CVE Board Meeting 2 May 2018
Board Members in Attendance
William Cox (Synopsys)
Beverly Finch (Lenovo)
Kent Landfield (McAfee)
Scott Moore (IBM)
Pascal Meunier (CERIAS/Purdue University)
Kurt Seifried (RedHat)
Dave Waltermire (NIST)
Andy Balinsky (Cisco)
Members of MITRE CVE Team in Attendance
2:00 – 2:10: Introductions, action items from the last meeting – Chris Coffin
2:10 – 2:30: Working Groups
2:30 – 2:50: CNA Update
2:50 – 3:15: Takeaways from RSA Conference – Joe Sain
3:15 – 3:30: Board Charter Update Status and Next Steps – Chris Coffin
3:30 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin
Review of Action Items from Last Meeting
Previous Action Item: Send email to the Board list to get opinions on a potential Charter update that would allow opening WG participation to anyone, not just Board members and CNAs. Is a Charter update needed to describe this or does the Board feel this is already implied?
Previous Action Item: MITRE to talk to Kurt about DWF resources and helping him where needed.
Previous Action Item: Jonathan and Chris to discuss getting the Board some of the raw data that informs CNA report cards.
Previous Action Item: MITRE will send an email to the Board to ask them for input regarding the value of assigning CVE IDs for older vulnerabilities or vulnerabilities that will never be patched.
Previous Action Item: MITRE will communicate with the CNAs about the tagging of reserved CVE IDs with the CNA name. The pros and cons of tagging or not tagging will also be included and CNAs will be encouraged to add their thoughts and concerns.
Board Working Groups
Strategic Planning Working Group (Kent Landfield)
ISSUES: Walked through some of the updates to the roles presentation; Chris Levendis wants to ensure we are on the right path (provide objectives, etc.). The main changes to be done to the slides involve updating the process flows. The need for an ID allocation service was discussed—would it be better to assign a block that never changes for different CNAs? Jonathan Evans refers to them as “year over year” blocks and the “prefix model.” If we were to go with something like that, it does away with the need for an ID allocation service.
There is a need to encourage “good behavior” and discourage “bad behavior” with regard to using and publishing CVE IDs.
ACTIONS: Put some use cases together so that the problem statement is well articulated and then send out to the Board.
BOARD DECISIONS: N/A
Automation Working Group (Chris Johnson / Chris Coffin)
ISSUES: An action item that came out of Monday’s Automation Working Group meeting was to send out charters for the JSON format and the CNA registry, as well as for the AWG itself. Chris Johnson would like to receive approval from the Board that the charter represents the necessary AWG activities. Project repos have been set up on GitHub and we will build those out. The changes to the JSON format that were requested for NVD were implemented (name attributes, changes to how white space is being handled). NVD is in the process of sending out new code to enable generation of the CVE List from the repository rather than from the allitems.xml file.
There was a discussion on outreach: as participation is increased, who would be appropriate candidates for participation in the AWG? Also discussed, in preparation for spinning up the groups, was what sort of documentation we need to explain our processes (channels for participation, access to the GitHub account, POCs, user stories, reporting, etc.). Kurt provided sample documentation, so we have some examples to use. We also talked a little about issue management and communication mechanisms, which can be added to the processes document.
ACTIONS: Chris Johnson will forward the email for distribution to the Board regarding the review and approval of the AWG and AWG Project charters. Chris Johnson will put together a draft processes document and put on GitHub for review.
BOARD DECISIONS: N/A
DWF (Kurt Seifried)
STATUS: No updates
MITRE (CVE Team)
STATUS: Two requests to become CNAs—one was Xen (referred to DWF) and one was Teltonica (IoT maker in Lithuania). Jonathan will try to get more information from them. No new CNAs since last week.
Takeaways from RSA Conference (Joe Sain)
DISCUSSION: Joe had an Expo pass and spent all his time on the floor. It looks like an increasing number of companies are looking at analytics platforms that work from existing data feeds, fusing that data together rather than relying strictly on their own data and intelligence. There were some interesting things in the health care sector, including a company, Cynerio, that performs passive network discovery, device categorization, and anomaly detection on hospital networks. We are also beginning to see an increasing number of industrial control system (ICS) vendors at the conference. The people we spoke to were very positive about CVE, and about 20 companies expressed interest in the CNA program and the possibility of becoming a CNA.
Amazon Alexa Issue (Chris Coffin)
DISCUSSION: Issue with Amazon Alexa: it may record information and conversations you don’t want recorded. There is an IoT and SaaS issue here. Does this necessitate a CVE? Chris has had communication with Amazon about this topic; they are not looking at this as a CVE (they’d rather it not be released). Kurt has done some research—the red LED light at the top should be lit if it is not recording. As a user, do I have any control over the microphone? You should get an alert and be able to allow it or not. In this case, with the way Alexa is used and deployed, you’re not staring at it. Alexa has a very sensitive microphone. It can record if you’re not in the same room—and then you can’t see the LED light, which indicates whether it’s recording or not. Amazon is saying they will fix this to some degree—can the behavior of Alexa be changed to mitigate the problem? Amazon thinks yes. Would the CVE be against Alexa, or against a component of that device?
The group consensus: Kent is not ready to say it’s a vulnerability; Dave said the same. Beverly doesn’t have an opinion yet. Chris Johnson needs to look at the issue more closely. Pascal is convinced it’s a vulnerability but is willing to entertain the possibility that it doesn’t need a CVE (though he thinks it does). Chris Coffin thinks similarly to Jonathan: we should write the CVE specifically for the re-prompt feature. The consensus from the Board members on the call is that if a CVE is issued, it needs to be written with a very narrow description.
This issue will be summarized in a post to the CVE Board email list for further discussion.
Summary of Action Items