CVE Board Meeting Summary - 16 May 2018

CVE Board Meeting 16 May 2018

Board Members in Attendance

Chris Johnson (NIST)

Kent Landfield (McAfee)

Scott Moore (IBM)

Kurt Seifried (RedHat)

Dave Waltermire (NIST)

Taki Uchiyama

Members of MITRE CVE Team in Attendance

Chris Coffin

Christine Deal

Jonathan Evans

Joe Sain

George Theall

Agenda

2:00 – 2:20: Introductions, action items from the last meeting – Chris Coffin

2:20 – 2:40: Working Groups 

·       Strategic Planning – Kent Landfield

·       Automation – Chris Johnson, Dave Waltermire

2:40 – 2:50: CNA Update

·       DWF – Kurt Seifried

·       MITRE – Jonathan Evans, Nick Caron

2:50 – 3:15: Process for handling unresponsive CNAs – Jonathan Evans, Nick Caron

3:15 – 3:30: Board Charter Update Discussion – Kent Landfield, Pascal Meunier, Chris Coffin

3:30 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting

• Previous Action Item: The Amazon Alexa vulnerability discussion will be summarized in a post to the CVE Board email list (MITRE).
  • Status: Discussion initiated on Board list May 2. Vote on the issue expected following the Board meeting. (Kurt asked if it’s possible to assign a REJECT CVE if it is decided to not assign a CVE. Alternatively, it could get a CVE sooner, and if it’s decided later that it’s not a vulnerability, the CVE could be rejected. Kent said we want to avoid low quality CVEs, which would dilute the perceived value of CVE.)
• Previous Action Item: Development of the user stories will continue, and the briefing charts will be updated (MITRE).
  • Status: Work is in progress; presented updates in Strategic Planning Working Group on 14 May.
• Previous Action Item: Email to the Board regarding the beginning of step 4 of the Charter update process (MITRE).
  • Status: Done. Version 2.6 of the Board Charter is now approved.
• Previous Action Item: Email to be sent to the CNA list regarding the establishment of the CNA Working Group after the CVE Charter has been approved (MITRE).
  • Status: Board Charter approved May 9; Kent will share a draft of the email with the Board soon.
• Previous Action Item: Jonathan Evans to contact JPCERT to determine their progress as a Root CNA, including who from JPCERT is going to work with the board on the ROOT CNA.
  • Status: Complete; to be discussed in the CNA Update. JPCERT said they’d like to continue to be the Root CNA. They suggested Taki remain the POC.
• Previous Action Item: Set a date for the review of the Automation Working Group Charters by the CVE Board.
  • Status: Not yet done. Chris Johnson needs to put together an email and send to Chris Coffin.
• Previous Action Item: MITRE will send an email to the Board to ask them for input regarding the value of assigning CVE IDs for older vulnerabilities or vulnerabilities that will never be patched.
  • Status: Not yet done.
• Previous Action Item: MITRE will communicate with the CNAs about the tagging of reserved CVE IDs with the CNA name. The pros and cons of tagging or not tagging will also be included and CNAs will be encouraged to add their thoughts and concerns.
  • Status: Not yet done.

Agenda Items

Board Working Groups

Strategic Planning Working Group (Kent Landfield)

ISSUES: Spent a majority of the meeting discussing MITRE’s updates and changes to the three services they took ownership of; the changes and updates can be used as a template for creating additional services and was sent to the working group for review. Focus has been on user stories and functional requirements.

ACTIONS: N/A

BOARD DECISIONS: N/A

Automation Working Group (Chris Johnson / Chris Coffin)

ISSUES: There were a number of different discussions, including the schedule for Git Pilot Phase 3 capabilities. The concern is that we are approaching a deadline for having phase 3 capabilities ready to deploy by the end of the month—we are not in a place to do that. Need to identify a reasonable date for when we can have it ready. There was an action item for getting an updated schedule in place. Another area of discussion was around updates to JSON schema; NVD team has been doing ongoing testing in terms of being able to turn that capability on in production. Would require some fairly significant changes on the MITRE side in order to get CNAs and content submitters to provide the refsource and name fields in the master list. An added concern is, are there other aspects of validation that may not be happening?

Working on project documentation so that the processes will be available on the GitHub site for reference.

There is ongoing development of use cases and requirements.

Working to prioritize the 33 issues that exist on the Automation Working Group project list.

ACTIONS: Chris Johnson will send out an email to Chris Coffin later today regarding the updated charter.

BOARD DECISIONS: N/A

 CNA Updates

DWF (Kurt Seifried)

STATUS: No updates

ISSUES/DISCUSSION: N/A

ACTIONS: N/A

JPCERT

STATUS: JPCERT said they’d like to continue to be the Root CNA. They suggested Taki remain the POC. Taki will reach out to JPCERT.

ISSUES:

ACTIONS:

MITRE (CVE Team)

STATUS: No updates

DISCUSSION: N/A

ACTIONS: None

Process for Handling Unresponsive CNAs (Jonathan Evans, Nick Caron)

DISCUSSION: There are about 4 CNAs who have not reserved an ID in over a year or populated or published an ID in over a year. Jonathan will contact them to see if they still want to be a CNA. If they do want to be a CNA still, is that okay?

