CVE Board Meeting Minutes - 30 November 2016


Adinolfi, Daniel R

CVE Board Meeting

30 November 2016, 2:00 p.m. EST

 

The CVE Board met via teleconference on 30 November 2016.

 

Board members in attendance were:

Andy Balinsky (Cisco)

Harold Booth (NIST)

Kent Landfield (Intel)

Scott Lawler (LP3)

Art Manion (CERT-CC)

Pascal Meunier (CERIAS/Purdue University)

Ken Williams (CA Technologies)

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Chris Coffin

Jonathan Evans

Anthony Singleton

George Theall

 

Agenda

 

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:10: CVE Strategic Planning Working Group Update – Kent Landfield

2:10 – 2:40: DWF Update – Kurt Seifried

2:40 – 2:50: Automation Working Group Update – Kurt Seifried and Harold Booth

2:50 – 3:20: Creation of Naming Working Group – Jonathan Evans

3:20 – 3:40: JSON Format – Chris Coffin

3:40 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

 

The meeting began with a review of the action items from the previous Board meeting. There were three action items. First, MITRE was to share a list of action items coming out of the CNA Summit, which they did. Second, the Board was to investigate the possibility of having a Board meeting at the RSA conference in February, which is still under investigation. Finally, MITRE was to query the CNA and Board mailing lists to ask who would like to participate in the new Automation Working Group, which they did.

 

CVE Strategic Planning Working Group Update

 

The Strategic Planning Working Group (SPWG) met on 22 November 2016. During that meeting, the SPWG debated the need for a council related to the Board that would focus on operational issues. The SPWG also discussed the idea that any vision of the future of CVE must include the needs of global vulnerability management across all sectors, and what that might mean for strategy development. Related to this, there is a need for improved search capabilities to support this collaboration and interconnection with other stakeholders.

 

DWF Update

 

There was no update for the DWF for this meeting. The Board is aware of the ongoing operational activity and the development of the mentoring program, but no new information was available.

Automation Working Group

 

The mailing list for the Automation Working Group (AWG) has been populated with those interested in participating. The first order of business was scheduling a regular meeting, and a Doodle poll was sent out to schedule the initial meetings. The results of that poll will be announced to the group within a few days.

 

Creation of Naming Working Group

 

After a lengthy discussion of the need for alternative names for vulnerabilities or classes of vulnerabilities, MITRE suggested that a Working Group be created to address this issue. The Working Group would determine if CVE can or should establish a standard for alternate names for existing CVE ID-assigned vulnerabilities and how to document those. The Working Group will consider the work already being done by other working groups outside of CVE to determine how CVE should collaborate with them. This Working Group is open to CNAs, the Board, and other members of the larger vulnerability management community, such as the CWE and CAPEC teams at MITRE. A mailing list will be established to facilitate the discussion.

 

JSON Format

 

The JSON schema being developed to facilitate automated submission of CVE ID requests and sharing of CVE ID information is close to being complete. Its development will be shifted to the Automation Working Group. The AWG will look at developing tools that will work with the schema once the schema itself has been formally set. There was some discussion of making use of YAML, but that discussion was tabled and will be picked up by the AWG.

 

Open Discussion

 

Due to the number of Board members who will be unavailable on December 28, the CVE Board meeting scheduled for that day will be canceled.

 

Kurt Seifried will be using the hashtag #cvementor on Twitter to tag any discussion related to the CNA mentoring program he and others are developing. 

 

At the start of the new year, the Board should poll its membership to see if the scheduled times for Board meetings should be changed.

 

Kent Landfield is preparing to nominate Takayuki (Taki) Uchiyama from JPCERT to the CVE Board. Once the details of such a nomination have been settled within JPCERT, the official nomination will be submitted to the Board for consideration.

 

Action Items:

  • MITRE will investigate if they will be sending staff to attend the RSA conference in February 2017.
  • A Vulnerability Naming Working Group will be established with a mailing list, which will be created by MITRE.
  • The Board meeting scheduled for December 28th will be cancelled due to the holiday.
  • The latest version of the JSON schema will be shared with the Automation Working Group via their mailing list.

The next Board Meeting will be held on December 14th.

 


Attachment: CVE Board Meeting_11_30.docx (26K)