Agenda for CVE Board Meeting March 8 (Wednesday)


Agenda for CVE Board Meeting March 8 (Wednesday)

Adinolfi, Daniel R

All,

I apologize for the late arrival of the agenda for this week's CVE Board meeting. It is below.

Thanks.

-Dan

CVE Board Meeting 8 March 2017

Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning - Kent Landfield
                        Issues
                        Actions
                        Board Decisions

            Automation - Harold Booth
                        Issues
                        Actions
                        Board Decisions

2:25 – 2:50: CNA Update

            DWF – Kurt Seifried
                        Issues
                        Actions
                        Board Decisions

            General - Dan Adinolfi
                        Issues
                        Actions
                        Board Decisions

2:50 – 3:00: FIRST PSIRT Meeting - Dan Adinolfi

3:00 – 3:10: CNA Documentation - Dan Adinolfi

3:10 – 3:20: CNA Report Card - Chris Coffin

3:20 – 3:40: Twitter and LinkedIn Presences - Chris Coffin

3:40 – 3:50: Pain Points - Chris Coffin

            - CVE entry sources.

3:50 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin


Re: Agenda for CVE Board Meeting March 8 (Wednesday)

kseifried@redhat.com
My throat is mostly packed up today, so mostly what I have to report:

1) need to CNA/CVE training material to mint more CVE Mentors (since I can't just use existing trained people =)
2) there is definitely interest in CVEMentors becoming CNAs for third party projects (e.g. Adam Caudhill doing WordPress)

One thing that I forgot to mention on the CVE automation WG yesterday but is worth thinking about both for them and the board:

CNAs are required to push data to their parents and ultimately to MITRE, BUT:

how does data from MITRE or data that goes directly to MITRE filter back up the patch? 

E.g. DWF CNA creates CVE-XXXX-YYYYYYY and pushes to the DWF which pushes it to MITRE. Then an existing root CNA, say a commercial one, comes along and updates the CVE root level description. How does that updated description go back up the chain to the DWF/child CNA? Do we care? My concern is ending up with different versions of a CVE that become difficult to merge (e.g. a DWF sub CNA updates the root description and then tries to send that up the line to MITRE). 

This won't be a problem for some time I suspect, but it will become a problem eventually.

On Wed, Mar 8, 2017 at 11:59 AM, Adinolfi, Daniel R <[hidden email]> wrote:

--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: Agenda for CVE Board Meeting March 8 (Wednesday)

Adinolfi, Daniel R

Thanks, Kurt.

 

I read your note into the record. Feel better soon.

 

-Dan

 

From: Kurt Seifried <[hidden email]>
Date: Wednesday, March 8, 2017 at 14:08
To: "Adinolfi, Daniel R" <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: Re: Agenda for CVE Board Meeting March 8 (Wednesday)

 

