CVE Board Meeting 11 July 2018
Board Members in Attendance
Mark Cox (Red Hat)
William Cox (Synopsys)
Scott Lawler (LP3)
Art Manion (CERT/CC)
Scott Moore (IBM)
Kurt Seifried (CSA)
Taki Uchiyama (Panasonic)
Ken Williams (CA)
Members of MITRE CVE Team in Attendance
Chris Johnson (NIST)
Lisa Olson (Microsoft)
Introductions, open action items – Chris Coffin
CVE Board Interview with Lisa Olson, Microsoft – CVE Board
As part of the process of vetting nominations to the CVE Board, the board conducted an interview with Lisa Olson, Senior Security Program Manager at Microsoft. Lisa provided a summary of her experience and her interest in participating in the program. The Board agreed to allow a week for internal discussion prior to calling for a vote on the nomination.
Strategic Planning Working Group Face to Face meeting Readout – Chris Coffin
The SPWG Face to Face meeting was held in Gaithersburg, MD, 6/25 – 6/28. Board members in attendance were Kent Landfield, David Waltermire, Chris Coffin, and Chris Levendis. Work continued on developing projects to be handed off to the Automation Working Group (AWG) for development. The ID Allocation Service and the CVE User Registry Service will be handed over to the AWG in the near future.
Working Group Updates
Strategic Planning – Chris Coffin
Covered in SPWG Face to Face readout above.
Automation – Chris Johnson
Kurt Seifried agreed to lead the project to develop the CVE User Registry. The next step is to gather requirements.
Chris Johnson stated that NIST has noticed some irregularities in the CVE JSON files, and he will provide additional information on those observations.
Microsoft joined AWG and is working with IBM to develop their submission signing processes.
DWF – Kurt Seifried
Kurt is working to mint Jenkins, Xen, and PHP as sub-CNAs.
Kurt will inform the board on the status of the CSA effort to stand up a new working group.
DWF has caught up on the backlog of new CVEs.
MITRE – Jonathan Evans
KrCERT/CC has asked to be a root CNA. Documentation is being prepared to help them become a Root CNA.
Jonathan talked to a few potential CNAs at the FIRST conference.
JP-CERT - Taki Uchiyama
No update on whether any organizations have been approached to become sub-CNAs. Taki is unsure whether JP-CERT is actively recruiting new CNAs at this point. The current process is that when a Japanese company needs a CVE, it makes a request to JP-CERT, who then issues a CVE ID to them. This is how it has worked historically, and it appears that the process will not change for the foreseeable future.
MITRE had a call with CSA folks that brought to light an interest in exploring CVE usage in cloud services. CSA would like to investigate further, since they have lines of communication with cloud service providers. They are asking to establish a Working Group open to participation by all members of the board.
Action items, wrap-up – Chris Coffin
• MITRE to set up repo in GitHub for CVE User Registry service project.
• MITRE to send email to board for CSA cloud services Working Group.
• Board agreed to leave a week open for further discussions on the Lisa Olson Board nomination before calling a vote.