CVE Board Meeting Summary - 22 August 2018

CVE Board Meeting 22 August 2018

Board Members in Attendance

Andy Balinsky (Cisco Systems, Inc.)

William Cox (Synopsys, Inc.)

Kent Landfield (McAfee)

Scott Lawler (LP3)

Scott Moore (IBM)

Lisa Olson (Microsoft)

Kurt Seifried (Cloud Security Alliance)

Taki Uchiyama (Panasonic)

Dave Waltermire (NIST)

Members of MITRE CVE Team in Attendance

Chris Coffin

Christine Deal

Jonathan Evans

Joe Sain

George Theall

Other Attendees

Chris Johnson (NIST)

Agenda

2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin

2:15 – 2:30: Working Groups 

·       Strategic Planning – Kent Landfield / Chris Coffin

·       Automation – Chris Johnson / Dave Waltermire

2:30 – 2:45: CNA Update

·       DWF – Kurt Seifried

·       MITRE – Jonathan Evans

·       JPCERT – Taki Uchiyama

2:45 – 3:15: Smart Contract CVEs Discussion

3:15 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting

• Previous Action Item: MITRE (Chris C/Jonathan) to send out an email to the Board list to initiate the CNA Rules revision process (regarding inclusion)

• Status: Not Done

• Previous Action Item: CNA rules discussion—MITRE will start putting together a list of things to discuss in follow up calls
  • Status: Not Done

• Previous Action Item: CNA Coordination group needs a chair—MITRE will begin initiating the conversations to identify a chair
  • Status: CNA Coordination Group startup has been prioritized and should begin this week.
• Previous Action Item: Send out note to the Board on the CVE Quality WG (MITRE).  
  • Status: Not Done
• Previous Action Item: NIST (Chris J) to send any important topics to Board list from August 6 Automation WG meeting
  • Status: Not Done

Agenda Items

Board Working Groups

Strategic Planning Working Group (Chris Coffin / Kent Landfield)

ISSUES: Need to focus was on how we move forward with some of the items that are a little behind, drafts of new service documents, standing up the CSA Coordination WG. Chris Levendis and Chris Coffin are going to draft the CVE JSON Submission and Credentialing and Authentication service documents. Talked about future meetings and the continued need for putting an agenda together for the meetings going forward.

ACTIONS: N/A

BOARD DECISIONS: N/A

Automation Working Group (Chris Johnson / Dave Waltermire)

ISSUES: Gave a status on NVD on August 13^th, cut over to getting over all CVE data directly from Git. That cut over has happened. As far as I know, all is working well on that front. Also encourage those in attendance to make themselves familiar with service documents that came down from the SPWG. Kent: Is switchover causing faster processing at NIST or is it about the same? Chris J: Don’t know the answer to that right now.

ACTIONS: Send out an email to CNA list about someone to chair the CVE ID Allocation Service project group

BOARD DECISIONS: N/A

 CNA Updates

DWF (Kurt Seifried)

STATUS: Nothing to report

ISSUES/DISCUSSION: N/A

ACTIONS: N/A

MITRE (CVE Team)

STATUS: Avaya and Odoo are new CNAs. Appthority as a CNA will be announced soon. Training was conducted last week with Johnson Controls and Oppo The Philippines CERT has asked to be a CNA. The Chinese CNCERT has asked to be a root CNA. We’ve had some scheduling issues because of some conferences.

The Open AI Systems Security Alliance has asked to be a CNA. It looks like they only cover open source products, so I may be referring them to DWF, but they are also a Chinese organization. All of their content is in Chinese. They were wondering if they need a website in English, and an English version of their disclosure policy, etc. Kurt: If it’s only used in China, then they can keep it in Chinese. If their products are used outside of China, it would be nice to have it in English. They want to be both a vendor and a researcher. They also asked if they could report bugs in Android or Linux and similar products. Chris C: Are they aware that anything they submit to us to get a CVE would have to be in English? Jonathan: I haven’t gotten that far yet. Kent: We need to have a base language for CVE so that it’s understood across the globe. The whole issue of language needs a separate discussion. Kurt: My concern is 1) make sure the value of forcing English is worth it and 2) they use Google translate and it may not be accurate. Chris C: If we require the description to be in English, do we also need the references to be in English? General consensus is that Google translate would be good enough for this purpose (description/references). Kurt: Inherent in JSON spec already is a language capability. Kent: We need to make sure that localization is understood by the industry. There is a need to create a document about this topic.

Jonathan: Say CNCERT was a root CNA. Would this new organization be under CNCERT or DWF? Kurt: I don’t speak Chinese, so I think it makes sense for them to be under CNCERT. Kent: We need to find out who they are (Open AI Systems Security Alliance), their scope, etc. They may be a better fit under CNCERT, but we need to figure it out.

Taki said he’d be a bit careful with CNCERT because they aren’t really responsive sometimes, so just be wary of that.

Chris C: The question whether or not they fall under you because they’re open source—that’s a scope conflict, right? Kurt: I was going to bring that up with regards to the Word Press issue because the vendor is HackerOne, and they are a CNA. Don’t want to step on their toes, but they haven’t done the CVE. Part of that will be solved with the CVE User Registry, forcing people to define their scope. That scope conflict issue is already there and isn’t too big of a problem, as long as when people assign a CVE and they publish it promptly.

