CVE Board Meeting 7 March 2018
Board Members in Attendance
Andy Balinsky (Cisco)
William Cox (Black Duck Software)
Kent Landfield (McAfee)
Scott Lawler (LP3)
Pascal Meunier (CERIAS/Purdue University)
Scott Moore (IBM)
Kurt Seifried (Red Hat/DWF)
Taki Uchiyama (JPCERT/CC)
Dave Waltermire (NIST)
Members of MITRE CVE Team in Attendance
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:15: Working Groups
2:15 – 2:30: CNA Update
2:30 – 3:30: Automation Working Group Way Forward
3:30 – 3:45: Next Steps for CNA Coordination Working Group
3:50 – 4:00: Action items, wrap-up – Chris Coffin
Review of Action Items from Last Meeting
Board Working Groups
Strategic Planning Working Group (Kent Landfield)
ISSUES: There is an issue with the way we set up CNAs; we need to be more focused on scope. Some of the scope issues are too broad, allowing CNAs to do things outside of their scope. We need to focus the scope upfront and expand once they prove good citizens of CVE. There was a request for potentially identifying researchers.
Some time was allotted to automation working group issues.
BOARD DECISIONS: N/A
Automation Working Group (George Theall)
We had a proposal on how to support NIST using the GitPilot to import data to the NVD. We had a simple set of requirements to test (ref source, and name), using aliases. George owes the Board a revised proposal, which hopefully will happen in the next week. Also talked about the CNA registry. Several members (including Dave Waltermire) will send updates to George so that he can get a draft together and send to the Board for their approval.
BOARD DECISIONS: N/A
DWF (Kurt Seifried)
STATUS: Has had some requests from Sajeeb Lohani that are not valid; this person is now complaining to MITRE. Kurt will send him guidance slides. Discussion followed; root CNA (DWF) needs to set its own policy as to how to handle nuisance CVE requests going forward.
Grammar issue in pull requests. Need to give people submitting problematic pull requests a deadline to clean up requests (or requests will be rejected). Some suggested to give them 2 weeks to correct the request. Dave Waltermire suggested perhaps 3 weeks instead; all on call agreed. May need to pick this discussion up later to talk about the workflow.
JPCERT (Taki Uchiyama)
STATUS: We’ve had one vendor ask about becoming a CNA. We sent him some information on how to become a CNA but have not yet followed up.
MITRE (CVE Team)
STATUS: Sajeeb Lohani requested to become a CNA; I have no intention of making him a CNA, but I’ll follow up with him and talk about the process with him. Hillstone (Chinese company) requested to become a CNA, but their spoken English is not good enough for us to communicate over the phone. This will make training difficult, if not impossible.
Sangoma would like to be the CNA for all VoIP products. Chris Coffin stated that we probably need to bring in vendors at their own scope and then see how they do before expanding their coverage.
Kurt suggested we include languages spoken as part of the CNA repository.
Automation Working Group Way Forward
DISCUSSION: One of the problems with the Automation WG now is it’s way too tactical. We are not getting any documented requirements. We need to look at these four projects we’ve identified to figure out how to handle them in parallel.
We should consider going down the path of making the transition to restructure the Automation WG sooner rather than later so that we can get requirements down on paper.
We need to come up with a different way of operating in order to be more effective and accomplish more work. We’ve been tackling a single technical topic, maybe two, and we often use the whole hour and end up making one or two small decisions. The current way of operating will not allow us the bandwidth to tackle the current projects we have in front of us. We need to think more strategically about how we can organize the group and provide more leadership.
We should focus on forming project teams and then let the project teams self-organize around what resources they need to be effective and how often they need to meet. Someone should be identified as the leader of the overall Automation WG. Kurt recommended Kent Landfield; Kent said Dave Waltermire had someone in mind for this role (Chris Johnson, NIST). He has project management experience and would be dedicated to this role. Dave plans to nominate Chris Johnson as a Board member.
ACTION: Automation WG will discuss the projects and new structure in the next meeting. Chris Coffin will set up a meeting between Chris Johnson, Dave Waltermire, George Theall, and Chris Coffin to discuss.
Next Steps for CNA Coordination Working Group
DISCUSSION: We sent a test invite to Kent Landfield and he pointed out that you have to have a Google account to participate.
Kent mentioned that there were three issues around opening up the CNA community:
Summary of Action Items