CVE Board Meeting Summary - 19 September 2018

Board Members in Attendance

Andy Balinsky, Cisco Systems, Inc.

William Cox, Synopsys, Inc.

Kent Landfield, McAfee

Scott Lawler, LP3

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Beverly Miller, Lenovo Group Ltd.

Scott Moore, IBM

Lisa Olson, Microsoft

Kurt Seifried, Cloud Security Alliance

David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Jonathan Evans

Joe Sain

George Theall

Other Attendees

None

2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin

2:15 – 2:30: Working Groups 

·         Strategic Planning – Kent Landfield / Chris Coffin

·         Automation – Chris Johnson / Dave Waltermire

2:30 – 2:45: CNA Update

·         DWF – Kurt Seifried 

·         MITRE – Jonathan Evans

·         JPCERT – Taki Uchiyama

2:45 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

• Previous Action Item: MITRE (Chris C/Jonathan) to send out an email to the Board list to initiate the CNA Rules revision process (regarding inclusion).

• Status: Not Done.
• Previous Action Item: CNA rules discussion—MITRE will start putting together a list of things to discuss in follow up calls. 
  • Status: Complete.
• Previous Action Item: Send out note to the Board on the CVE Quality WG (MITRE).
  • Status: Not Done.

• Previous Action Item: Continue discussion to define set of product types, define value, determine whether it can be automated, and the effort involved in doing so (tagging).
  • Status: Moved to future discussion list.
• Previous Action Item: Distribute MITRE congressional slides once submitted to Congress.
  • Status: Response in progress.
• Previous Action Item: Communicate to researcher CNAs – new CNA are hold. Explain that clarifications need to be made about roles and responsibilities before new CNA’s are confirmed.
  • Status: In progress.
• Previous Action Item: Reach out to HackerOne regarding response to CNA query.

o   Status: Done. Initial response was belated due to automated tier 1 response system. HackerOne suggests private CNA email for future communications

o   We will explore the possibility of using Handshake to host the CNA email list and have the CNAs maintain it. 

• Previous Action Item: MITRE to provide metrics on the number of researcher CNAs vs. the number of vendor CNAs.
  • Status: In progress. (Jonathan sent to Dave and Kurt)
  • Action: MITRE to send metrics to Scott Moore as well.
• Previous Action Item: Kurt Seifried to provide the names of those participating in the CVE User Registry project and set up a requirements kickoff meeting.
  • Status: Not Done.
• Previous Action Item: MITRE to send a note to the CNA group email soliciting participation in Automation Working Group projects.
  • Status: Not Done.
• Previous Action Item: MITRE to distribute CVE Root discussion slides to the Strategic Planning Working Group.
  • Status: Complete.

·       Strategic Planning – Kent Landfield / Chris Coffin

o     Kick Off meeting will be September 20, 2018, 4pm – 5pm (EST)

·       Automation – Chris Johnson / Dave Waltermire

o     Meeting was held on Monday Sept. 17^th, to discuss the projects and their status.

o   A kick-off meeting will be set up to review the draft high-level requirements that were developed from the strategic working groups.

o     Kurt requested a “Code of Conduct” for the projects, since they are opening up to CNA’s and others.

·       DWF – Kurt Seifried

• No updates

·       MITRE – Jonathan Evans

o   Cybersecurity Philippines CERT is a new CNA, would like to be a Root CNA.

o   HCL requested to be a CNA.

Met with CNCert last week about requirements for being a Root CNA. Training session needs to be schedules about the CVE rules. 

o   IBM requested to have their X-Force Red team become a researcher CNA, MITRE advised IBM that researcher CNAs are currently on hold. Board (Kent) felt that IBM could be trusted to assign out of their existing IBM CNA pool of CVE IDs.

o   Oracle updated their scope so that end of life products are no longer be covered.

o   ZTE plans on updating their scope, end of life products will not be covered.

·       JPCERT – Taki Uchiyama (not on call)

End of Life Product Discussion

• The question was asked “How can a CNA notify MITRE that they will not be assigning a CVE for end of life products?” 
• How should vendor handle end of life products?
  • Suggestion was made to issue a CVE but not publish a fix; this, however, is up to the Vendor and control of the CVE information release process is a risk of using this approach.
• If a vendor updates their scope to exclude end-of-life products, should they provide documentation explaining which products are/aren’t supported?

Update from Briefing on the Hill

·         Chris Coffin provided an update on the response to the congressional letter regarding CVE funding and coverage received at the end of August. MITRE met with House Energy and Commerce Committee staff members in Washington, D.C. The meeting went very well; they are supportive of the changes that the CVE Board and MITRE have been making to the program and they appreciated the updates. They appreciate our efforts in evolving the program and producing CVEs faster, they look forward to the changes in governance, operations, and infrastructure and for sharing metrics moving forward. They believe we have a great story and they appreciate the hard work that has beenput in. The committee have heard from others in the community and from our sponsor expressing support and the direction the program is heading. The recommendation is to provide consistent funding to the program in the form of a line item in the budget to stabilize the funding. CVE Metrics should be shared with the general public as well going forward. There was confusion among the staffers present regarding roles and responsibilities between CVE, NVD, and CERT.

Potential new board member

• Art Manion advised the group he will be submitting a nomination for a new board member.
  • Chris recommend a board interview be conducted with board member nominees.

