CVE Board Meeting 30 May 2018
Board Members in Attendance
William Cox (Black Duck Software)
Beverly Finch (Lenovo)
Kent Landfield (McAfee)
Scott Moore (IBM)
Kurt Seifried (Red Hat)
Taki Uchiyama (Panasonic)
Andy Balinsky (Cisco)
Members of MITRE CVE Team in Attendance
2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin
2:15 – 2:30: Working Groups
· Strategic Planning – Kent Landfield
· Automation – Chris Johnson, Dave Waltermire
2:30 – 2:45: CNA Update
· DWF – Kurt Seifried
· MITRE – Jonathan Evans, Nick Caron
2:45 – 3:15: Establishing the QA Working Group – Jonathan Evans
3:15 – 3:30: Amazon Alexa Vulnerability Update – Chris Coffin
3:30 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin
Review of Action Items from Last Meeting
Board Working Groups
Strategic Planning Working Group (Chris Coffin / Kent Landfield)
ISSUES: The MITRE CVE team is working on the services as part of the roles/structure of the program. Planning to get a start on the CONOPS this week; that will hopefully tie together the services and the roles tied to each service. We need to prioritize the services we want to hand off to the AWG. We also put together a “save the date” for a meeting in Gaithersburg, MD at the end of June (26-29 June). The user registry service is also being incorporated into the user stories.
BOARD DECISIONS: N/A
Automation Working Group (Chris Johnson / Dave Waltermire)
ISSUES: Chris Johnson asked that people review the issues (categorizing, tagging) in the GitHub tracker with the aim of parsing them out to the various project teams. There was an updated status on phase 3 of the git pilot. Providing meeting updates to the NVD folks about workflows was discussed, as was how to start up the project teams and who would participate in them. The Board vote on the charter is due on 5/31, but it is not an official vote (silence begets acceptance, since only MITRE can call for a vote).
ACTIONS: Chris C. to check with Chris Johnson to verify the approval process for the Automation WG charter.
BOARD DECISIONS: N/A
DWF (Kurt Seifried)
STATUS: Working on making Xen and PHP CNAs.
MITRE (CVE Team)
STATUS: Jonathan contacted the four CNAs who have not been in contact in a long time and got a response from two. Those two (Qihoo 360 and MarkLogic) would like to remain CNAs, and one (Qihoo 360) expressed an interest in expanding their coverage; if that happens, they would be more active. Kurt said Qihoo 360 has released reports on other products (Xen) and that they are very good, high-quality, detailed reports. Taki also said he has worked with 360 and agreed that they provide good reports.
The notification emails Jonathan sent to two of the CNAs in question bounced, but the public email address was still active in both cases.
ABB (Swiss) requested to become a CNA; they do robotics for industrial production.
Establishing the QA Working Group (Jonathan Evans)
DISCUSSION: At the last Board meeting, we discussed issues with including CVSS scores/vectors in descriptions, and that expanded into a discussion on what the quality of a description should be. Perhaps we should develop a group that can make those decisions rather than just MITRE making all of the decisions. Based on what I originally wrote, CVSS vectors would have been permissible in a description. We could split this off and create a WG that discusses quality issues. They could propose new rules for what’s allowed in a description and also produce guidance documents.
Kent: Would this be a description WG or a QA WG?
Jonathan: It wouldn’t just be for descriptions. A CVE entry isn’t just a description. It would oversee the quality of all parts of a CVE ID.
Kurt: A part of creating a good CVE is getting in good information about what the vulnerability is; it might be helpful to have guidelines on what to ask for in order to get a good (well-written) CVE. Maybe it should be a CVE usability group, with a broader scope than just quality. There is (should be?) a minimum data set required to supply to the assigner before a CVE will be assigned.
Kent: I am hearing a couple of different things: you are looking for quality of descriptions, but also the quality of other aspects of a CVE entry, and also what the guidelines for CVE submission are before it goes to the next stage.
Jonathan: Does it make sense to create that group? Is there any interest?
Kurt: I’m definitely interested in this.
Kent: I don’t have any issues if you guys want to do it. What’s required by the Charter?
Chris C: Any Board member can create a group; the safe thing to do would be to send an email out to the list to make sure there are no major issues. We can create a draft charter and send it out to the Board list for approval. Are we okay with the name QA WG, or do we need a different name?
Kurt: Maybe make it just CVE Quality WG.
ACTION: Send an email out to the list to make sure there are no major issues with forming the group. Create a draft charter and send it out to the Board list for approval.
Amazon Alexa Vulnerability Update (Chris Coffin)
DISCUSSION: We are planning to populate the CVE entry for the Amazon Alexa vulnerability by the end of the day. I’m planning to go with Tom’s update to Kurt’s proposed version. The CVE entry will be populated at 5pm ET.
Kurt: The CSA is interested in working with the CVE Board on the CVE services work; it dovetails with the work they are doing on security, trust, and automation. (Cloud Vulnerabilities WG: https://cloudsecurityalliance.org/group/cloud-vulnerabilities/#_overview)
ACTION: Kurt to send an email to the Board about the cloud services discussion.
Summary of Action Items