CVE Board Meeting Minutes - 8 March 2017


Adinolfi, Daniel R

CVE Board Meeting

8 March 2017, 2:00 p.m. EST

 

The CVE Board met via teleconference on 8 March 2017.

 

Board members in attendance were:

Andy Balinsky

Harold Booth (NIST)

William Cox (Black Duck)

Kent Landfield

Taki Uchiyama

 

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Jon Baker

Chris Coffin

Jonathan Evans

Matt Hansbury

Anthony Singleton

George Theall

 

Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups
    Strategic Planning - Kent Landfield
        Issues
        Actions
        Board Decisions
    Automation - Harold Booth
        Issues
        Actions
        Board Decisions

2:25 – 2:50: CNA Update
    DWF – Kurt Seifried
        Issues
        Actions
        Board Decisions
    General - Dan Adinolfi
        Issues
        Actions
        Board Decisions

2:50 – 3:00: FIRST PSIRT Meeting - Dan Adinolfi

3:00 – 3:10: CNA Documentation - Dan Adinolfi

3:10 – 3:20: CNA Report Card - Chris Coffin

3:20 – 3:40: Twitter and LinkedIn Presences - Chris Coffin

3:40 – 3:50: Pain Points - Chris Coffin
    - CVE entry sources.

3:50 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

 

Introductions and review of previous action items

- A poll for scheduling the next and future Automation Working Group meetings was shared.
- A version of the CNA documentation list was added to GitHub under a new branch. The link will be shared widely once all the placeholders have been created. This list includes a placeholder for a paper describing vulnerabilities in more detail.
- A summary of observations from the RSA Conference will be sent to the Board.
- Use cases for including services in the CVE list are still being developed by the Board.

 

Working Groups

- Strategic Planning - Kent Landfield
    - Issues
        - There were no updates from the Strategic Planning Working Group.
    - Actions
        - The WG is considering changing their meeting schedule to once a month instead of every other week.
    - Board Decisions
        - There was no additional Board Discussion.
- Automation - Harold Booth
    - Issues
        - The WG is considering how to allow for bi-directional data flow of CVE Data between CNAs.
    - Actions
        - The WG is waiting for a pull request to be accepted within GitHub and a message to be sent to the CNAs and Board that they can start using the current version of the JSON format.
    - Board Decisions
        - The Board suggested moving the bi-directional data flow issue to the Strategic Planning group.

 

CNA Update

- DWF – Kurt Seifried
    - Issues
        - CNAs are required to push data to their parents and ultimately to MITRE; how does data from MITRE, or data that goes directly to MITRE, filter back to the original CNA? As mentioned during the Automation WG discussion, the need for bi-directional data flow needs to be considered.
    - Actions
        - DWF would like additional CNA/CVE training material to help with the creation of more CVE Mentors.
        - There is interest in CVE Mentors becoming CNAs for third-party projects (e.g. Adam Caudhill covering Wordpress). CVE should consider the creation of this category of CNA.
    - Board Decisions
        - There was no additional Board Discussion.
- General - Dan Adinolfi
    - Issues
        - The Board suggests that CVE should begin working with the Chinese government as soon as possible to avoid any political complications of introducing CVE into the Chinese market.
    - Actions
        - MITRE met with Netgear, who is now on-boarded as a CNA.
        - MITRE met with Qihoo 360, who is now on-boarded as a CNA.
    - Board Decisions
        - There was no additional Board Discussion.

 

FIRST PSIRT Meeting - Dan Adinolfi

- Daniel Adinolfi attended the FIRST PSIRT Technical Colloquium in Raleigh and presented on CVE and the CNA program. He received a good deal of feedback on the CNA rules and the direction CVE is heading. He also got a few more leads on new CNAs.

 

CNA Documentation - Dan Adinolfi

- MITRE will send out a link to the CNA documentation list in GitHub.
- As discussed in previous meetings, once initial drafts are completed of documentation within the tree, the Board will be given two weeks for comment. Those comments will be integrated into a final draft by MITRE within a week and then included on the CVE website as official documents.

 

CNA Report Card - Chris Coffin

- Design of the CNA Report Card is close to completion.
- MITRE will send out the template before the next Board meeting.

 

Twitter and LinkedIn Presences - Chris Coffin

- MITRE has created two Twitter accounts and is actively updating them. These accounts are @CVEnew (listing new CVE IDs as they are published) and @CVEannounce (listing announcements by the CVE team). They are both getting followers.
- A LinkedIn CWE/CVE/CAPEC page has been created as well. This will be used in support of the CVE blog.

 

Pain Points - Chris Coffin

- Should CVE entries include the source of the CVE ID?
- MITRE is considering providing information on who submitted CVE request information.
- MITRE asked the Board for their thoughts on this and if they thought it was something that the public would be interested in participating in. The Board’s reaction to the question was mixed and no definitive conclusion was reached.

 

Open discussion – CVE Board

- The Board needs to develop additional clarification and have more discussion related to the use cases for including services in the CVE list.

Action items, wrap-up – Chris Coffin

- The CNA Report Card template will be provided to the Board by the next Board meeting.
- MITRE will create a poll to determine when the Strategic Planning WG should meet each month.
- Descriptions for each document listed in the CNA documentation tree will be created.

 

