CVE Board Meeting summary - 1 April 2020


Bazar, Jo E.

CVE Board Meeting – 1 April 2020

Members of CVE Board in Attendance

Tod Beardsley, Rapid7

Patrick Emsweller, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Moore, IBM

Lisa Olson, Microsoft

Shannon Sabens, Trend Micro

Kathleen Noble, Intel

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance

Jo Bazar

Christine Deal

Jonathan Evans

Chris Levendis

Lew Loren

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 3:00: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Jonathan Evans/Dave Waltermire
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield

 

3:00 – 2:45: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans
  • Root CNA Prospects – Jonathan Evans/Jo Bazar

 

2:45 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up


Action Items (carried over from previous meetings)

Each item below lists: #, Action Item, Responsible Party, Status, Comments.

1.23.1
Action Item: Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).
Responsible Party: MITRE (Evans)
Status: Completed
Comments: MITRE assembled a list of guidance priorities and other areas of the program; the top priorities are listed below:

  1. How to submit entries to MITRE using the web form (CNA Submission process)
  2. CVE ID assignment rules (Counting): DRAFT sent to CNACWG and OCWG for input
  3. Becoming a CNA: DRAFT sent to CNACWG and OCWG for input
  4. CVE Program (includes Root structure)
  5. How to request that the MITRE CNA populate a CVE entry (CNA Process)
  6. How to create a CVE Entry (CNA Entry creation)

1/8 Update: Draft videos are uploaded to YouTube; CNACWG and OCWG will provide feedback no later than January 17.

2/5 Update: Feedback received from CNACWG and OCWG.

2/19 Update: Videos will be available on YouTube by April 1, 2020.

4/1 Update: CNA Onboarding videos posted to the CVE website.

10.30.02
Action Item: Update the RBP (Reserved But Public) threshold policy to include consequences for CNAs with backlogs over the specified threshold.
Responsible Party: MITRE (Jonathan E./Jo B.)
Status: In Process
Comments:

11/13 Update: RBP policy drafted and being reviewed by the CVE team. The policy document will be sent to the CVE Board for awareness.

4/1 Update: Policy approved by Chris L.; the CVE website is being updated.

02.19.01
Action Item: Identify the industries of active and pipeline CNAs to get a complete picture of the CNA profile.
Responsible Party: OCWG
Status: In Process
Comments: Assigned 2/19/2020.

02.19.04
Action Item: Develop a strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.).
Responsible Party: SPWG
Status: Not Started
Comments: Assigned 2/19/2020.

3.18.02
Action Item: QWG to develop a definition of the EOL (end-of-life) tag for presentation to the CVE Board. Once defined, the next step is to document the entire process.
Responsible Party: Lisa Olson/Jonathan E. (MITRE)
Status: Not Started
Comments: Assigned 3/18/20.

3.18.03
Action Item: Send action items from the CVE Global Summit for review/input. Once reviewed, add the action items to the CVE Board meeting minutes.
Responsible Party: Jo B. (MITRE)
Status: In Process
Comments:

4/1 Update: Sent CVE Global Summit action items to the CVE Board for review on 3/26; feedback due by 3/31/2020.

3.18.04
Action Item: Develop a write-up to send to the CNAs via the CNA mailing list to get their feedback on the JSON 5.0 90-day transition.
Responsible Party: Lew L. (MITRE)
Status: In Process
Comments:

4/1 Update: Lew sent the email to the CNA mailing list on 3/30.

 

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens 
    • OCWG meeting held on March 27, 2020:  
      • CVE Logo roll-out plan: Shannon sent an email to CNAs about CVE logo usage. There are two CNAs using the CVE logo; one is using it internally, and the other is using it on their website.
      • Chris provided an update on the trademark CVE logo; the trademark is expected to be completed within 3 to 4 weeks. Legal is working on the trademarking.
      • CNA Newsletter: The OCWG is developing a newsletter that is focused on issues/topics of interest to CNAs. The first newsletter is scheduled to be published on June 15. The group also talked about adding a blog on the new website that only CNAs can access.
      • CNA Welcome kit: The OCWG discussed a kit for incoming CNAs that provides what is going on in the program, WG updates, how to join a WG, etc. The CNA newsletter could be used to fulfill this request.
      • CNA Active and Pipeline: The group was tasked with identifying prospective CNAs by region, sector, and industry.
        • Chris explained that focusing on Energy and Communications should be a priority.
        • Shannon explained that getting one of the leaders in a sector is key to getting others in the sector to join the CNA Program (e.g., Tesla).
        • Chris explained the priority will be based on the types of leads. If we have a great lead in the water sector and a not so great lead in the energy sector, we will follow the better lead. 
        • The goal of the federated strategy, for the voluntary participants in those sectors, is to mobilize them as they enter the CNA Program and empower them to advocate for the program.
        • Shannon explained some of the leads will be organic, as she has contacts in automotive, finance, and energy that she will be reaching out to.

  • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • CNACWG meeting held on March 25, 2020:
      • Kicked off a survey for new meeting times for the new globalized federated program. Survey results are being collected.
      • Documented a CVE ID transfer process from one CNA to another.
  • Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
    • QWG meeting held on March 19, 2020:
      • Creating the requirements the AWG needs for the new JSON format:
        • Tagging
        • New fields for NVD's needs
        • GitHub's proposal for packaging
      • No decisions were made.
  • Automation Working Group (AWG): Lew Loren
    • AWG meeting held on March 30, 2020:
      • 90-day transition period to accommodate the move from the GitHub submission service to the Entry Submission and Upload Service (ESUS). Barring any concerns, the transition period will start at the next planned AWG meeting on April 13. CNAs' concerns about the transition time will be discussed at the April 13 meeting.
        • Lew explained the 4 phases:
          • Phase 1: Service is available, not connected to the database
          • Phase 2: Same code, connected to the database (dummy data)
          • Phase 3: Deployed in the cloud and connected
          • Phase 4: Tested in the cloud and confirmed working, then connected to the system of record
        • David suggested that the 90-day window start at Phase 4.
        • Lisa Olson explained that for her development team, a non-GitHub service will be less difficult.
        • David suggested clearly documenting the milestones: clarify when the 90-day transition begins and when the other services (ID allocation services) are included in the plan.
        • The group agreed to further discuss and address the concerns at the April 13 AWG meeting.
      • The current version of the JSON 5.0 schema is here. Changes requested during the transition will be handled as follows:
        • If the requirements for a change can be determined at least one month prior to the end of the transition period and the change is not prohibitively difficult to implement, it will be incorporated into the 5.0 schema.
        • If the requirements cannot be determined one month prior to the end of the transition period, or the change is difficult to implement, it will be included in the 5.1 update.
      • Transition plan from GitHub to the Entry Submission and Upload Service developed. Refer to the AWG meeting notes for the detailed plan.
      • Entry Submission and Upload Service (ESUS): It will take about another month before ESUS is code complete.
      • Sprint process: The next two weeks will be used as a dry run of the sprint process for ESUS development. There will be a corresponding dry run of the sprint review in the SPWG meeting on April 13.
  • Strategic Planning (SPWG) – Kent Landfield 
    • SPWG meeting was held on March 30, 2020:
    • Kent explained there was not as much participation last year, so he restructured the meeting to encourage more participation and productivity.  Listed below are the status updates:
      • CVE Board Charter updates in process, to include disbanding or pausing Working Groups.
      • AWG and SPWG working together on sprint process.
      • Draft CVE EOL process underway, to include CNA scope.
      • NVD submission guidelines, comments received and being discussed.
      • Zoom is on hold until the security issue is resolved. 
      • Website development meeting being set up to review new website with WG chairs.

CNA Updates

  • MITRE: Jo Bazar
    • Requests to become a CNA
      • Received three CNA requests since the last CVE Board meeting (held on 3/18/20).
    • On-Boarding
      • Conducted one onboarding session since the last Board meeting.
      • No CNA onboarding sessions scheduled.
    • CNA Announcements and News
      • No CNA announcements since the last CVE Board meeting.
      • There are now 116 CNAs participating in the program in 21 countries.
      • 87 CNAs in the pipeline in total: 7 from Q2, 15 from Q3, 15 from Q4, and 25 from Q1 '20 so far.
      • Four pending CNA announcements.
        • 2 CNAs in the process of preparing press releases.
        • Draft press release received for CNA1; the press release was reviewed, feedback was provided, and a quote was provided by the CVE Board (thank you, Kent).

  • JPCERT - Jonathan Evans
    • No Updates.
  • Root CNA Prospects – Jonathan Evans/Jo Bazar
    • R-CNA1 Root update: Jonathan and Jo met with R-CNA1 and reviewed the list of tasks that need to be completed before it becomes a Root. The timeline for R-CNA1 to be fully functioning is 90 days.
      • MITRE to develop a timeline for when the milestones are to be completed.
      • MITRE to set up a meeting with R-CNA1 to discuss the timeline and milestones.

 

Open Discussion Items

§  CVE Website: On the CNA participants section of the CVE website, need to update MITRE to include secretariat, Root CNA and Program Root CNA roles. 

 

Action Items from Board Meeting held on 1 April 2020

Each item below lists: #, Action Item, Responsible Party, Status, Comments.

4.1.01
Action Item: Update templates (Word, PowerPoint) with the new CVE logo.
Responsible Party: Christine Deal (MITRE)
Status: Not Started
Comments: Assigned on 4/1/2020

4.1.02
Action Item: Lew and the development team to develop a more granular set of milestones for the April 13, 2020 AWG meeting.
Responsible Party: Lew Loren (MITRE)
Status: Not Started
Comments: Assigned on 4/1/2020

4.1.03
Action Item: Lew and Dave to meet to review the milestones before the April 13 AWG meeting.
Responsible Party: Lew Loren (MITRE)
Status: Not Started
Comments: Assigned on 4/1/2020

4.1.04
Action Item: Develop a Non-responsiveness Policy to address CNA1, which continues to be unresponsive.
Responsible Party: Jo Bazar (MITRE)
Status: Not Started
Comments: Assigned on 4/1/2020

4.1.05
Action Item: Develop milestones and a timeline for RCNA1 and set up a follow-up meeting in the next two weeks.
Responsible Party: Jo Bazar/Jonathan E. (MITRE)
Status: Not Started
Comments: Assigned on 4/1/2020

4.1.06
Action Item: Update the CVE website to include Secretariat next to MITRE.
Responsible Party: Jo Bazar (MITRE)
Status: Completed
Comments: Assigned on 4/1/2020

4.1.07
Action Item: Formalize Council of Roots responsibilities in anticipation of new Roots joining the program.
Responsible Party: SPWG
Status: Not Started
Comments: Assigned on 4/1/2020

 

Board Decisions

None

Next CVE Board Meeting 

Wednesday, April 15, 2020 at 2:00PM EDT

 

 


Attachment: CVE_Board_Meeting_1 April 2020 FINAL.pdf (560K)