CVE Board Meeting Minutes - 11 January 2017


CVE Board Meeting Minutes - 11 January 2017

Adinolfi, Daniel R

CVE Board Meeting

11 January 2017, 2:00 p.m. EST

 

The CVE Board met via teleconference on 11 January 2017.

 

Board members in attendance were:

Andy Balinsky (Cisco)

Harold Booth (NIST)

Kent Landfield (Intel)

Scott Lawler (LP3)

Art Manion (CERT/CC)

Kurt Seifried (Red Hat)

Taki Uchiyama (JPCERT/CC)

 

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Tiffany Bergeron

Jonathan Evans

Anthony Singleton

George Theall

 

Agenda

 

2:00 – 2:05: Introductions, action items from the last meeting – Dan Adinolfi

2:05 – 2:10: CVE Strategic Planning Working Group Update – Kent Landfield

2:10 – 2:40: DWF Update – Kurt Seifried

  - DWF and reserved CVE IDs – Jonathan Evans

2:40 – 2:50: Automation Working Group - Kurt Seifried and Harold Booth

2:50 – 3:00: CVE mailing list usage - Dan Adinolfi

3:00 – 3:20: Requirements for Test CVE ID data - Dan Adinolfi

3:20 – 3:30: CVE Contributor Public Recognition - Dan Adinolfi

3:30 – 3:40: Monthly CNA Report - Dan Adinolfi

3:40 – 3:45: Board Nomination for William Cox - Dan Adinolfi

3:45 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Dan Adinolfi

 

The action items from the previous Board meeting were:

  • “MITRE will review publicly posted content on the CVE website and the related Wikipedia page to ensure it is correct and up to date.” This work has not yet been accomplished.
  • “A mailing list to support the Naming Working Group will be created by MITRE.” This mailing list has been created, but it has yet to be populated.
  • “MITRE will develop a strategy and suggested implementation plan for the creation of CVE ID blocks that could be used for testing.” After receiving additional feedback on this issue, MITRE will develop a proposal.
  • “The Strategic Planning WG meeting scheduled for December 21, 2016, may be cancelled due to the holiday. This will be confirmed on the WG mailing list.” This meeting was indeed cancelled.
  • “A response to the questionable content posted to the cve-cna-list mailing list will be implemented as described above.” This was done per the instructions of the Board.
  • “CVE will schedule the next Automation Working Group meeting.” The next Automation WG meeting is scheduled for January 17, 2017.
  • “The Board will check with Intel to verify that their CVE assignment spreadsheet can be shared with the larger community.” We did verify that the spreadsheet could be shared.

CVE Strategic Planning Working Group Update

Coming out of their January 4, 2017, meeting, the Strategic Planning Working Group made the following recommendations.

  1. The Board believes MITRE should move forward in changing JPCERT/CC to a Root CNA, as a peer to DWF.
  2. The Board will begin the discussions needed to address supporting the localization of other languages in CVE.
  3. The Board will encourage MITRE to continue working toward publishing all CVE IDs that have been assigned.
  4. The Board will encourage MITRE to develop metrics needed to better inform the Board regarding CVE and CNA operations.
  5. The Board will support and assist MITRE in developing a global marketing plan for outreach to nations, technology sectors, and emerging technologies.
  6. The Board will encourage MITRE to determine what is necessary to support additional devices, firmware, and software not traditionally supported. Additionally, the Board will encourage MITRE to publicize the expansion of CVE's scope to include hardware, firmware, and software.

Also, the WG suggested considering a new schedule for the Board meetings to accommodate the wider array of time zones and changing schedules of Board participants.

 

The WG also discussed the role of all working groups formed by the Board. Working groups are meant to advise the Board with specific suggestions and action items. Working groups should be considered an extension of the Board, and when a working group reports to the Board, the Board should comment immediately on the working groups’ findings. Those findings should be considered the findings of the Board, and, unless there is significant disagreement about them, they will be implemented on behalf of the Board.

 

DWF Update

DWF continues working with developers to identify and train new Sub CNAs under DWF. At this point, no Sub CNAs have been formally named.

Work on the DWF JSON schema is continuing, and that work will be done in coordination with the Automation Working Group. Other operational processes are still under development as well, including how to make the GitHub repository scale.

MITRE brought up the fact that currently DWF cannot accommodate CVE ID requests for embargoed vulnerabilities. DWF recognizes this as a requirement, and a solution will be developed.

Automation Working Group

The Automation Working Group (AWG) will be meeting on 17 January 2017. An agenda will be posted before the meeting, and that agenda will include the JSON schema. MITRE requested that a version of the JSON schema be finalized so that CNAs can develop against that schema without it being a moving target. A new version of the DWF schema will be presented as well.

 

CVE mailing list usage

As the CVE community grows, more communications channels are being created and more new members of the community are using those channels. Mailing list etiquette and list focus has occasionally been the source of confusion.

The Board discussed the use of each mailing list and wants the lists to have a professional tone and appropriate content shared on each. The goal is for the community to be comfortable with posting questions and making remarks on the lists and for the flow of information on the lists to be manageable.

 

Requirements for Test CVE ID Data

During the previous Board meeting, the idea of creating a set of CVE ID test data was proposed. MITRE solicited the Board for specific requirements and use cases for this data set. The Board discussed these, but they then suggested that the development and testing of these data sets be done through the Automation Working Group.

 

CVE Contributor Public Recognition

MITRE asked the Board their opinion on the creation of a “Thank You” page for the CVE website that would recognize anyone who submitted a CVE ID description in the last month. This would create a small incentive for descriptions being written by the community. The Board felt that the likelihood of contributors “gaming the system” to have public recognition while adding minimal value to CVE was high. This idea will not be pursued.

 

Monthly CNA Report

MITRE asked the Board what kinds of information they would like to see in periodic reports on CNAs and the CVE program as a whole. The Board hoped to get indications as to the quality of the data being included in the CVE list, how many errors and duplicates are being handled, and which CNAs may require additional help or training.

Metrics that show the number of Board and Working Group meetings, the number of CNAs, and the number of CNA assignments would also be useful. Metrics that give an indication of the time taken to assign and publish CVE IDs may also be useful. All of these reports would be best delivered on a quarterly basis.

 

Board Nomination for William Cox

MITRE is formally nominating William Cox of Black Duck Software for the Board.

 

Open discussion

MITRE has published a news article explaining why reserved CVE ID numbers have a much higher ordinal section than in previous years: http://cve.mitre.org/news/archives/2017/news.html#january122017_FOCUS_ON:_The_Significance_and_Meaning_of_the_Year_Portion_of_a_CVE_Identifier

The blog post for December received only one response. MITRE would like to see more feedback on the issue, and they asked the Board to spread the word about the post.

NVD mentioned that they will be launching a newly-designed website very soon.

 

Action Items:

  • The Automation WG will develop a plan for implementing testing datasets.
  • MITRE will send mail to the Board describing recent accomplishments.
  • MITRE will investigate how to improve their blog, especially such that individual posts could be linked to directly.
  • MITRE will review publicly posted content on the CVE website and the related Wikipedia page to ensure it is correct and up to date.
  • A mailing list for the Naming Working Group will be populated after posting a call for participation.

 

The next Board Meeting will be held on January 25, 2017.

 

