CVE Board Meeting Summary - 8 August 2018

CVE Board Meeting 8 August 2018

Board Members in Attendance

Mark Cox (Red Hat)

William Cox (Black Duck Software)

Beverly Finch (Lenovo)

Scott Lawler (LP3)

Pascal Meunier (CERIAS/Purdue University)

Taki Uchiyama (Panasonic)

Members of MITRE CVE Team in Attendance

Chris Coffin

Christine Deal

Joe Sain

Other Attendees

Chris Johnson (NIST)

Agenda

2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin

2:15 – 2:30: Working Groups 

·       Strategic Planning – Kent Landfield / Chris Coffin

·       Automation – Chris Johnson / Dave Waltermire

2:30 – 2:45: CNA Update

·       DWF – Kurt Seifried

·       MITRE – Jonathan Evans

·       JPCERT – Taki Uchiyama

3:15 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting

• Previous Action Item: MITRE (Chris C/Jonathan) to send out an email to the Board list to initiate the CNA Rules revision process (regarding inclusion)

• Status: Not Done
• Previous Action Item: CNA Coordination group needs a chair—MITRE will begin initiating the conversations to identify a chair
  • Status: Not Done
• Previous Action Item: Kurt to include project charter within the CVE User Registry repository
  • Status: Done
• Previous Action Item: MITRE to send note to the Board about removing the two non-responsive CNAs identified previously
  • Status: Done, included in the significant list of the last board meeting summary and the CNAs were removed
• Previous Action Item: MITRE to start vote on Lisa Olson Board nomination.
  • Status: Done
• Previous Action Item: Send out note to the Board on the CVE Quality WG (MITRE).  
  • Status: Not Done

Agenda Items

Board Working Groups

Strategic Planning Working Group (Chris Coffin / Kent Landfield)

ISSUES: The first two CVE service documents that have been written up were sent to the AWG on Monday; there is still some work to be done there, but we’d like the AWG projects to pick those up and start filling them in. Since that process seemed to work, MITRE will take on putting together the drafts of Authentication/Authorization and JSON Format service documents as well. If we need another face to face, we will do that. Otherwise, we will pass them around via email. The last part of the meeting, we discussed the fact that the whole purpose of the group is to think about what we want for CVE to look like 3-5 years down the road. There are still plenty of specifics that need to be defined, e.g., things like root CNAs, Secretariat, Council of Roots. We have a notional idea of what those should be, but we don’t yet have them defined specifically. We can start working on that in coming meetings. MITRE will start focusing on the agenda of the next few meetings to plan how we want to start working on those items.

ACTIONS: N/A

BOARD DECISIONS: N/A

Automation Working Group (Chris Johnson / Dave Waltermire)

ISSUES: No updates (nobody present attended the last meeting)

ACTIONS: Chris Johnson will talk to Dave Waltermire to understand if any significant discussions took place and will pass those along via the Board mailing list.

BOARD DECISIONS: N/A

 CNA Updates

DWF (Kurt Seifried)

STATUS: No updates (Kurt was not present)

ISSUES/DISCUSSION: N/A

ACTIONS: N/A

MITRE (CVE Team)

STATUS: We removed two CNAs that were non-responsive. Jonathan has been talking to two CNAs and will be meeting with some CNAs tomorrow (August 9) at BlackHat.

DISCUSSION: N/A

ACTIONS: None

JPCERT (Taki Uchiyama)

Status: Nothing to report.

Open Discussion

Really trying to focus on getting some of the Reserved but Public CVEs cleared out—we announced a new policy about if a CNA is behind as far as RBP CVE entries, we start doing a one for one trade. RedHat is just about caught up (they only have a handful in their backlog). Mark Cox said he was thinking of the policy from the Apache side—there are some occasions where they are not ready to publish a CVE but it was leaked by a researcher. Could we just put a placeholder in and then when ready, fill it in properly? There will be special cases from time to time that need to be handled separately.

Chris asked if anyone had anything to discuss. Pascal would like to discuss smart contract vulnerabilities, but thinks Kurt should be present for the discussion. Chris Coffin said it might be worthwhile for Pascal to re-distribute the background information with the group (started on July 9 with an email from Jericho).

One thing we can start talking about is CNA rules changes and the specifics of things that have been brought up.

Summary of Action Items

• MITRE (Jonathan/Chris C) to send out an email to the Board list to discuss updating CVE Rules (regarding inclusion)
  • CNA rules discussion—MITRE will start putting together a list of things to discuss in follow up calls
• CNA Coordination group needs a chair—MITRE will start setting up the conversations to get that moving
• Smart contract CVEs discussion—Board members should research and be prepared to discuss in next board meeting
• MITRE to prepare information for Board regarding CVE Quality WG
• NIST (Chris J) to send any important topics to Board list from August 6 Automation WG meeting

Significant Decisions:

None

Meeting recording available here: https://handshake.mitre.org/file/view/15205910/cve-board-meeting-8-august-2018