CVE Board Meeting 8 August 2018
Board Members in Attendance
Mark Cox (Red Hat)
William Cox (Black Duck Software)
Beverly Finch (Lenovo)
Scott Lawler (LP3)
Pascal Meunier (CERIAS/Purdue University)
Taki Uchiyama (Panasonic)
Members of MITRE CVE Team in Attendance
Chris Johnson (NIST)
2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin
2:15 – 2:30: Working Groups
· Strategic Planning – Kent Landfield / Chris Coffin
· Automation – Chris Johnson / Dave Waltermire
2:30 – 2:45: CNA Update
· DWF – Kurt Seifried
· MITRE – Jonathan Evans
· JPCERT – Taki Uchiyama
3:15 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin
Review of Action Items from Last Meeting
Board Working Groups
Strategic Planning Working Group (Chris Coffin / Kent Landfield)
ISSUES: The first two CVE service documents that have been written up were sent to the AWG on Monday; there is still some work to be done there, but we’d like the AWG projects to pick those up and start filling them in. Since that process seemed to work, MITRE will take on putting together the drafts of the Authentication/Authorization and JSON Format service documents as well. If we need another face-to-face meeting, we will do that; otherwise, we will pass them around via email. In the last part of the meeting, we discussed the fact that the whole purpose of the group is to think about what we want CVE to look like 3-5 years down the road. There are still plenty of specifics that need to be defined, e.g., root CNAs, the Secretariat, and the Council of Roots. We have a notional idea of what those should be, but we don’t yet have them defined specifically. We can start working on that in coming meetings. MITRE will start focusing on the agenda of the next few meetings to plan how we want to start working on those items.
BOARD DECISIONS: N/A
Automation Working Group (Chris Johnson / Dave Waltermire)
ISSUES: No updates (nobody present attended the last meeting)
ACTIONS: Chris Johnson will talk to Dave Waltermire to understand if any significant discussions took place and will pass those along via the Board mailing list.
BOARD DECISIONS: N/A
DWF (Kurt Seifried)
STATUS: No updates (Kurt was not present)
MITRE (CVE Team)
STATUS: We removed two CNAs that were non-responsive. Jonathan has been talking to two CNAs and will be meeting with some CNAs tomorrow (August 9) at Black Hat.
JPCERT (Taki Uchiyama)
STATUS: Nothing to report.
MITRE is really trying to focus on getting some of the Reserved but Public (RBP) CVEs cleared out. We announced a new policy: if a CNA is behind on RBP CVE entries, we start doing a one-for-one trade. Red Hat is just about caught up (they only have a handful in their backlog). Mark Cox said he was thinking of the policy from the Apache side; there are some occasions where they are not ready to publish a CVE but it was leaked by a researcher. Could we just put a placeholder in and then, when ready, fill it in properly? There will be special cases from time to time that need to be handled separately.
Chris asked if anyone had anything to discuss. Pascal would like to discuss smart contract vulnerabilities, but thinks Kurt should be present for the discussion. Chris Coffin said it might be worthwhile for Pascal to re-distribute the background information with the group (started on July 9 with an email from Jericho).
One thing we can start talking about is CNA rules changes and the specifics of things that have been brought up.
Summary of Action Items
Meeting recording available here: https://handshake.mitre.org/file/view/15205910/cve-board-meeting-8-august-2018