• Kent: Is it okay that they don’t have vulnerabilities in their software products? Yes. Is it okay that they don’t assign CVEs to vulnerabilities that they have? No. We need to determine the difference.
• Kurt: Highly unlikely that they do not have any vulnerabilities. I think they are not doing security work anymore, or they’d find at least one vulnerability a year. At some point, there needs to be a cutoff. We need to determine a timeline.
• Dave: This may be an opportunity to get the POC information up to date.
• Chris C: How much overhead is there for us to have a CNA that’s inactive for a year?
• Jonathan: Not that much. It’s going to impact us when we start to add in automation and need information from them.
• Chris C: Part of the email communication to the CNAs (as a part of the email asking them if they still want to be a CNA) should include a list of expectations. What does everyone think about checking in with CNAs on an annual basis to ask if they still want to be a CNA?
• Kurt suggests emailing the CNAs quarterly to check in and see if they want to remain a CNA.
• Kent thinks doing it twice a year is better—quarterly may be too often and users may begin ignoring the emails.
• Jonathan: if it’s done quarterly, we could also remind them at that time to send the quarterly reports.
• Chris C: To keep email from getting dull, we could ask questions of the CNAs. Make sure they are responding. Should we create a rule in the CNA rules about this?
• Kent: yes, we need to keep the back channel information up to date. They need to know to expect this email request on a regular (quarterly, every six months, etc.) basis
• Kurt: We need to give them 30 days to reply
• Chris C: What do you do if they don’t respond after 30 days?
• Kurt: I would de-certify them as a CNA because they are not behaving like a CNA

The next group we may need to consider de-certifying as CNAs are those who repeatedly cannot/do not put their information in the correct format. Or they don’t put the product information in the description.

• Kurt: are these garbage CVEs or good CVE’s?
• Jonathan: Both.

• Kent: What I’m hearing is that I think we need to have a serious discussion on the Board calls about which CNAs are doing these things. We need to call out, explicitly, the CNAs causing the problems. There is some value to knowing who is doing what.
• Jonathan: One of the CNAs that have these issues is Qualcomm. When we try to get them to correct their information, they don’t. MITRE has tried correcting the entries and pushing them out. They’ve been doing this since they became a CNA.
• Kent: Sounds like an education issue. They need to some training.
• Jonathan: Also, Apple doesn’t provide us descriptions; MITRE has done them all.

ACTION: Jonathan and Chris Coffin can type up something to go in the CNA Rules to address this issue.

Board Charter Update Discussion (Kent Landfield, Pascal Meunier, Chris Coffin)

DISCUSSION: There are a couple of other updates that need to be added to the Board charter. Since we just had a vote and updated the Charter, we can add the issue that Pascal brought up to the queue to add in to the next Charter update.

ACTION:

Open Discussion

Item #1:
Dave: Talking to analysts with NVD; they mentioned they are increasingly starting to see CVE descriptions come through that have embedded CVSS scores and attributes embedded in the description. They said they have been seeing this more and more over the last year. They sent him some examples, which he sent to the Board list. Also, we have been working to enhance our CVE format to include a formal place for some of this structured vulnerability information. Concerned that including this in the description is a misuse of the description fields. We need to encourage the CNAs to use the proper fields. We are setting a bad precedent here. We need to have some best practices around this issue.

• Kent: Pleased to see that people are supplying CVSS scores, but this is not the right way to do it.
• Dave found about 1,293 instances of this. Most are coming from ICSCERT and Oracle. The problem isn’t that they are using CVSS language in the description; my concern is the inclusion of the additional data.
• Chris C: We may need a black list of things that should not be included in a description.
• Dave would like to see us develop some documentation around best practices for writing descriptions.
• Kurt: Make a list of things supported in the JSON that we want included in the description. Can’t we provide a white list of things that are allowed and a black list of things that are not allowed?
• Dave: I think what Kurt is suggesting may be one way to tackle this problem. We should work on developing some more robust documentation.

ACTION: Think about some training that includes what we’ve been discussing, given the potential for automation.

Item #2:
Chris C.: Kent mentioned in direct communication that the cve-announce mailing list newsletters are rather sparse on information and could be improved.

Kent: We have had discussion about how to reach our stakeholders?

Chris C: That list is fairly well received. We are always over 10k subscribers.

Kent: We need to reach those 10k subscribers with something beneficial. Let’s use it to educate them and share information about CVE.

Chris C: It’s pointing to the issues on the newsfeed.

Kent: We need to include an excerpt from the news stories and not just a link.

Chris C: And also you indicated it may be sent too frequently.

Kent: I think we need to send it out if there are things to announce. May be nice to have a conversation about this on the Board list. May be nice to have someone write a short article for it occasionally. May also be nice to include links to articles from outside news sources.

Chris C: We used to do more of that but we stopped because it got “noisy.” Maybe we should introduce it back, but keep it to articles that are specifically about CVE.

Item #3:
Chris C: Do we want to add Chris Johnson to the Board list (and eventually on the Board)?

Dave: I don’t have a problem adding him to the mailing list and eventually the Board.

Nobody on the call has an objection to him being added to the mailing list.

Kent: We have recently had people popping up on the mailing list who have no responsibility whatsoever except to write a check (sponsors). It would be good to know who is on the Board list. I don’t have a problem adding people, but I want to make sure I know who is a part of the list.

Chris C: I don’t think there is any issue with making the list public to members and notifying the list when there is add or drop.

Summary of Action Items

• Draft an email for reaching out to CNAs on a regular basis for participation
• Send out revised version of charter with Pascal’s update
• Work on CNA training to include white lists/black lists for descriptions and look into potential automation
• Need to update the announce mailing lists so they have more information. Update the way we submit them—adding more info along with links, incorporation of news articles, not sending as frequently
• Add Chris Johnson to the public board mailing list
• Share the public and private Board list members with the private Board list

Significant Decisions:

None