Board Members in Attendance
William Cox, Synopsys, Inc.
Kent Landfield, McAfee
Pascal Meunier, CERIAS/Purdue University
Kurt Seifried, Cloud Security Alliance
David Waltermire, National Institute of Standards and Technology (NIST)
Members of MITRE CVE Team in Attendance
Chris Johnson (NIST)
2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin
2:15 – 2:30: Working Groups
· Strategic Planning – Kent Landfield / Chris Coffin
· Automation – Chris Johnson / Dave Waltermire
2:30 – 2:45: CNA Update
· DWF – Kurt Seifried
· MITRE – Jonathan Evans
· JPCERT – Taki Uchiyama
2:45 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin
· The group agreed that Kurt will assign a CVE for this vulnerability.
· Status: Not Done
1. The Board gave approval to Kurt Seifried (CSA, DWF) to assign a CVE ID to the WordPress vulnerability that he had attempted to coordinate with HackerOne.
4) CNA Scope Issues
The Board discussed that CNA documentation around roles and responsibilities is needed; current documentation is not clear. CNAs assign CVEs within their scope. Scope may or may not cover CVEs for their customers.
o CNA Rules State - The rules state CNAs are supposed to be responsive but do not provide a specific timeframe. The rules state that if you are going to assign a CVE for a vulnerability not in one of your products, you are supposed to contact the vendor. The vendor is supposed to make a determination.
o New Approach to CNAs and Roots - A given Root has a scope, and a portion of the scope gets delegated to a CNA (i.e., a product or area of research). If a portion of the scope is not delegated to a CNA, that scope stays with the Root. It is the Root’s responsibility to do the CVE assignment as a last resort.
o Action Item – CNA Rules need to be updated to reflect this new approach
5) Eliminating duplicate CVE assignment discussion
o The Board discussed that specifying CNA scope will help eliminate duplicate CVE assignments. Art explained that having open communication with other CNAs when making CVE assignments, asking whether anyone else has already been asked for CVE IDs, and keeping this at the CNA level (not at the Root/Primary level) adds an extra operational step that will help with duplication.
o Recommendation 1: Process recommendation needs to be added to CNA training.
o Recommendation 2: CNA rules need to be updated to minimize duplicate assignments.
o Jonathan explained that duplication of CVE assignments occurs the most with DWF.
6) Researcher CNAs
o The Board discussed researcher CNAs that have ambiguous scopes. These CNAs have issued thousands of CVEs.
o Recommendation 1: Avoid adding any new researcher CNAs until there are specific qualifications and guidelines for what qualifies as a researcher CNA. This includes defined scope rules yet to be discussed.
o Recommendation 2: Make the scope naturally programmatic for researcher CNAs.
o Recommendation 3: Change the process for researcher CNAs. Who is responsible for coordinating the assignment of the IDs? Who issues the CVE ID and who populates the information? There should be an easier way for companies to request a CVE ID.
o Recommendation 4: Better define roles and responsibilities for researcher CNAs.
o Recommendation 5: Need to address the researcher CNA ambiguous scope issue before we sign up any more researcher CNAs.
o Recommendation 6: Explore the possibility of researchers participating in the CNA program without becoming CNAs.
o Recommendation 7: Need a testing/certification program for CNAs to make sure they can adequately perform their role, especially researchers.
o The Board agreed to explore better solutions to the researcher CNAs’ ambiguous scope issue.
7) Operationalize Root CNAs effectively
o Further discussion around how we can operationalize Root CNAs more effectively.
o MITRE’s role in operationalizing roots.
8) Product Type Tagging/Categorization
o As the production numbers for CVEs go up, there will be an increasing need to view a subset of the overall CVE master list.
o Define a list of common product areas/domains to be used for categorizing CVE entries (i.e., Medical devices, automotive, industrial, etc.)
o The tags/categories should be attached to the products and not the CVE entries directly.
o Product listings in the CVE User Registry would be a potential location.
Meeting recordings available here:
CVE Board Meeting 5 September 2018.docx