CVE Board Meeting – 10 June 2020

Members of CVE Board in Attendance
- Chris Coffin, The MITRE Corporation (MITRE At-Large)
- Patrick Emsweller, Cisco Systems, Inc.
- Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)
- Kent Landfield, McAfee
- Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)
- Scott Moore, IBM
- Kathleen Noble, Intel Corporation
- Shannon Sabens, Trend Micro/Zero Day Initiative (ZDI)
- Takayuki Uchiyama, Panasonic Corporation
- David Waltermire, National Institute of Standards and Technology (NIST)
- Ken Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance
- Christine Deal
- Jonathan Evans
- Chris Levendis
- Lew Loren
Agenda
2:00 – 2:15: Introductions, action items from the last meeting
2:15 – 3:00: Working Groups
- Outreach and Communications Working Group (OCWG): Shannon Sabens
- CNA Coordination Working Group (CNACWG): Tod Beardsley
- Quality Working Group (QWG): Jonathan Evans/Dave Waltermire
- Automation Working Group (AWG): Lew Loren
- Strategic Planning Working Group (SPWG): Kent Landfield
3:00 – 3:30: Root CNA Update
- MITRE: Jo Bazar
- JPCERT: Jonathan Evans
- Root CNA Prospects: Jonathan Evans/Jo Bazar
3:30 – 3:50: Other discussion items
- CVE Board Resignation – Andy Balinsky
- Publishing RBP Metrics
  - The next time we discuss this topic, we have two questions:
    - Should we do it?
    - When/how should we do it?
- Sponsor Liaison Board position
- CNA Response Timeframes – Tod Beardsley
3:50 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up
Review of Action Items from Board Meeting held on 27 May 2020

# | Action Item | Responsible Party | Status | Comments
02.19.01 | Identify the industries for active and pipeline CNAs to get a complete picture of the CNA profile. | OCWG | Completed | 5/27 Update: The group reviewed the active and pipeline CNAs and has begun to assign industries. 6/10 Update: The group finished identifying the industries of current and pipeline CNAs; moving forward, MITRE will document the industry when CNAs join the CNA program.
02.19.04 | Develop strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.). | SPWG | Not Started | Assigned 2/19/2020.
4.1.04 | Develop Non-responsiveness Policy to address CNA1 that continues to be unresponsive. | Jo Bazar (MITRE) | Pending | 5/13 Update: Pending feedback from CNACWG. CNACWG will provide a recommended response time for CNAs to respond to MITRE requests.
4.1.07 | Formalize Council of Roots responsibilities in anticipation of new Roots joining the program. | SPWG | In progress | Assigned on 4/1/2020.
4.29.02 | Update the CVE Board charter to address exceptions issues regarding CVE Board member voting. | Kent L. | Completed | 6/10 Update: CVE Board Charter 3.2 approved on June 2, 2020.
5.13.02 | Take the lead for developing a proposal about the approach for the automated vulnerability identification workshop, including an initial target participant list, and report back to the next CVE Board Meeting on May 27, 2020. | Kent L. | In Process | 6/10 Update: Recommend shifting the report-back date to June 24, 2020.
5.27.01 | Provide an updated list of vendors who have requested CVE IDs but are not CNAs to the OCWG. | Jonathan E. (MITRE) | Completed | 6/10 Update: Jonathan provided updates on May 29, 2020.
5.27.02 | Schedule a meeting to discuss DWF Postmortem, lessons learned, and opportunities moving forward. | Katie N. | Completed | 6/10/20 Update: Meeting scheduled for June 9, 2020, at 2:00pm EDT. The next step is to write up Post-Mortem notes; action item 6.10.04 created.
5.27.03 | Start list of suggestions for next CNA Rules update. | Jo B. (MITRE) | Completed | 6/10 Update: Email was sent to the CVE Board; it included a link to the CNA Rules v3.1 redline document and the list of CNA rules changes. Next steps: go through, mark necessary changes, further discuss with Board and CNACWG; action item 6.10.05 created.
Working Groups

