CVE Board Meeting Summary - 13 June 2018

CVE Board Meeting 13 June 2018

Board Members in Attendance

William Cox (Black Duck Software)

Kent Landfield (McAfee)

Scott Lawler (LP3)

Scott Moore (IBM)

Pascal Meunier (CERIAS/Purdue University)

Kurt Seifried (RedHat)

Taki Uchiyama (Panasonic)

Andy Balinsky (Cisco)

Members of MITRE CVE Team in Attendance

Chris Coffin

Christine Deal

Jonathan Evans

Joe Sain

George Theall

Agenda

2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin

2:15 – 2:30: Working Groups 

·       Strategic Planning – Kent Landfield

·       Automation – Chris Johnson, Dave Waltermire

2:30 – 2:45: CNA Update

·       DWF – Kurt Seifried

·       MITRE – Jonathan Evans, Nick Caron

2:45 – 3:15: Amazon Alexa Decision Summary – Chris Coffin

3:15 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting

• Previous Action Item: Check with Chris Johnson on the status of the AWG charter. (Chris Coffin will send a message to Chris Johnson).

• Status: Not yet final but should be soon.
• Previous Action Item: Send out note to the Board on the CVE Quality WG (MITRE).
  • Status: TBD
• Previous Action Item: Kurt Seifried to send follow-up email on Cloud Services discussion.
  • Status: To be discussed (Kurt will send out something after call with CSA).
• Previous Action Item: Email to be sent to the CNA list regarding the establishment of the CNA Collaboration Working Group (MITRE).
  • Status: TBD. Draft is ready to go; Chris Coffin will send out to CNA list later today. In a separate email not yet written, we will ask for nominations for a board liaison.
• Previous Action Item: Continue work on CNA training.
  • Status: In process.
• Previous Action Item: Need to update the announce mailing lists so they have more information. Update the way we submit them—adding more info along with links, incorporation of news articles, not sending as frequently (MITRE).
  • Status: Done.
• Previous Action Item: Update the Board charter based on recommendation from Pascal Meunier (MITRE)
  • Status: TBD 

Agenda Items

Board Working Groups

Strategic Planning Working Group (Chris Coffin / Kent Landfield)

ISSUES: We started discussing how to write the CNA Collaboration Working Group announcement from the standpoint of getting the WG stood up. The majority of the discussion was around the face to face we are having 26-28 June and the CONOPS we are developing. We are establishing requirements that will drive the Automation WG projects. We have a lot of different areas that will need to be addressed: rule changes that could be impacted by how the board voted on the Alexa vulnerability; how do you handle a vulnerability with an AI product; starting discussion on updating the counting rules in early July.

We need to set up a Board meeting specifically to discuss how to go about updating CNA Rules.

ACTIONS: N/A

BOARD DECISIONS: N/A

Automation Working Group (Chris Johnson / Dave Waltermire)

ISSUES: Microsoft attended for the first time. They are very interested in being part of the process to help shape the automation efforts. Chris mentioned the ID allocation service to them and they (Microsoft) are very interested. Chris Johnson had a chance to define some labels and attach those to some of the GitHub issues for the AWG. Microsoft went through some of their process with how they use CVE today. We talked a little about how to handle goals for phase 3 of the GitPilot.

ACTIONS:

BOARD DECISIONS: N/A

 CNA Updates

DWF (Kurt Seifried)

STATUS: Nothing major to report.

ISSUES/DISCUSSION: N/A

ACTIONS: N/A

MITRE (CVE Team)

STATUS: We’ve had two organizations reach out to become CNAs: Johnson Controls (HVAC, automotive) and 5ecurity.CN (researcher organization in China). They appear to be reasonably active and they have iwantacve.cn (helping Chinese researchers request CVEs through that website). They could be thought of similar to a vendor coordinator.

Kurt wants to know if we are doing anything to assure that people wanting to become coordinator CNAs are not doing this for malicious reasons? (Jonathan posted this in the chat window: http://cve.mitre.org/cve/cna/rules.html#Section_2_2_communication_rules item 10 and http://cve.mitre.org/cve/request_id.html).

Kent agrees with the concern; we need to reach out to them and talk to them about their expectations and how they see themselves fitting into the environment going forward.

Jonathan added that we’ve been working with Qualcomm. They’ve re-submitted their CVE entries; they did much better this time so we’ve populated those. Mozilla submitted most of their backlog to us so we’ve populated those (about 300 entries).

DISCUSSION: N/A

ACTIONS: None

JPCERT

Status: Taki reached out to JPCERT and they plan to be a root CNA and can report any updates through Taki; he hasn’t received any updates yet. He will see some people face to face at FIRST and may get some updates then. No indication of sub-CNAs.

Amazon Alexa Decision Summary (Chris Coffin)

DISCUSSION: We held the vote; a CVE was issued and it was populated. Essentially, we chose to assign and populate for the Amazon Alexa issue even thought there was nothing on the part of the end user that they had to do—it was all mitigated in the cloud by Amazon. It does beg the question, going forward, whether or not customer control and INC3 specifically in the current Counting Rules, is required or if it needs to be slightly different depending on the issue domain (which raises its own complexities)?

Kurt: Has Amazon made any comments about this? They were of the opinion it was a non-customer controlled situation—they knew that we had that rule—and they didn’t necessarily agree with us populating the CVE but they were happy we gave them a heads up and keeping them in the loop.

Pascal: Turning off the device is a form of customer control.

Kent: Are there going to be situations in the Counting Rules where we have to customize them for specific types of technological uses? I suspect yes—especially regarding medical devices. During the review of the counting rules, we need to look at how we structure it so that we can support this kind of situation--one that, for all intents and purposes, is a technological environment that is different from anything we’ve faced, and how can it be applicable to the rest of the group? We may have to have different counting rules for different kinds of technical vulnerabilities.

Kurt: Part of me would like to have one set of rules. I get that automotive, medical, tech, etc., are very different. But my concern is how do you split that up? The lines are already blurry. I think we need a master set of rules with an addendum.

Kent: I just want to add flexibility to the Counting Rules so that we can address these issues when they come up.

Chris: We held a vote for the Amazon Alexa issue, but we don’t want to have to do that for every undefined issue.

Kent: We need to talk about the scope and focus of what we’re going to do with the CNA Rules this year. How do we envision this occurring appropriately so that we can get the CNA Rules updated?

Chris: Last year, we focused on the entire document. This year, we need to have a separate meeting to discuss the major issues we need to address with the update.

Kent: I’m not sure what the impact is to the CNAs. This needs to be a combined effort. We need to have more than two meetings with the CNAs to make sure they’re involved.

ACTION:

Open Discussion

Kent: Where do we stand on the CNA registry proposal? George: We are using a slightly newer version of that internally, but we haven’t done anything with the AWG about that. Kent: Can you post that to the list so we are aware of the changes?

Summary of Action Items

• Check with Chris Johnson on the status of the AWG charter (MITRE).
• Send out note to the Board on the CVE Quality WG (MITRE).
• Kurt Seifried to send follow-up email on Cloud Services.
• Email to be sent to the CNA list regarding the establishment of the CNA Collaboration Working Group (MITRE).
• Continue work on CNA training (MITRE).
• Update the Board charter based on recommendation from Pascal Meunier (MITRE)
• MITRE to setup Board meeting to discuss the “outlier” or unique technical vulnerabilities and update the CNA and Counting Rules
• Get the posting put together for the CNA liaison board nomination and process (email to get people interested in becoming the representative); once nominations are received, the Board will vote on who will be the liaison (MITRE).
• George Theall to post information on the CNA registry proposal update

Significant Decisions:

None