CVE Board Meeting 11 July 2018

Board Members in Attendance

Mark Cox (RedHat)

William Cox (Synopsys)

Scott Lawler (LP3)

Art Manion (CERT/CC)

Scott Moore (IBM)

Kurt Seifried (CSA)

Taki Uchiyama (Panasonic)

Ken Williams (CA)

Members of MITRE CVE Team in Attendance

Chris Coffin

Jonathan Evans

Joe Sain

Anthony Singleton

George Theall

Other Attendees

Chris Johnson (NIST)

Lisa Olson (Microsoft)

Agenda

Introductions, open action items – Chris Coffin

• Previous Action Item: MITRE to change Kurt Seifried’s organizational affiliation on the CVE web site from Red Hat to Cloud Security Alliance.
  • Status: Done July 2.
• Previous Action Item: Send out note to the Board on the CVE Quality WG (MITRE).
  • Status: TBD – Jonathan Evans
• Previous Action Item: Email to be sent to the CNA list regarding the establishment of the CNA Collaboration Working Group (MITRE).
  • Status: List has been set up.

CVE Board Interview with Lisa Olson, Microsoft – CVE Board

As part of the process of vetting nominations to the CVE Board, the board conducted an interview with Lisa Olson, Senior Security Program Manager at Microsoft. Lisa provided a summary of her experience and her interest in participating in the program. The Board agreed to allow a week for internal discussion prior to calling for a vote on the nomination.

Strategic Planning Working Group Face to Face meeting Readout – Chris Coffin

SPWG Face to Face meeting was held in Gaithersburg, MD 6/25 – 6/28. Board members in attendance were Kent Landfield, David Waltermire, Chris Coffin, and Chris Levendis. Work continued on developing projects to be handed off to the Automation Working Group for development. The ID Allocation Service and the CVE User Registry Service will be handed over to the AWG in the near future.

Working Group Updates

Strategic Planning – Chris Coffin

Covered in SPWG Face to Face readout above.

Automation – Chris Johnson

Kurt Seifried agreed to lead the project to develop the CVE User Registry. The next step is to gather requirements.

Chris Johnson stated that NIST has noticed some irregularities in the CVE JSON files, and he will provide additional information on those observations.

Microsoft joined AWG and is working with IBM to develop their submission signing processes.

CNA Updates

DWF – Kurt Seifried

Kurt is working to mint Jenkins, Xen, and PHP as sub-CNAs.

Kurt will inform the board on status of the CSA effort to stand up a new working group.

DWF has caught up on the backlog of new CVEs.

MITRE – Jonathan Evans

KrCERT/CC has asked to be a root CNA. Documentation is being prepared to help prep them to become Root CNA.

Jonathan talked to a few potential CNAs at FIRST conference.

• TWCERT/CC is developing their CVE Embargo policy; once that is complete, they should be ready to become a CNA.
• Talked to CNCERT/CC representative; may be able to make progress on bringing them on board as a CNA.
• D-Link is looking to become a CNA and is working on the requirements to become a CNA.

JP-CERT - Taki Uchiyama

No update on whether any organizations have been approached to become sub-CNAs. Taki is unsure whether JP-CERT is actively recruiting new CNAs at this point. The current process is that when a Japanese company needs a CVE, it makes a request to JP-CERT, who then issues a CVE ID to them. This is how it has worked historically, and it appears that the process will not change for the foreseeable future.

Open Discussion

MITRE had a call with CSA folks that brought to light interest to explore CVE usage in cloud services. CSA would like to investigate further being that they have lines of communication with Cloud service providers. They are asking to establish a Working Group open to all members on the board for participation.

Action items, wrap-up – Chris Coffin

•                     MITRE to set up repo in GitHub for CVE User Registry service project.

•                     MITRE to send email to board for CSA cloud services Working Group.

•                     Board agreed to leave a week open for further discussions on the Lisa Olson Board nomination before calling a vote.