CVE Advancements


CVE Advancements

Landfield, Kent B
Happy 2016!

Sorry for my slow reply.  Getting sick over the holidays is no fun.

CVE Issues discussed recently.

  *   Current CVE Operational Background and needed improvements
  *   CVE CNA Rules and Guidelines
  *   Existing CNA problems and guidelines to address them
  *   CVE Coverage – Prioritized scope of coverage for CVE / associated Sources and Products
  *   A simpler counting approach
  *   Board Responsibilities
  *   US Focus of CVE in a world where software is being developed globally
  *   The Future Management Architecture of CVE Assignment – federated CVE
  *   CVE Uses – database / NVD, others
  *   CVE Backlog
  *   Funding of CVE operations
  *   The required “quality” of final CVE entries
  *   Board membership and the process for adding members

And I am sure there are others I have missed…

At the Face-to-Face we held at RSA last year we discussed having a multi-day CVE Editorial Board Engineering and Organizational workshop.  The plan was for it to be open to Editorial Board members with the major purpose of addressing many of the outstanding issues at the time.  The set of issues has not been addressed. We all recognize that and at the rate we are making progress now, we may be talking about the same issues in two years with little done.

What we need to do is to get those interested in fixing the current issues, advancing CVE and putting it on a successful path, to get together in the same room for a few days to have high-bandwidth, open and honest discussions about the way forward.

I don’t see us being successful without an event such as this.  I know RSA is once again coming up but any meeting we will have there will be limited to potentially a couple hours due to everyone’s schedules.  What we need is to have this type of F2F in a place where we can be totally focused on CVE and its improvements.

Would MITRE or anyone here want to hold such an event?  I suspect we would need three days to discuss the issues and come to some agreement.  I suspect late March or early April could be a good time to shoot for.  We would need to set up an agenda to assure we were addressing a prioritized set of issues in order to get the most out of the workshop.

If we are serious about correcting CVE related issues we need this time…

Thoughts?

---
Kent Landfield
+1.817.637.8026

RE: CVE Advancements

Stephen Boyle
Administrator
Hello Kent and other Editorial Board members,

We agree that such a meeting would be very useful for all parties and we especially like the idea of a focused, high-bandwidth discussion.

We would be happy to host the meeting in either the MITRE Bedford or McLean, Virginia location according to members' preferences.

Of course, if anyone else would like to host the meeting, or if people would prefer a location other than the northeast corridor of the U.S., we are certainly open to that.

Best Regards,
The MITRE CVE Team

Re: CVE Advancements

Landfield, Kent B
McLean VA sounds like a good idea. There are a good number of folks in the
DC area who would not have to fly in.  I will of course, coming from
Texas, but if there are more folks in the DC area, that sounds like a
great venue for the workshop.
---
Kent Landfield
+1.817.637.8026




On 1/5/16, 1:11 PM, "[hidden email] on
behalf of Boyle, Stephen V."
<[hidden email] on behalf of
[hidden email]> wrote:

>Hello Kent and other Editorial Board members,
>
>We agree that such a meeting would be very useful for all parties and we
>especially like the idea of a focused, high-bandwidth discussion.
>
>We would be happy to host the meeting in either the MITRE Bedford or
>McLean, Virginia location according to members' preferences.
>
>Of course, if anyone else would like to host the meeting, or if people
>would prefer a location other than the northeast corridor of the U.S., we
>are certainly open to that.
>
>Best Regards,
>The MITRE CVE Team

Re: CVE Advancements

Eugene H. Spafford
I would be happy to host this at Purdue, although that may not be as convenient as DC for some people.  It isn’t all the way to the East Coast, however.