CVSS (Common Vulnerability Scoring System)

• ISSUE: There is currently an assumption that each CVE has a single CVSS score.  However, different products may have different score, e.g. one may implement sandboxing while the other doesn’t.  It was proposed that the CVE assignment rules be changed to assign IDs per product per vulnerability.
  • All CVE’s have a CVSS, there is a concern that there are not a CVSS scores to represent the various CVE issues.
  • The group discussed ways to use the CVSS scoring to address these situations.
  • The main problem here is there only a one to one mapping, in the NVD. This is a conversation needed with the NVD to help address this situation.
  • The CVE JSON format does allow for more than one CVSS score to be assigned to a single CVE
• CVSS SIG meeting will be held on Sept. 21^st, to further discuss this issue.
  • Art Manion will report on the outcomes from this meeting at the next Board meeting.

·       Homework for the Board:

• Bring ideas about which CVE Metrics should be displayed on the CVE site.
• Think about how to best advertise CVE metrics to the community.
  • E.g., CVE Assigned, CVE published, days/months to publish, etc.

·       Art Manion to report back to the Board about the CVSS SIG Meeting.

·       Scott Moore to notify MITRE on how to handle IBM researcher CNA status

·       Chris Coffin - Add Andy Balinsky to the Cloud Security Alliance working group to discuss CVE for services.

·       Andy Balinsky - Post message/document to the list as a foundational piece regarding Cloud Security Alliance.

·       Chris Coffin - Add CSA to the regular agenda for the board meeting (a readout from the last call).

·       MITRE (Chris C/Jonathan) to send out an email to the Board list to initiate the CNA Rules revision process.

·       Send out note to Board on CVE Quality WG (MITRE).

·       Scott Moore (IBM) will be allowed to use his IBM CVE IDs or create an alternate IBM CNA to cover IBM researcher vulnerabilities.

1. How can we better communicate our future vision of the CVE program? How can we better market the CVE program and communicate the great changes that are taking shape?
2. How do we provide more status information to the public around metrics and ongoing activities we are engaged in?
3. CNA Process – Front Door or Back Door; How should CNAs communicate with each other, and how would that information be managed?
   1. Set up an excel spreadsheet to share contact info amongst the CNAs?

4)   CNA Scope Issues 

      The Board discussed that CNA documentation around roles and responsibilities are needed, current documentation is not clear, CNA assign CVE within their scope. Scope may or may not cover CVE for their customers.

o   CNA Rules - The rules state CNAs must be responsive but does not provide a specific timeframe. The rules state if a CNA plans to assign a CVE for a vulnerability another vendor’s product, to the assigning CNA should contact the vendor.  The vendor would then make a determination.

o   New Approach to CNAs and Roots - A given Root has a scope. A portion of the scope gets delegated to a CNA (i.e., product or area of research). If a portion of the scope is not delegated to a CNA, that scope stays with the Root. It is the Root’s responsibility to do the CVE assignment as the CNA of last resort.

o   Action Item – CNA Rules need to be updated to reflect this new approach.

5)   Eliminate duplication CVE assignment discussion

o   The Board discussed that specifying CNA scope will help eliminate duplicate CVE assignments. Art explained that having open communication with other CNAs when making CVE assignments is critical; keeping this communication at the CNA level (not at Root/Primary level) will help with duplication.

o Recommendation 1: Process recommendation needs to be added to CNA training.

o Recommendation 2: CNA rules need to be updated to minimize duplicate assignments.

o   Johnathan explained that duplication of CVE assignments occurs the most with DWF.

6)   Researcher CNAs

o   The Board discussed researcher CNAs that have with ambiguous scopes. These CNAs have issued thousands of CVEs.

o Recommendation 1: Avoid adding any new researcher CNAs until there are specific qualifications and guidelines for what qualifies as a researcher CNA. This includes defined scope rules yet to be discussed.

o Recommendation 2: Make the scope naturally programmatic for researcher CNAs.

o Recommendation 3: Change the process for researcher CNAs. Who is responsible for coordinating the assignment of the IDs? Who issues the CVE ID and who populates the information? There should be an easier way for companies to request an CVE ID.

o Recommendation 4: Better define roles and responsibilities for researcher CNAs.

o Recommendation 5: Need to address the researcher CNA ambiguous scope issue before onboarding additional researcher CNAs.

o Recommendation 6: Explore the possibility of researchers participating in the CNA program without becoming CNAs.

o Recommendation 7: Need a testing/certification program for CNAs to make sure they can adequately perform their role, especially researchers.

o   The Board agreed to explore better solutions regarding the researcher CNA ambiguous scope issue.

7)    Operationalize Root CNAs effectively

o   Further discussion is needed regarding how we can operationalize Root CNAs more effectively.

o   Additional discussion regarding MITRE’s role in operationalizing roots is needed.

8)     Product Type Tagging/Categorization

o   As the production numbers for CVEs go up, there will be an increasing need to view a subset of the overall CVE master list

o   Define a list of common product areas/domains to be used for categorizing CVE entries (e.g.., Medical devices, automotive, industrial, etc.)

o   The tags/categories should be attached to the products and not to the CVE entries directly.

o   Product listings in CVE User Registry would be a potential location.

• Can it be automated?
8. Future of CVSS
   • Assigning multiple CVSS to a single CVE.
   • Hill discussions around CVSS.

Meeting recordings available here:

https://handshake.mitre.org/file/group/15069086/all#15213189