Dave: But HackerOne’s scope isn’t open source. Kurt: But Word Press is their client, so they do fall within their scope. Dave: Every CNA is supposed to have a published, defined scope.

There is a lot of discussion about the fact that HackerOne is covering Word Press, who falls outside their scope (technically). Word Press is open source AND a client of HackerOne. So, while they are open source and should perhaps go through DWF for CVE assignment, they are going through HackerOne since they are a client.

Kent: We’ve talked about this before—we need to re-organize the hierarchy of root CNAs. This will help reduce the ambiguity here. In certain cases, we will not be able to make it all go away.

Kurt: There are 80+ CNAs; at least 60 of them have stuff in GitHub, meaning they have stuff in open source. Dave: Some decision needs to be made on where they fall. Kurt: Why do they only have to fall into one root? Dave: Most concerned that there be a clear management chain of who is supposed to oversee that CNA. Chris C: We need to be more specific with the way scope statements are defined—the CVE User Registry is one way we will get there.

Jonathan: Something on my to do list is to create a guidance document on how to create a scope statement. Becoming a CNA presentation—there is a slide deck on how to define your scope: http://cveproject.github.io/docs/cna/Becoming%20a%20CNA.pptx.  

CVE User registry scope discussion: product/service; severity and/or type of flaw; internal (public and/or private) vs. external (public and/or private); coverage of end of life products.

Chris C and Jonathan will discuss process for adding researchers as CNAs (pending the onboarding of Appthority). Dave/Kent expressed concern for adding researchers as CNAs. Dave is happy to participate in an alternate call to further discuss the topic of adding researchers as CNAs.

Kent would like to know the identities of the CNAs that were removed for lack of communication.

DISCUSSION: N/A

ACTIONS: Outreach to community regarding how to handle language issues. Lisa Olson may be able to send us a document we can use as a starting point.

Schedule a separate call to discuss Researcher CNAs.

JPCERT (Taki Uchiyama)

Status: Nothing to report.

Smart Contract CVEs Discussion

Kurt and Pascal are on board with continuing to create CVEs in the cases of smart contract vulnerabilities; anyone have additional thoughts? Should we continue to assign CVEs for smart contract vulnerabilities? Kurt: A lot of these smart contract assignments are Turing complete. We already have a precedent of Turing complete scripting language and there are also actions people can take with these smart contracts (not using them or avoiding them in other ways). This is a new space with a lot of movers. 59% attrition rate. Dave: This is something we should be covering, I agree. Kent: I haven’t had a chance to review it yet.

Kurt: I don’t want a million boring smart contract vulnerabilities to sift through eventually. Dave—we’ve talked about this before. There needs to be a way to categorize the vulnerabilities so that the boring ones can be sorted out. We need to re-visit the categorization/characterization of vulnerabilities. Kurt: Hoping that better defining the scope will fix most of the problem. Wants to avoid making people manually tag data.

This discussion leads to open discussion, below.

Open Discussion

We need to be able to tag a product and product list so that the CVEs include the tags. Kurt: We still need to add the tags and deal with those who refuse to add them.

Who actually does the work of adding them (tags)? NVD? MITRE? Chris C to Dave: Should this be what the vulntology does? Dave: The vulntology has been more about characterizing the nature of the vulnerability, not the nature of the vulnerable product.

Kent: What is the status of the vulntology? Dave: We are still working on getting together an initial draft. What I’d like to do is to begin to share the site with more (broaden the review); seems like the Board would be a good place to start. Send Dave an email if you are interested in taking a look at it.

Chris C: As far as an action item for getting started on this other topic, we need to come up with a list of categories, types, tags that make sense. Kurt: Wouldn’t it make more sense for the community to come up with that? Dave: We need to think through the target audience and the best way to get them engaged. Kurt: the other things is that different industries have different meanings for the same word. We need to look at how we can get a machine to do this. Dave: The reason we want to do something like this is that we constantly say when we’ve been talking about various new types of vulnerabilities to cover with CVE that we’re concerned about, the bloat that picking on those things would cause. I’m afraid that we’re making decisions based on technical problems that could be solved by some human or machine tagging process that would help us make CVE more relevant. But we are not wanting to do so because of the impact it would have (e.g., service vulnerabilities). Kurt is in favor of tagging if we can get it automated.

Kurt raised with SPWG: Trying to look for a good, simple, concise marketing message around CVE to make it more palatable. Chris C: The CVE 101 document and set of slides was shared with the Board and should suffice for this purpose. Kurt wants a simple moniker that gets the point across. Chris C said CVE 101 or some part of it should work for him and if it doesn’t, we need to re-visit that document.

Summary of Action Items

• MITRE (Chris C/Jonathan) to send out an email to the Board list to initiate the CNA Rules revision process (regarding inclusion)
• CNA rules discussion—MITRE will start putting together a list of things to discuss in follow up calls
• Send out note to the Board on the CVE Quality WG (MITRE) 
• Lisa Olson to investigate sharing a paper as a place to start with CNA scope work
• MITRE will contact HackerOne to inquire about WordPress vulnerability and contact Kurt
• Set up another discussion for Appthority as a research CNA
• Continue discussion to define set of product types, define value, determine whether it can be automated, and the effort involved in doing so (tagging)
• Marketing message for CVE—send out CVE 101 to group and use as starting point (may need to customize for different audiences)

Significant Decisions:

None

Meeting recordings available here:

https://handshake.mitre.org/file/group/15069086/all#15209000