[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE Board Meeting Summary - 25 July 2018

CVE Board Meeting 25 July 2018


Board Members in Attendance

Andy Balinski (Cisco)

William Cox (Black Duck Software)

Beverly Finch (Lenovo)

Scott Lawler (LP3)

Art Manion (CERT-CC)

Scott Moore (IBM)

Kurt Seifried (RedHat)

Taki Uchiyama (Panasonic)

Members of MITRE CVE Team in Attendance

Chris Coffin

Christine Deal

Jonathan Evans

Other Attendees

Chris Johnson (NIST)


2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin

2:15 – 2:30: Working Groups 

·       Strategic Planning – Kent Landfield

·       Automation – Chris Johnson, Dave Waltermire


2:30 – 2:45: CNA Update

·       DWF – Kurt Seifried

·       MITRE – Jonathan Evans

·       JPCERT – Taki Uchiyama


2:45 – 3:15: 2018 Q2 Quarterly Program Review and CNA Report Card – Chris Coffin

3:15 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting

  • Previous Action Item: MITRE to set up repo in GitHub for CVE User Registry service project.
    • Status: Done
  • Previous Action Item: MITRE to send email to Board for CSA cloud services Working Group.
    • Status: Done
  • Previous Action Item: Board agreed to leave a week open for further discussions on the Lisa Olson Board nomination before calling a vote.
    • Status: Are we ready to start the vote? Nobody on the call objected to starting the vote
  • Previous Action Item: Send out note to the Board on the CVE Quality WG (MITRE).  
    • Status: Not Done


Agenda Items

Board Working Groups

Strategic Planning Working Group (Chris Coffin / Kent Landfield)

ISSUES: Talked about current state of Services documents, which are mostly complete. Waiting on final feedback and review from SPWG members and chair.





Automation Working Group (Chris Johnson / Dave Waltermire)

ISSUES: Met on Monday and discussed several topics, including the use of 2 digits vs. 3 digits for ISO language code for CVE entries and the need to come to an agreement about which code is preferable. Some scenarios were introduced on emergent issues, including publishing of CVEs and the possible workflows that would happen from such a capability. Also discussed the NVD CPE assignment process—how it happens, what data is used to craft the CPEs (container data or vendor sources)—will look into the process. The group also talked about getting together to plan for phase 3 pilot; there were some activities that were supposed to happen that haven’t yet happened—do those need to be addressed under a follow on phase? A quick status on CONOPS for Services coming out of SPWG was given. Kurt Seifried provided an update on some of the activities he did in getting the CVE User Registry project off the ground.

Scott Moore indicated he was unable to join via Skype so Chris Coffin will look into that before the next meeting.

Kurt stated that there are rules about how we ingest data (CVE guidelines); with the language issue—when he looked at the ISO standard, he picked the newer 3 digit one because it supports more language. But do we have rules for how others publish data? Within the CVE ecosystem, there are a lot of people who consume the data and re-publish it. He wants to confirm that there are no rules/guidelines on how people publish the data (e.g., changing the date format). Chris Coffin said he’s not aware of any formal guidelines as long as they’re following the Terms of Use. Kurt wants to know if we need to state somewhere that the originally formatted canonical source of the CVE master list is on the MITRE CVE web site, but that the data may be slightly altered if viewed from a different source.



 CNA Updates

DWF (Kurt Seifried)

STATUS: Working on minting some new CNAs and one of them identified some problems he had to fix. Trying to streamline the process a bit.




STATUS: Had a few people request to become CNAs:

  • MongoDB (CNA training with them this morning)
  • Odoo (training scheduled for Friday)
  • Johnson Controls asked for more information on the general process of onboarding
  • Philippines CERT
  • An open sources organization was sent to DWF




Status: Nothing to report.

2018 Q2 Quarterly Program Review and CNA Report Card (Chris Coffin)

DISCUSSION: Discussed the general topics and covered some of the highlights of the data from the 2nd quarter of 2018. There was a 40% reduction in the number of Reserved but Public (RBP) CVE IDs. The average time to populate rose a bit in the past quarter, but this was due to multiple CNAs populating CVE entries from their backlogs.

ACTION: Board to review at their leisure and provide comments

Open Discussion

Regarding publicly disclosed but unpopulated CVE IDs: How do we incentivize CNAs to handle their backlog? We have guidance for a 24-hour rule for getting the information to MITRE once a CVE ID is published. Next time they ask for IDs, perhaps we could request that they first give us information on their backlog. Instead of giving them another set of IDs, we ask them to provide a number of items from their backlog and then we will give them that same amount of new CVE IDs (i.e., a one-for-one trade). Kurt feels that would elicit a very negative reaction from some CNAs, but it may be what is needed to fix the problem.

Asked Kurt to take a look at the CVE User Registry Charter: As the chair of the first Automation WG project, Kurt will review the charter to see if it meets his needs. Kurt edited the file on the automation WG from CVE Registry to CVE User Registry—that file makes sense in general. He will update the documentation to reference that.

Does MITRE support setting up a public discussion list for the CVE User Registry? Yes, that seems reasonable.


Summary of Action Items

  • MITRE (Chris C/Jonathan) to send out an email to the Board list to initiate the CNA Rules revision process (regarding inclusion)
  • CNA Coordination group needs a chair—MITRE will begin initiating the conversations to identify a chair
  • MITRE to send note to the Board about removing the two non-responsive CNAs identified previously
  • Kurt to include project charter within the CVE User Registry repository

Significant Decisions:

  • MITRE will create a message for the CNAs to let them know of a change in policy for how RBP CVEs are handled going forward. If a CNA has any RBP CVEs that are one week or older, they must submit the details for those before obtaining additional new CVE IDs for later assignment. If their RBP list is large, we can provide new CVE IDs on a one-for-one basis. In other words, for each RBP CVE they populate, we will provide them with one new CVE ID.
  • The two non-responsive CNAs will have their CNA status removed. These CNAs have not been active in the past 12 months and failed to respond to recent communication attempts.


Page Last Updated or Reviewed: July 31, 2018