CVE Board Agenda for Wednesday, 30 October 2019


CVE Board Agenda for Wednesday, 30 October 2019

Bazar, Jo E.

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 2:30: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Chris Coffin
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin

 

2:30 – 2:45: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans/Chris Coffin

 

2:45 – 3:00: CNA Summit – Beverly Miller Alvarez

3:00 – 3:15: CNA RBP Issues – Chris Coffin

3:15 – 3:30: CNA Rules Revision Status – Jonathan Evans

3:30 – 3:45: Transition Board Archives Long-Term Storage to AWS – Lew Loren

3:45 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up

 

Review of Action Items from Board Meeting held on 16 October 2019


#: 1.23.1
Action Item: Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).
Responsible Party: MITRE (Jo B.)
Status: In Process
Comments: MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below:

  1. How to submit entries to MITRE using the web form
  2. CVE ID assignment rule (Counting)
  3. Becoming a CNA
  4. CVE Program (includes Root structure)
  5. How to request the MITRE CNA populate a CVE entry

8/21 Update: Jonathan sent draft CNT1 and CNT2 to OCWG and CNACWG for review and feedback by 9/13/19.

10/2 Update: Jonathan has drafted the Assignment rules script and will send to the group for review and feedback.

Update: A timeline has been prepared and will be shared at next CVE Board meeting.

#: 4.17.5
Action Item: Research solution for storing, archiving, and central repository for CVE Board and WG meeting minutes, recordings, as well as tracking action items.
Responsible Party: MITRE (Lew L.)
Status: In Process
Comments: 6/12 Update: CNA SharePoint site is up (MITRE partners account is required), Handshake account is used for current meeting recordings and we are moving the archive of recordings to Amazon Glacier for cold storage.

8/21 Update: Next step is to move the recordings to the Amazon Glacier for cold storage.

10/2 Update: Script is being developed so the current meeting recordings can be uploaded to Amazon Glacier.

#: 6.26.2
Action Item: Update Charter to reflect new interview process of board nominations and that CVE Board member can send nominations directly to the private board list.
Responsible Party: MITRE (Chris C.)/Kent L.
Status: In Process
Comments: 10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.

#: 6.26.3
Action Item: Update Charter to reflect new Board nomination interview process. When a new Board member is nominated, a 30-minute interview is conducted during the next Board call.
Responsible Party: MITRE (Chris C.)/Kent L.
Status: In Process
Comments: 10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.

#: 7.24.01
Action Item: Develop a strategy for handling public but low-quality vulnerabilities, especially cases where the vendor or maintainer has not acknowledged the vulnerability.
Responsible Party: MITRE (Chris C./Jonathan E.)
Status: In Process
Comments: 9/4 Update: Outline drafted by Jonathan and is being reviewed by the CVE team.

#: 7.24.02
Action Item: Draft language clarifying CVE charter around organizational voting. (When do we merge votes based on organizational affiliation)
Responsible Party: MITRE (Chris C.)/Kent L.
Status: In Process
Comments: 10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.

#: 8.21.01
Action Item: Take the lead for contest open to the community to create new CVE logo.
Responsible Party: OCWG
Status: In Process
Comments: 9/4 Update: OCWG discussed at last meeting and is seeking additional guidance from the CVE Board.

10/16 Update: Shannon provided a list of requirements/questions for the CVE Board to consider.

#: 10.16.01
Action Item: Follow up with MITRE legal about CVE logo language and design usage and required approvals.
Responsible Party: MITRE (Chris L.)
Status: Not Started
Comments: Assigned October 16, 2019

#: 10.16.02
Action Item: MITRE communicate RBP backlog strategy to CVE Board.
Responsible Party: MITRE (Chris L.)
Status: Not Started
Comments: Assigned October 16, 2019

#: 10.16.04
Action Item: SPWG down select CVE domain names and present options to CVE Board for final selection and approval.
Responsible Party: MITRE (Chris C.)
Status: In Process
Comments: Update: CVE Domain names sent to CVE Board members for consideration on 10/24/2019.

#: 10.16.05
Action Item: Send CNA Press template to CVE Board.
Responsible Party: MITRE (Jo B.)
Status: In Process
Comments: Update: Press release sent to CVE Board for input due NLT 10/28/19.

 

 


RE: [EXT] Re: CVE Board Agenda for Wednesday, 30 October 2019

Coffin, Chris

* We elected Tod as CNACWG chair for another year.

 

Really good news! Your hard work and dedication are much appreciated Tod!

 

Chris

 

From: Tod Beardsley <[hidden email]>
Sent: Tuesday, October 29, 2019 11:24 AM
To: Bazar, Jo E. <[hidden email]>
Cc: CVE Editorial Board Discussion <[hidden email]>; Coffin, Chris <[hidden email]>
Subject: [EXT] Re: CVE Board Agenda for Wednesday, 30 October 2019

 

Hey! Alas, I cannot make tomorrow's board meeting, for I managed to get booked into a podcast recording. Written update on CNACWG:

 

* We elected Tod as CNACWG chair for another year.

* Gave feedback on Jonathan's cool instructional video (tldr, split it into two)

* Started work on revamping the dispute process (Figuring a rough but feature-complete draft for debate by Dec 1)

* Started thinking about summit agenda, will carve out essentially a day for MITRE stuff for the Board to fill in, and then a day of CNA stuff. If you want less time, say so now!

 

Also, you should listen to our podcast, it's kinda fun: https://podcasts.apple.com/us/podcast/security-nation/id1124543784

 

 

On Tue, Oct 29, 2019 at 11:18 AM Bazar, Jo E. <[hidden email]> wrote:

 


 

 


 

--

"Tod Beardsley"
Director of Research
+1-512-438-9165 | 
https://keybase.io/todb

