CVE Board Meeting Summary - 7 March 2018


Coffin, Chris

CVE Board Meeting 7 March 2018

Board Members in Attendance

Andy Balinsky (Cisco)

William Cox (Black Duck Software)

Kent Landfield (McAfee)

Scott Lawler (LP3)

Pascal Meunier (CERIAS/Purdue University)

Scott Moore (IBM)

Kurt Seifried (Red Hat/DWF)

Taki Uchiyama (JPCERT/CC)

Dave Waltermire (NIST)

Members of MITRE CVE Team in Attendance

Chris Coffin

Christine Deal

Jonathan Evans

Kevin Greene

Joe Sain

Anthony Singleton

George Theall

Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:15: Working Groups 

  • Strategic Planning – Kent Landfield
  • Automation – George Theall

2:15 – 2:30: CNA Update

  • DWF – Kurt Seifried
  • JPCERT – Taki Uchiyama
  • MITRE – Jonathan Evans

2:30 – 3:30: Automation Working Group Way Forward

3:30 – 3:45: Next Steps for CNA Coordination Working Group

3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting

  • Previous Action Item: Kent Landfield to make minor addition to Board Charter Proxy Voting language and re-send to the Board
    • Status: In progress
  • Previous Action Item: MITRE to set up meeting with NIST to discuss JSON data format
    • Status: Done; meeting held 2/28. NIST presented a few concerns with the JSON format: the primary one is that the information includes only URLs; they are also concerned about whitespace differences and some encoding characters.
  • Previous Action Item: Discuss Automation Working Group Projects, way forward for the WG
    • Status: Done; Automation WG is on today’s agenda
  • Previous Action Item: MITRE to set up a Google Group for CNA Collaboration
    • Status: Done; group was set up for testing on 3/5 (you must have a Google account to participate)
  • Previous Action Item: Kent Landfield to write a message for the CNA list that describes the CNA Coordination Working Group
    • Status: Not yet done

Agenda Items

Board Working Groups

Strategic Planning Working Group (Kent Landfield)

ISSUES: There is an issue with the way we set up CNAs; we need to be more focused on scope. Some CNA scopes are too broad, allowing CNAs to do things outside their intended area. We need to define the scope narrowly up front and expand it once a CNA has proven to be a good citizen of CVE. There was also a request for potentially identifying researchers.

Some time was allotted to automation working group issues.

ACTIONS: N/A

BOARD DECISIONS: N/A

Automation Working Group (George Theall)

We had a proposal on how to support NIST using GitPilot to import data into the NVD. We had a simple set of requirements to test (reference source and name), using aliases. George owes the Board a revised proposal, hopefully within the next week. The group also talked about the CNA registry. Several members (including Dave Waltermire) will send updates to George so that he can assemble a draft and send it to the Board for approval.

ISSUES: N/A

ACTIONS: N/A

BOARD DECISIONS: N/A

CNA Updates

DWF (Kurt Seifried)

STATUS: Has had some requests from Sajeeb Lohani that are not valid; this person is now complaining to MITRE. Kurt will send him the guidance slides. Discussion followed; the root CNA (DWF) needs to set its own policy for handling nuisance CVE requests going forward.

Grammar issues in pull requests. People submitting problematic pull requests need to be given a deadline to clean them up, after which the requests will be rejected. Some suggested two weeks; Dave Waltermire suggested three weeks instead, and all on the call agreed. The discussion of the workflow may need to be picked up later.

ISSUES/DISCUSSION: None

ACTIONS: N/A

JPCERT (Taki Uchiyama)

STATUS: We’ve had one vendor ask about becoming a CNA. We sent him some information on how to become a CNA but have not yet followed up.

MITRE (CVE Team)

STATUS: Sajeeb Lohani requested to become a CNA; I have no intention of making him a CNA, but I'll follow up with him and talk through the process with him. Hillstone (a Chinese company) requested to become a CNA, but their spoken English is not good enough for us to communicate over the phone. This will make training difficult, if not impossible.

Sangoma would like to be the CNA for all VoIP products. Chris Coffin stated that we probably need to bring in vendors at their own scope and then see how they do before expanding their coverage.

Kurt suggested we include languages spoken as part of the CNA repository.

DISCUSSION: N/A

ACTIONS: None

Automation Working Group Way Forward

DISCUSSION: One of the problems with the Automation WG now is that it is far too tactical: we are not getting any documented requirements. We need to look at the four projects we've identified and figure out how to handle them in parallel.

  1. Shared ID allocation service requirements project
  2. CNA registry capability requirements project
  3. CNA Authorized Automated Submissions project
  4. JSON Data Exchange Format requirements project

We should make the transition to restructure the Automation WG sooner rather than later so that we can get requirements down on paper.

We need a different way of operating in order to be more effective and accomplish more work. Currently we tackle a single technical topic, maybe two, often use the whole hour, and end up making one or two small decisions. That mode of operating will not give us the bandwidth to tackle the projects in front of us. We need to think more strategically about how to organize the group and provide more leadership.

We should focus on forming project teams and then let the project teams self-organize around what resources they need to be effective and how often they need to meet. Someone should be identified as the leader of the overall Automation WG. Kurt recommended Kent Landfield; Kent said Dave Waltermire had someone in mind for this role (Chris Johnson, NIST). He has project management experience and would be dedicated to this role. Dave plans to nominate Chris Johnson as a Board member.

ACTION: Automation WG will discuss the projects and new structure in the next meeting. Chris Coffin will set up a meeting between Chris Johnson, Dave Waltermire, George Theall, and Chris Coffin to discuss.

Next Steps for CNA Coordination Working Group

DISCUSSION: We sent a test invite to Kent Landfield and he pointed out that you have to have a Google account to participate.

Kent mentioned that there were three issues around opening up CNA community:

  1. Creating CNA Collaboration WG;
  2. Create CNA liaison Board representative (should they be the Chair of the CNA Collaboration WG?);
  3. Having two online events a year in conjunction with the annual CNA summit (the only pushback heard was from Tom Millar, who suggested starting with one online event and adding another later if possible).

ACTION: N/A

Open Discussion

Summary of Action Items

  • Strategic Planning WG to discuss rules of escalation above root CNAs
  • Additional thinking needed to go into the workflow for rejecting old pull requests, put on agenda for a later discussion
  • MITRE will begin rejecting invalid pull requests after 21 days
  • Have a discussion on language formats for CVE entries (Should CVE entries be required to use English language?), put on agenda for later discussion
  • Automation WG to discuss the new project groups and initiate that process
  • Set up a meeting with NIST to discuss Automation WG roles and responsibilities


Significant Decisions:

None