> On Jan 5, 2016, at 2:16 PM, Landfield, Kent B <[hidden email]> wrote:
>
> McLean VA sounds like a good idea. There are a good number of folks in the
> DC area who would not have to fly in.  I will of course, coming from
> Texas, but if there are more folks in the DC area, that sounds like a
> great venue for the workshop.
> ---
> Kent Landfield
> +1.817.637.8026
>
>
>
>
> On 1/5/16, 1:11 PM, "[hidden email] on
> behalf of Boyle, Stephen V."
> <[hidden email] on behalf of
> [hidden email]> wrote:
>
>> Hello Kent and other Editorial Board members,
>>
>> We agree that such a meeting would be very useful for all parties and we
>> especially like the idea of a focused, high-bandwidth discussion.
>>
>> We would be happy to host the meeting in either the MITRE Bedford or
>> McLean, Virginia location according to members' preferences.
>>
>> Of course, if anyone else would like to host the meeting, or if people
>> would prefer a location other than the northeast corridor of the U.S., we
>> are certainly open to that.
>>
>> Best Regards,
>> The MITRE CVE Team



Re: CVE Advancements

tk blast
I don't have a preference on the location.  Just request that I have enough time to allocate time and block it on my calendar.
--tk

On Tue, Jan 5, 2016 at 2:45 PM, Eugene H. Spafford <[hidden email]> wrote:
I would be happy to host this at Purdue, although that may not be as convenient as DC for some people.  It isn’t all the way to the East Coast, however.


> On Jan 5, 2016, at 2:16 PM, Landfield, Kent B <[hidden email]> wrote:
>
> McLean VA sounds like a good idea. There are a good number of folks in the
> DC area who would not have to fly in.  I will of course, coming from
> Texas, but if there are more folks in the DC area, that sounds like a
> great venue for the workshop.
> ---
> Kent Landfield
> +1.817.637.8026
>
>
>
>
> On 1/5/16, 1:11 PM, "[hidden email] on
> behalf of Boyle, Stephen V."
> <[hidden email] on behalf of
> [hidden email]> wrote:
>
>> Hello Kent and other Editorial Board members,
>>
>> We agree that such a meeting would be very useful for all parties and we
>> especially like the idea of a focused, high-bandwidth discussion.
>>
>> We would be happy to host the meeting in either the MITRE Bedford or
>> McLean, Virginia location according to members' preferences.
>>
>> Of course, if anyone else would like to host the meeting, or if people
>> would prefer a location other than the northeast corridor of the U.S., we
>> are certainly open to that.
>>
>> Best Regards,
>> The MITRE CVE Team




--

Tim "TK" Keanini
mbl 415 328 2722
twtr @tkeanini


RE: CVE Advancements

Stephen Boyle
Administrator

Shall we create a Doodle poll for the Board for March 28th – April 8th?


Re: CVE Advancements

Landfield, Kent B
I actually have a conflict the week of the 1st thru the 8th.  An Intel event the first part and the NIST Cybersecurity Framework workshop the second.

---
Kent Landfield
+1.817.637.8026

From: <[hidden email]<mailto:[hidden email]>> on behalf of Stephen Boyle <[hidden email]<mailto:[hidden email]>>
Date: Tuesday, January 5, 2016 at 3:26 PM
To: cve-editorial-board-list <[hidden email]<mailto:[hidden email]>>
Cc: Stephen Boyle <[hidden email]<mailto:[hidden email]>>
Subject: RE: CVE Advancements

Shall we create a Doodle poll for the Board for March 28th – April 8th?

Re: CVE Advancements

Eugene H. Spafford
In reply to this post by Stephen Boyle
Let me note, from a historical perspective, that CERIAS hosted a workshop on vulnerability databases here in January 1999.  The MITRE folks presented at that workshop, and decided to make their efforts public as a result.  The CVE was “born” in a sense as a result of that meeting, although much of the work had been done prior.
See http://www.ieee-security.org/Cipher/ConfReports/1999/CR1999-WVDB99.html

(I helped organize the first workshop, too, at NIST, as I recall.  It wasn’t as well attended.)

It might be worthwhile to have a follow-up workshop for not only the CVE, but some of the other players in the arena.  We could piggyback it on our annual symposium here, in April, which might make it even more of interest for some people to attend.

