CVE Board Meeting Minutes - 5 April 2017


Adinolfi, Daniel R

CVE Board Meeting

5 April 2017, 2:00 p.m. ET

 

The CVE Board met via teleconference on 5 April 2017.

 

Board members in attendance were:

Andy Balinsky (Cisco)

Harold Booth (NIST)

Art Manion (CERT/CC)

Kurt Seifried (Red Hat/DWF)

Taki Uchiyama (JPCERT/CC)

William Cox (Black Duck)

Pascal Meunier (Purdue)

 

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Jonathan Evans

Anthony Singleton

George Theall

 

Agenda


 

2:00 – 2:05: Introductions, action items from the last meeting – Dan Adinolfi

2:05 – 2:25: Working Groups

            Strategic Planning - Kent Landfield

                        Issues

                        Actions

                        Board Decisions

            Automation - Harold Booth/Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

2:25 – 2:50: CNA Update

            DWF – Kurt Seifried

                        Issues

                        DWF Web Form confusion

                        Actions

                        Board Decisions

            General - Dan Adinolfi

                        Issues

                        Actions

                        Board Decisions

2:50 – 2:55: CNA Report Card Update - Dan Adinolfi

3:00 – 3:10: CNA Documentation Update - Dan Adinolfi

3:10 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Dan Adinolfi

 

Introductions and review of previous action items

  • The CNA Report Card for the first quarter of this calendar year will be provided to the Board by the next Board meeting.
  • The first document to be developed for the new CNA documentation will be shared in the next week.
  • A summary of observations from the RSA Conference will be sent to the Board.
  • Use cases for including services in the CVE list are still being developed by the Board.

 

Working Groups

  • Strategic Planning – Dan Adinolfi
    • Issues
      • There were no updates from the Strategic Planning Working Group.
    • Actions
      • The next Strategic Planning WG meeting will be April 6, 2017 at 2PM ET. Future meetings will be held the Thursday after the first Board meeting each month.
    • Board Decisions
      • There was no additional Board Discussion.
  • Automation - Harold Booth
    • Issues
      • The WG had a meeting on 2 April 2017.
      • MITRE is cleared to use the new minimal JSON format.
      • The WG is still considering how to allow for bi-directional data flow of CVE Data between CNAs.
      • Should there be a container around each CVE entry in the JSON format? Possibly, but the need to develop that should not hold up the use of the minimal specification.
    • Actions
      • Additional development will be done on the JSON format.
      • Assigner information (an email address) will be included as a required field in the minimum specification.
      • Question to be considered: How should transport or container standards be developed?
    • Board Decisions
      • Assigner will be included as a required field in the minimum JSON specification.
      • MITRE is cleared to use the new minimal JSON format for CVE requests.

 

CNA Update

  • DWF – Kurt Seifried
    • Issues
      • MITRE is receiving complaints from requesters that they are not receiving CVE ID assignments after submitting requests through the DWF web form. DWF should be finishing the development of its infrastructure by the end of next week.
      • The Board reviewed the guidelines regarding how CVE ID pools are assigned within Root CNAs.
      • DWF will be finishing validating their Terms of Use with their submitters.
    • Actions
      • More infrastructure will be developed in the next week.
    • Board Decisions
      • There was no additional Board Discussion.
  • General - Dan Adinolfi
    • Issues
      • Qualcomm is now a CNA.
      • Invitations for May’s CNA Training in Tokyo have been sent out. We know at least three CNAs that will be attending.
    • Actions
      • None.
    • Board Decisions
      • There was no additional Board Discussion.

 

CNA Report Card Update – Dan Adinolfi

The CNA Report Card and a corresponding summary slide deck are in their final draft and will be shared with the Board within the next week.

 

CNA Documentation Update – Dan Adinolfi

A final draft of the CVE 101 White Paper, the first document to be co-developed with the Board to support the CNA program, has been written and will be shared with the Board within the next week.

 

Open Discussion - Dan Adinolfi

  • OASIS CSAP is working on CVRF version 2, and additional community feedback is welcomed.
  • The CVSS v3 JSON specification is imminent, and the Automation Working Group should consider how best to accommodate it.
  • The Board reviewed the active working groups and how to join. The active working groups are the Strategic Planning Working Group, the Automation Working Group, and the Naming Working Group. Participation is open to anyone, and they can request inclusion on the group mailing lists and call invitations through MITRE.
  • The Board discussed if Black Duck should be a CNA and how that may be done. Further discussion will be had.

 

Action items, wrap-up – Dan Adinolfi

  • The CNA Report Card for the first quarter of this calendar year will be provided to the Board by the next Board meeting.
  • The first document to be developed for the new CNA documentation will be shared in the next week.
  • A summary of observations from the RSA Conference will be sent to the Board.
  • Use cases for including services in the CVE list are still being developed by the Board.
  • MITRE will send out the link to the development branch in GitHub for the CNA documentation.
  • MITRE will investigate converting documents in the GitHub repository to markdown for easier editing.

 

 

 

