communicate with the CNAs about the tagging of reserved CVE IDs with the CNA name. The pros and cons of tagging or not tagging will also be included and CNAs will be encouraged to add their thoughts and concerns.

Significant Decisions:

None