However, if I were to do that, I’d want some definite buy-in from people, including some who would help with planning.  This is not necessarily the same as a CVE editorial board meeting, which could be done in conjunction or separately with a workshop.

—spaf


RE: CVE Advancements

Stephen Boyle
Administrator
In reply to this post by Landfield, Kent B
How about the weeks of March 28th - April 1st, and April 11th - 15th?

Other suggestions?

Best Regards,
The MITRE CVE Team

-----Original Message-----
From: Landfield, Kent B [mailto:[hidden email]]
Sent: Tuesday, January 05, 2016 4:32 PM
To: Boyle, Stephen V. <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: CVE Advancements

I actually have a conflict the week of the 1st thru the 8th.  An Intel event the first part and the NIST Cybersecurity Framework workshop the second.

---
Kent Landfield
+1.817.637.8026

From: <[hidden email]<mailto:[hidden email]>> on behalf of Stephen Boyle <[hidden email]<mailto:[hidden email]>>
Date: Tuesday, January 5, 2016 at 3:26 PM
To: cve-editorial-board-list <[hidden email]<mailto:[hidden email]>>
Cc: Stephen Boyle <[hidden email]<mailto:[hidden email]>>
Subject: RE: CVE Advancements

Shall we create a Doodle poll for the Board for March 28th - April 8th?

Re: CVE Advancements

Landfield, Kent B
In reply to this post by Eugene H. Spafford
As long as the focus would be discussing and deciding CVE related issues
and talking about the path forward for CVE….  That was the real purpose
of my suggestion.  We need to address the short term problems while
planning for the long term future of CVE on a larger scale.  I’d also like
to have this be restricted to the Editorial Board since they are the ones
highly familiar with the existing problems and the requisite history.
Definitely don’t want outsiders that need educating. That cuts into the
time for discussions and solution development.
---
Kent Landfield
+1.817.637.8026




On 1/5/16, 3:34 PM, "Eugene H. Spafford"
<[hidden email] on behalf of
[hidden email]> wrote:

>Let me note, from a historical perspective, that CERIAS hosted a workshop
>on vulnerability databases here in January 1999.  The MITRE folks
>presented at that workshop, and decided to make their efforts public as a
>result.  The CVE was “born” in a sense as a result of that meeting,
>although much of the work had been done prior.
>See
>http://www.ieee-security.org/Cipher/ConfReports/1999/CR1999-WVDB99.html
>
>(I helped organize the first workshop, too, at NIST, as I recall.  It
>wasn’t as well attended.)
>
>It might be worthwhile to have a follow-up workshop for not only the CVE,
>but some of the other players in the arena.  We could piggyback it on our
>annual symposium here, in April, which might make it even more of
>interest for some people to attend.
>
>However, if I were to do that, I’d want some definite buy-in from people,
>including some who would help with planning.  This is not necessarily the
>same as a CVE editorial board meeting, which could be done in conjunction
>or separately with a workshop.
>
>—spaf

Re: CVE Advancements

Eugene H. Spafford
Then that is two meetings — one CVE-specific, and one more generally for the topic area, if people want that.


