CVE Board Meeting 25 April 2018
Board Members in Attendance
Andy Balinsky (Cisco)
William Cox (Black Duck Software)
Kent Landfield (McAfee)
Scott Lawler (LP3)
Art Manion (CERT/CC)
Scott Moore (IBM)
Taki Uchiyama (Panasonic)
Members of MITRE CVE Team in Attendance
2:00 – 2:10: Introductions, action items from the last meeting – Chris Coffin
2:10 – 2:30: Working Groups
2:30 – 2:50: CNA Update
2:50 – 3:15: Takeaways from RSA Conference – The Board
3:15 - 3:30: Quarterly Program Review and CNA Report – Chris Coffin and Jonathan Evans
3:30 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin
Review of Action Items from Last Meeting
Board Working Groups
Strategic Planning Working Group (Kent Landfield)
ISSUES: No updates
BOARD DECISIONS: N/A
Automation Working Group (Chris Johnson / Chris Coffin)
ISSUES: No updates
BOARD DECISIONS: N/A
DWF (Kurt Seifried)
STATUS: No updates
JPCERT (Taki Uchiyama)
MITRE (CVE Team)
STATUS: Palo Alto Networks and Hillstone are now CNAs; we are close to announcing Avaya and maybe TWCERT/CC. Naver (Korean company) would like to become a CNA. We also have talked to GE and GitLab about becoming a CNA. Gitlab has withdrawn their request to become a CNA because using the MITRE CNA to request CVE IDs is sufficient for their needs.
Takeaways from RSA Conference (Board Members)
DISCUSSION: Kent—heard a number of people speaking about CVE in a positive way. He did a presentation on patching (in a game show format) at RSA. One of the things he heard from the audience is that they are using CVE very effectively and (sadly) they were using CVSS as a threshold and focusing on CVEs and correcting those things that had reached a certain threshold. Someone was wearing a “We Speak CVE” button.
Chris Coffin said we got about 10-15 companies that came forward with interest as becoming a CNA.
Kent: There was a vulnerability meeting on Wednesday and we had a really good conversation on how to improve CVE (regarding the roles); how to change the focus from a technical and political perspective. Art Manion: Another thread that was discussed in the meetings was regarding medical devices and the fact that they do receive CVEs.
Quarterly Program Review and CNA Report (Chris Coffin and Jonathan Evans)
DISCUSSION: The latest report card was sent out on April 16 for 2018 Q1 (sharing screen and going through the slides). Kent believes that open source CVE ID assignment (and CNA) requests need to be transferred to DWF. George Theall mentioned that Kurt Seifried can now only work on DWF on the weekends (he needs support).
Kent asked if the Board could be given the CNA data; the Board should have access to data (doesn’t have to be in graph form; just raw data is fine). He thinks the Board should have access to data that tells them who is getting better, who is slow, who is improving, etc. May not need all the charts and graphs going forward; the data in a spreadsheet may be just as useful.
Art Manion said it would be great to be able to show some of this information publicly; quite a bit of value showing the improvements that a project has made in a couple of years. Anything that doesn’t name a CNA specifically could be used.
ACTION: Chris Coffin will reach out to Kurt to find out more and figure out what MITRE can do to find support for DWF. Jonathan and Chris Coffin will discuss how to get some raw data to the Board.
CNA Collaboration WG: Kent would like to get the Charter approved so that we can move forward. Jonathan mentioned the move of email to exchange groups—not sure what the impact of that will be. Chris Coffin said the list names will change; he will find out if there are other impacts from Joe Sain tomorrow.
Jonathan said we had an issue with Hikvision—because they’re in China, their public advisory was only accessible to people in China; we
could not validate the advisory because of this. What do we do if China decides to block GitHub? Art: we should be concerned, but we have a blind spot regarding a lot of the Chinese software/vulnerabilities. The CERT/CC tries to help bootstrap PCERT capabilities
or teams. We regularly go to conferences where the western world is, but I don’t really know what’s going on in China or India, for example. It is a question of reaching those markets in any way. The most tangible resource I have is to be able to present and/or
attend certain conferences where Chinese software developers might be present.
Is the focus on trying to find the right person in the Chinese government to have these conversations with? Art—not sure we are near that point yet. We are open to talking to C-CERTS, CNVD, industry groups, government, customers, etc. We are trying to get the message out to software development companies that they should be assigning CVE IDs to their vulnerabilities. Kent may be able to facilitate a meeting in-country; he will work on it.
Jonathan said there is still the issue of what happens if we can’t access the CNA’s advisory. We won’t be able to validate there is a public reference for the submitted entries. This may become moot if we drop this check during automation.
Jonathan has had a couple of CNAs ask if they should assign a CVE ID—they don’t think an ID should be assigned because it was fixed a year ago but now the researcher wants it to go public. It would be nice if Jonathan could get some assistance writing a paper to show the downstream effects of CVE IDs to show why assigning an ID is important (asking for the Board’s help in creating a document). Jonathan will send out a couple of sentences to the Board mailing list to ask for assistance in writing a document to show the importance of assigning CVE IDs.
If something is not in scope for CVE ID, but through a chain of events, causes a vulnerability—what should be done? Nothing in the Rules to address this scenario. Also, Jonathan recommends renaming “Counting Rules” to “Assigning Rules.”
There are a couple of instances where researches have gone public before the CNA is ready. One interpretation is that the CNAs must populate the entry as soon as it becomes public; another interpretation is that the CNAs must populate the entry as soon as they (the CNAs) make it public. A related process issue that results from this is that if someone contacts MITRE to ask who the CNA is (if a researcher publishes the CVE), Jonathan cannot tell them who the CNA is (for privacy reasons). MITRE is put in the middle in many circumstances. Is it possible to have something that points to a private database?
Jonathan: Do we want to make it a rule that reservations are tagged with the CNA, or do we want to keep it as a voluntary basis? Kent reminds everyone that we cannot force the CNAs to do anything, as it is a voluntary program. This is a matter of communication and needs to be handled on a case-by-case basis. We need to ask the CNA list (and document to make it official) about the issue discussed above regarding tagging a CVE with CNA. As a CNA, Kent does not feel that CVE ID reservations should be tagged with the reserving CNA name. However, for the process issue described, Kent had no concerns with giving external folks who inquired about a reserved but public CVE ID the name of the assigning CNA and pointed their way in these cases.
Summary of Action Items
CVE Board Meeting 25 April 2018.docx (33K) Download Attachment
|Free forum by Nabble||Edit this page|