CVE Board Meeting 16 May 2018
Board Members in Attendance
Chris Johnson (NIST)
Kent Landfield (McAfee)
Scott Moore (IBM)
Kurt Seifried (RedHat)
Dave Waltermire (NIST)
Members of MITRE CVE Team in Attendance
2:00 – 2:20: Introductions, action items from the last meeting – Chris Coffin
2:20 – 2:40: Working Groups
· Strategic Planning – Kent Landfield
· Automation – Chris Johnson, Dave Waltermire
2:40 – 2:50: CNA Update
· DWF – Kurt Seifried
· MITRE – Jonathan Evans, Nick Caron
2:50 – 3:15: Process for handling unresponsive CNAs – Jonathan Evans, Nick Caron
3:15 – 3:30: Board Charter Update Discussion – Kent Landfield, Pascal Meunier, Chris Coffin
3:30 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin
Review of Action Items from Last Meeting
Board Working Groups
Strategic Planning Working Group (Kent Landfield)
ISSUES: Spent a majority of the meeting discussing MITRE’s updates and changes to the three services they took ownership of. The changes and updates can be used as a template for creating additional services and were sent to the working group for review. Focus has been on user stories and functional requirements.
BOARD DECISIONS: N/A
Automation Working Group (Chris Johnson / Chris Coffin)
ISSUES: There were a number of different discussions, including the schedule for Git Pilot Phase 3 capabilities. The concern is that we are approaching a deadline for having phase 3 capabilities ready to deploy by the end of the month—we are not in a place to do that. Need to identify a reasonable date for when we can have it ready. There was an action item for getting an updated schedule in place. Another area of discussion was around updates to JSON schema; NVD team has been doing ongoing testing in terms of being able to turn that capability on in production. Would require some fairly significant changes on the MITRE side in order to get CNAs and content submitters to provide the refsource and name fields in the master list. An added concern is, are there other aspects of validation that may not be happening?
Working on project documentation so that the processes will be available on the GitHub site for reference.
There is ongoing development of use cases and requirements.
Working to prioritize the 33 issues that exist on the Automation Working Group project list.
ACTIONS: Chris Johnson will send out an email to Chris Coffin later today regarding the updated charter.
BOARD DECISIONS: N/A
DWF (Kurt Seifried)
STATUS: No updates
STATUS: JPCERT said they’d like to continue to be the Root CNA. They suggested Taki remain the POC. Taki will reach out to JPCERT.
MITRE (CVE Team)
STATUS: No updates
Process for Handling Unresponsive CNAs (Jonathan Evans, Nick Caron)
DISCUSSION: There are about 4 CNAs who have not reserved an ID in over a year or populated or published an ID in over a year. Jonathan will contact them to see if they still want to be a CNA. If they do want to be a CNA still, is that okay?
The next group we may need to consider de-certifying as CNAs are those who repeatedly cannot/do not put their information in the correct format, or who don’t put the product information in the description.
ACTION: Jonathan and Chris Coffin can type up something to go in the CNA Rules to address this issue.
Board Charter Update Discussion (Kent Landfield, Pascal Meunier, Chris Coffin)
DISCUSSION: There are a couple of other updates that need to be added to the Board charter. Since we just had a vote and updated the Charter, we can add the issue that Pascal brought up to the queue to add to the next Charter update.
ACTION: Think about some training that includes what we’ve been discussing, given the potential for automation.
Kent: We have had discussion about how to reach our stakeholders?
Chris C: That list is fairly well received. We are always over 10k subscribers.
Kent: We need to reach those 10k subscribers with something beneficial. Let’s use it to educate them and share information about CVE.
Chris C: It’s pointing to the issues on the newsfeed.
Kent: We need to include an excerpt from the news stories and not just a link.
Chris C: And also you indicated it may be sent too frequently.
Kent: I think we need to send it out if there are things to announce. May be nice to have a conversation about this on the Board list. May be nice to have someone write a short article for it occasionally. May also be nice to include links to articles from outside news sources.
Chris C: We used to do more of that but we stopped because it got “noisy.” Maybe we should introduce it back, but keep it to articles that are specifically about CVE.
Dave: I don’t have a problem adding him to the mailing list and eventually the Board.
Nobody on the call has an objection to him being added to the mailing list.
Kent: We have recently had people popping up on the mailing list who have no responsibility whatsoever except to write a check (sponsors). It would be good to know who is on the Board list. I don’t have a problem adding people, but I want to make sure I know who is a part of the list.
Chris C: I don’t think there is any issue with making the list public to members and notifying the list when there is an add or drop.
Summary of Action Items