CVE Board Meeting 4 April 2018
Board Members in Attendance
Members of MITRE CVE Team in Attendance
2:00 – 2:10: Introductions, action items from the last meeting – Joe Sain
2:10 – 2:30: Working Groups
2:30 – 2:50: CNA Update
2:50 – 3:00: CVE GitHub landing page and Working Group Repositories – Joe Sain
3:00 – 3:30: CVE Working Groups: How should non-Board members or non-CNAs be permitted to participate? – Dave Waltermire
3:30 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Joe Sain
Board Working Groups
Strategic Planning Working Group (Kent Landfield)
ISSUES: Discussion is ongoing about roles and responsibilities, with further discussion of automation administration needs, what needs to be put in place to make roles functional, and role re-engineering as a whole. The European Union (EU) General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, will need to be accounted for in some manner; there is some disagreement over what direction should be taken (ignore it for now, or account for it? Is opt-in sufficient, or is opt-out also necessary? MITRE's lawyers hold the latter opinion). Should all products containing a person's name be outright refused for publication? A cease-and-desist could have negative effects on the program.
These should be done in the next two weeks, RSA permitting.
Conversation of GDPR ongoing.
Automation Working Group (Chris Johnson/Dave Waltermire/George Theall)
Went over outstanding issues for the working group charter. Spent some time discussing using GitHub as a collaboration tool. Joe Sain presented the current flat structure for the github.io pages for documentation, working group, and project repos. Spent some time talking about workflow and issue management, possibly using a project board in GitHub to give better views over issues.
Also discussed on the call was a potential need for more effort in nurturing the culture of using Git for CVE, with documentation being a good start to this end. Also, should the CVE web form be deprecated (a long-off to-do)?
BOARD DECISIONS: None
DWF (Kurt Seifried)
STATUS: Using automatically built descriptions, with great success in improving workflow.
ISSUES/DISCUSSION: It may be worth building a more general description generation tool to avoid various issues concerning descriptions.
MITRE (CVE Team)
STATUS: CVE is about to bring on SonicWall as a CNA, with an announcement planned for Friday. Training for Avaya, Palo Alto Networks, and Taiwan CERT is scheduled within the next week or so.
ISSUES/DISCUSSION: Getting close to the 100th CNA! It would be worthwhile to have a press release at the time of the 100th CNA to celebrate and outline the recent accomplishments of the CNA program.
MITRE has been getting a CNA request per week, and every new CNA needs to be trained (4-5 hours each), which has been time consuming. Considering creating regular sessions, one every other week, which anyone (potential or current CNA) can sign up for, with a test for candidates to determine their understanding of the material.
CVE GitHub landing page and Working Group Repositories: Joe Sain
ISSUES: Mostly covered elsewhere, though feedback on the current look and feel is welcome! Directory structure formation is ongoing.
BOARD DECISIONS: None
CVE Working Groups: How should non-Board members or non-CNAs be permitted to participate? Dave Waltermire
DISCUSSION: Chris Johnson is working on project descriptions for WG projects, and once those are complete, we will be looking to bring in hands to work on said projects. Can we bring in outside people to this end? Working group charter says yes.
BOARD DECISIONS: None
CVE ID “OWNERSHIP” TRANSFER:
DISCUSSION: CVE IDs may need to transfer "ownership" (which CNA has a given ID in its block) for a variety of reasons, though this is currently tracked only internally at MITRE due to privacy concerns. A protocol may be necessary for mutual agreement and the ID transfer process. This problem becomes much easier if ownership is tracked externally and kept in the public CVE data itself, tying back to the Automation Working Group discussion on publishing ID "ownership" and the resulting abolishment of blocks (the ID request API replacing block requests).
ACTIONS: None, conversation ongoing.
CVE JSON Modifications to Support NVD:
DISCUSSION: Reference name and source attributes were added to the JSON schema, which will go live on 4/5/18 unless immediate objections are raised. The discussion concluded that a JSON schema should exist to check NVD data against, to ensure validity when it is provided. MITRE at the current time will only be checking against the minimum schema (for example, MITRE does not currently validate CVSS scores, if included).
There was a discussion regarding whether there is a need to create another schema file that would allow people to validate their JSON; no action was taken to do so at this time.
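As an added illustration of the "minimum schema" check described above (example code, not MITRE's validator or the CVE project's own code), the following routine checks a constructed record for required structure and for the reference name and source attributes, while deliberately not inspecting any CVSS data. The field names (CVE_data_meta, references.reference_data, name, refsource, impact) are assumed from the CVE JSON 4.0 layout and are not taken from the minutes.

```python
import json

# Constructed sample record in the CVE JSON 4.0 layout (assumed field names;
# the ID and URLs are placeholders, not real identifiers). The second
# reference is missing the new name/refsource attributes, and the CVSS
# score is deliberately nonsensical to show it is not validated.
SAMPLE_RECORD = json.loads("""{
  "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
  "CVE_data_meta": {"ID": "CVE-0000-0000", "ASSIGNER": "cna@example.invalid"},
  "references": {"reference_data": [
    {"url": "https://example.invalid/advisory", "name": "Vendor advisory",
     "refsource": "CONFIRM"},
    {"url": "https://example.invalid/patch"}
  ]},
  "impact": {"cvss": {"baseScore": 99.0}}
}""")

REQUIRED_TOP = ("data_type", "data_format", "data_version",
                "CVE_data_meta", "references")
REQUIRED_REF = ("url", "name", "refsource")


def minimum_schema_problems(record):
    """Return a list of problems found by a minimum structural check.

    Required structure and the reference name/source attributes are
    checked; optional impact data such as CVSS is not validated at all,
    matching the stance described in the minutes.
    """
    problems = []
    for key in REQUIRED_TOP:
        if key not in record:
            problems.append(f"missing top-level field {key!r}")
    meta = record.get("CVE_data_meta", {})
    for key in ("ID", "ASSIGNER"):
        if not meta.get(key):
            problems.append(f"CVE_data_meta missing {key!r}")
    refs = record.get("references", {}).get("reference_data")
    if not isinstance(refs, list) or not refs:
        problems.append("references.reference_data must be a non-empty list")
        return problems
    for i, ref in enumerate(refs):
        for key in REQUIRED_REF:
            if not isinstance(ref.get(key), str) or not ref[key]:
                problems.append(f"reference {i} missing {key!r}")
    return problems


if __name__ == "__main__":
    for problem in minimum_schema_problems(SAMPLE_RECORD):
        print(problem)
```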
NEXT BOARD MEETING DURING RSA SECURITY CONFERENCE:
DISCUSSION: The Board discussed the fact that the next scheduled meeting falls during the RSA Security Conference and that a number of Board members would be attending the conference.
ACTIONS: Next board meeting rescheduled due to RSA.
Summary of Action Items:
Attachment: CVE_Board_Meeting_Summary_4_April_2018.pdf