> On Jan 5, 2016, at 4:47 PM, Landfield, Kent B <[hidden email]> wrote:
>
> As long as the focus would be discussing and deciding CVE related issues
> and talking about the path forward for CVE….  That was the real purpose
> of my suggestion.  We need to address the short term problems while
> planning for the long term future of CVE on a larger scale.  I’d also like
> to have this be restricted to the Editorial Board since they are the ones
> highly familiar with the existing problems and the requisite history.
> Definitely don’t want outsiders that need educating. That cuts into the
> time for discussions and solution development.
> ---
> Kent Landfield
> +1.817.637.8026
>
>
>
>
> On 1/5/16, 3:34 PM, "Eugene H. Spafford"
> <[hidden email] on behalf of
> [hidden email]> wrote:
>
>> Let me note, from a historical perspective, that CERIAS hosted a workshop
>> on vulnerability databases here in January 1999.  The MITRE folks
>> presented at that workshop, and decided to make their efforts public as a
>> result.  The CVE was “born” in a sense as a result of that meeting,
>> although much of the work had been done prior.
>> See
>> http://www.ieee-security.org/Cipher/ConfReports/1999/CR1999-WVDB99.html
>>
>> (I helped organize the first workshop, too, at NIST, as I recall.  It
>> wasn’t as well attended.)
>>
>> It might be worthwhile to have a follow-up workshop for not only the CVE,
>> but some of the other players in the arena.  We could piggyback it on our
>> annual symposium here, in April, which might make it even more of
>> interest for some people to attend.
>>
>> However, if I were to do that, I’d want some definite buy-in from people,
>> including some who would help with planning.  This is not necessarily the
>> same as a CVE editorial board meeting, which could be done in conjunction
>> or separately with a workshop.
>>
>> —spaf
>



Re: CVE Advancements

Landfield, Kent B
While I like the idea of a more general meeting I think we need to focus
on CVE initially.  After we have accomplished what we need to then I think
we will be in position to have a more generalized event around
Vulnerability Identification and Reporting and the associated tools,
databases and coordination activities.

Steve, I like the doodle poll idea. Can you set that up as you suggested?
I would include three weeks: the weeks of March 28th - April 1st, April
11th - 15th and April 18th - 22nd.

As suggested we should allocate 3 days to address the issues. Active CVE
Board members and the current CVE team should be the target participants.

The next thing we need to do is to start figuring out what an agenda would
be.  We all have a list of topics. It would be an interesting exercise for
folks to put together your individual list of the more critical items you
would like to see addressed.  This should include members of the CVE team.
 Then maybe, with a little correlation, we can arrive at a useful and
focused agenda.

---
Kent Landfield
+1.817.637.8026




On 1/5/16, 3:51 PM, "Eugene H. Spafford" <[hidden email]> wrote:

>Then that is two meetings — one CVE-specific, and one more generally for
>the topic area, if people want that.
>
>
>> On Jan 5, 2016, at 4:47 PM, Landfield, Kent B
>><[hidden email]> wrote:
>>
>> As long as the focus would be discussing and deciding CVE related issues
>> and talking about the path forward for CVE….  That was the real purpose
>> of my suggestion.  We need to address the short term problems while
>> planning for the long term future of CVE on a larger scale.  I’d also
>>like
>> to have this be restricted to the Editorial Board since they are the
>>ones
>> highly familiar with the existing problems and the requisite history.
>> Definitely don’t want outsiders that need educating. That cuts into the
>> time for discussions and solution development.
>> ---
>> Kent Landfield
>> +1.817.637.8026
>>
>>
>>
>>
>> On 1/5/16, 3:34 PM, "Eugene H. Spafford"
>> <[hidden email] on behalf of
>> [hidden email]> wrote:
>>
>>> Let me note, from a historical perspective, that CERIAS hosted a
>>>workshop
>>> on vulnerability databases here in January 1999.  The MITRE folks
>>> presented at that workshop, and decided to make their efforts public
>>>as a
>>> result.  The CVE was “born” in a sense as a result of that meeting,
>>> although much of the work had been done prior.
>>> See
>>> http://www.ieee-security.org/Cipher/ConfReports/1999/CR1999-WVDB99.html
>>>
>>> (I helped organize the first workshop, too, at NIST, as I recall.  It
>>> wasn’t as well attended.)
>>>
>>> It might be worthwhile to have a follow-up workshop for not only the
>>>CVE,
>>> but some of the other players in the arena.  We could piggyback it on
>>>our
>>> annual symposium here, in April, which might make it even more of
>>> interest for some people to attend.
>>>
>>> However, if I were to do that, I’d want some definite buy-in from
>>>people,
>>> including some who would help with planning.  This is not necessarily
>>>the
>>> same as a CVE editorial board meeting, which could be done in
>>>conjunction
>>> or separately with a workshop.
>>>
>>> —spaf
>>
>


