CVE Board Meeting
14 December 2016, 2:00 p.m. EST
The CVE Board met via teleconference on 14 December 2016.
Board members in attendance were:
Andy Balinsky (Cisco)
Harold Booth (NIST)
Kent Landfield (Intel)
Scott Lawler (LP3)
Pascal Meunier (CERIAS/Purdue University)
Ken Williams (CA Technologies)
Members of the MITRE CVE Team who attended the call are as follows:
2:00 – 2:05: Introductions, action items from the last meeting – Daniel Adinolfi
2:05 – 2:10: CVE Strategic Planning Working Group Update – Kent Landfield
2:10 – 2:40: DWF Update – Kurt Seifried
2:40 – 2:50: Automation Working Group - Kurt Seifried and Harold Booth
2:50 – 3:20: MITRE CNA adoption of CNA rules - Jonathan Evans
3:20 – 3:40: Pain Points - Daniel Adinolfi
3:40 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Daniel Adinolfi
The meeting began with a review of the action items from the previous Board meeting. There were four action items. First, MITRE confirmed that they will be sending a CVE representative to RSA. They will be available to participate in the presentation and talk planned to announce the CVE Mentor program. Also, the Vulnerability Naming Working Group is still to be created, and MITRE will complete this task. The JSON schema was shared with the Automation Working Group. Finally, the December 28, 2016, Board meeting has been cancelled due to the holiday.
CVE Strategic Planning Working Group Update
At the previous meeting of the Strategic Planning Working Group (WG), the group discussed the potential impact of the planned CVE Mentor Program being developed by Kurt Seifried and Kent Landfield. (As mentioned above, the Mentor Program will be formally announced at RSA 2017 in February.) The Mentor Program, as with other parts of CVE, must be built with the flexibility required to work across multiple domains and CNA roots.
The WG will also do additional work comparing NIST's vulnerability ontology with the data elements of the proposed JSON schema to ensure that both efforts are heading in the same, or at least a compatible, direction.
The DWF is also looking at identity management schemes to identify users, authorize their roles within DWF, and maintain a clear history of their participation.
Automation Working Group
The Automation Working Group met on December 6, 2016. The WG reviewed and commented on the JSON format. The strengths and weaknesses of using the format were discussed, and that discussion is ongoing, both within the WG and on the automation and CNA mailing lists.
The WG is waiting on explicit permission from Intel to make use of Intel's counting spreadsheet so that it can serve as a starting point for further automation development.
The next meeting of the WG will be scheduled soon.
MITRE CNA Adoption of CNA Rules
MITRE has been reviewing its operational procedures to bring them into alignment with the CNA Rules. The Board considered the implications of changing the requirements that MITRE places on CVE ID requests so that MITRE can follow the CNA Rules. For example, MITRE sometimes assigns a CVE ID to a vulnerability before it becomes public and is then not notified when the vulnerability is made public. This leaves the CVE ID entry listed as "RESERVED" in the CVE List, without a description, even though details about the vulnerability are public, which causes confusion for CVE consumers.
MITRE will continue to investigate options for reducing the occurrence of this and related issues.
The CVE Board discussed a recent incident on the CNA mailing list involving a Board member acting unprofessionally and inappropriately. The Board agreed that any response should be as transparent as possible.
MITRE, speaking on behalf of the CVE Board, will send a public message to the CNA list that calls out the unacceptable behavior. It will explain that such repeated behavior will result in removal from the CNA list.
MITRE, speaking on behalf of the CVE Board, will send a direct warning to the Board member with the private Board mailing list CC'd. That warning will explain to the individual that disciplinary action will be taken, up to and including removal from the CNA list, if there is any further unacceptable behavior. The Board member will not be removed at this time.
The Board will be updating the Board Charter to include more specific language regarding what is considered appropriate conduct for a Board member. It was suggested that the Board adopt the Contributor Covenant as a Code of Conduct: http://contributor-covenant.org/version/1/4/.
The Contributor Covenant is already used as DWF's Code of Conduct. MITRE will draft updated language for the Charter by the next Board meeting, and that proposed language will be discussed then.
The Charter already has what it needs to censure or remove a Board member; this update will reinforce what is already included.
The next Board Meeting will be held on January 11, 2017.