Re: CVE Advancements

Kurt Seifried
Just a note on the meeting, I will not be attending it, and it doesn't look like anyone from Red Hat will be attending it. I'm also not clear on how this will take 3 days (or even where that number comes from) and what the meeting will accomplish. Will every single agenda item proposed by Kent be addressed and completed (e.g. written policy available) at the conclusion of the meetings? We already have several commitments from Mitre to provide policy/documentation/etc but I haven't seen anything, not even a draft or napkin sketch as it were.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: CVE Advancements

Art Manion
In reply to this post by Stephen Boyle
On 2016-01-05 16:40, Boyle, Stephen V. wrote:
> How about the weeks of March 28th - April 1st, and April 11th - 15th?

April 11-15 is out for me.

Strongly support the idea of a CVE-focused meeting, within the scope of
the editorial board.  Might the board invite other experts, if we think
that would be useful?

I also like the broader vulnerability database workshop idea, and may be
able to commit to helping, but these should be separate events.

Regards,

 - Art

RE: CVE Advancements

Stephen Boyle
Administrator
Dear Board members,

I'll note first that Art is a great setup guy. Now to the update on the face-to-face meeting.

There have been several questions, comments and suggestions (both public and private) regarding the proposed "CVE Advancements" face-to-face meeting and we would like to update the full Board list.

In his email of 5 January 2016, Kent Landfield proposed a "multi-day CVE Editorial Board Engineering and Organizational workshop... open to Editorial Board members with the major purpose of addressing many of the outstanding issues..." in order to "get those interested in fixing the current issues, advancing CVE and putting it on a successful path... together in the same room for a few days to have high-bandwidth, open and honest discussions about the way forward."
 
Kent's list of potential topics was:
  *   Current CVE Operational Background and needed improvements
  *   CVE CNA Rules and Guidelines
  *   Existing CNA problems and guidelines to address them
  *   CVE Coverage - Prioritized scope of coverage for CVE / associated Sources and Products
  *   A simpler counting approach
  *   Board Responsibilities
  *   US Focus of CVE in a world where software is being developed globally
  *   The Future Management Architecture of CVE Assignment - federated CVE
  *   CVE Uses - database / NVD, others
  *   CVE Backlog
  *   Funding of CVE operations
  *   The required "quality" of final CVE entries
  *   Board membership and the process for adding members

Since Kent's email:
- Several Board members have either explicitly or implicitly expressed support for Kent's proposal; many Board members have not provided any opinion.
- A link to a private poll was provided to Editorial Board members as an aid in scheduling the meeting.
- Questions were raised regarding the proposed 3 day duration of the meeting.

At this point, we are moving forward with arranging the face-to-face meeting. We will post another Doodle poll, as not many Board members could make the originally proposed dates. If people have preferred or blackout dates, please post them to the list.

The 3 day duration was proposed in order to give us sufficient time to go over a number of topics, plus leave travel days on either end. We are refining a proposed agenda, based on Kent's list and other Board member suggestions, as well as what we believe should be covered. Again, if anyone has suggestions for topics, please post them to this list.

Best Regards,
The MITRE CVE Team



-----Original Message-----
From: Art Manion [mailto:[hidden email]]
Sent: Friday, January 29, 2016 4:15 PM
To: Boyle, Stephen V. <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: CVE Advancements

On 2016-01-05 16:40, Boyle, Stephen V. wrote:
> How about the weeks of March 28th - April 1st, and April 11th - 15th?

April 11-15 is out for me.

Strongly support the idea of a CVE-focused meeting, within the scope of
the editorial board.  Might the board invite other experts, if we think
that would be useful?

I also like the broader vulnerability database workshop idea, and may be
able to commit to helping, but these should be separate events.

Regards,

 - Art