- Outreach and Communications Working Group (OCWG): Shannon Sabens
  - OCWG meeting held on May 29, 2020
    - Shannon said that the group is spread out and doing too many things; it needs to focus on its prime directive, which is outreach to potential CNAs (and reaching out more broadly into the community). In short, the podcast we want to do has run into logistical challenges and will not be ready for tomorrow. Shannon will meet with Tod and Jo next week to reschedule. She will update the Board after they meet.
    - Jay Gazlay told the group that CISA is onboarding someone at the end of July whose job will be solely to recruit CNAs.
    - The next OCWG meeting is June 12, 2020.
- CNA Coordination Working Group (CNACWG): Tod Beardsley
  - CNACWG meeting held on June 3, 2020
    - No update
    - The next CNACWG meetings are June 17 & 18, 2020. The US and Euro meetings will be held on June 17 and the Japan meeting will be held on June 18.
- Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
  - QWG meeting held on May 28, 2020
    - We have been talking through tagging and have come to a consensus in the WG on the set of tags we would like to support initially at the container level: EOL (at time of assignment) and exclusively hosted service. We are starting to talk about the disputed tag, although we have not come to a consensus on that. We have also come to consensus on the list of reference tags (which are basically characterizations of which type of reference the CVE data format uses). We have added a few, based on reference types that NVD uses, and changed the names of a couple; the final list is out on the SharePoint site. We have started conversations with the AWG regarding how to get that deployed in the format; we talked about that yesterday. It looks like we are going to enumerate those tag values in the format. That is work we are coordinating with Joe Whitmore to get addressed in the format. Continuing to talk about tagging: two areas of focus are how we provide for extensibility in the tagging process (so if a CNA wants to use an experimental tag, how would they go about doing that?), and formalizing the process by which we will vet, review, and approve new tags, both for the reference type tags and the container-based tags. We are brainstorming right now about how much review we need, which WGs need to provide feedback, whether the Board needs to approve, etc. We are hoping to have that conversation tomorrow.
    - The next QWG meeting is June 11, 2020.
- Automation Working Group (AWG): Lew Loren
  - AWG meetings held on June 2 and 9, 2020
    - Overall, it is steady as she goes. Since the last Board meeting, we have continued to have conversations about minimum requirements for the rollout of the AWG services; in particular, we have gone through the Entry Submission and Upload (ESUS) service. We are in the process of turning to the user registry discussion. My expectation is that once we move through that one, we should be done identifying the minimum viable product (MVP) services. Simultaneously, we have been having meetings about the new website, the content that should go in, and how it should be organized. There is some crossover work between the AWG and QWG pertaining to the tags. This conversation is occurring early enough that I am not anticipating any issues incorporating it into the JSON 5.0 schema for the initial rollout. We are finishing up the sprint on the AWG services; we asked Kent to carve out time in the SPWG so we can discuss that on Monday.
    - Dave: Brought up on the last AWG call that they want to create a registry of current tags with definitions, so they have started brainstorming on that. We need to determine how to operationalize that. We also need to think about providing guidelines for how they should be used (e.g., the EOL tag could point to an EOL document).
    - Chris: Thanks to everyone who has participated in the MVP discussions and website discussions (card sorting). That will make the Phase 1 services more effective and will make the website better.
    - User registry MVP discussions: we still have two meetings to go. It is important to have these discussions so that we ensure the services do what they have to do in Phase 1. The meetings go into what we want the end state to look like, and we pare back from there.
    - The next AWG meetings are June 16 and 23, 2020.
- Strategic Planning Working Group (SPWG): Kent Landfield
  - SPWG meetings held on June 1 and 8, 2020
    - We are in the final throes of the EOL process document and will soon be bringing that to the Board for a vote. CNAs were given two weeks to comment; we have had discussions, but no comments that would affect the document. The document was sent to the tech editor (Christine) on June 8; we hope to get that tech edited by Monday’s meeting. There has been good participation on the SPWG, which is appreciated. The next step is to present the EOL document (after tech editing and adjudication) to the Board for a vote.
    - At the next SPWG meeting, we will hold a voice vote on the SPWG charter. We are also having a discussion with the AWG concerning their sprint planning for the last sprint before they stand up the production services, and some User Registry requirement questions. We do not want to stand in the way of their progress.
    - We are currently developing an official Terms and Definitions document, which will be useful during the development of the website and for standardizing terms across documents. We had a good discussion; it is something we need as a program so that we are all speaking the same language. Hopefully, the Terms and Definitions document will be done by the end of July.
    - I am trying to get a workshop going around creative ways to deal with Open Source (OS) and OS-related issues. This automation workshop, which involves fuzzing and other automated approaches to CVE, is under development (planning has begun).
    - Chris L: When we get to the point where we are doing the automated workshop, does anybody object to my inviting the CWE group to that? There might be some value to the CWE side of things. May change depending on the agenda. (Nobody voiced an objection.)
    - There is one more vote in the short term: the exceptions vote (regarding Chris Coffin’s participation).
    - The next SPWG meetings are June 15 and 22, 2020.
Root CNA Update

- MITRE: Jo Bazar
  - Received two CNA requests since the last CVE Board meeting (held on 5/27/20).
  - Zero onboarding sessions since the last CVE Board meeting.
  - Three CNA onboarding sessions scheduled in June.
  - CNA Announcements and News
    - One CNA announcement since the last CVE Board meeting: Xiaomi
    - There are now 128 CNAs participating in the program in 21 countries.
    - 105 CNAs in the pipeline in total: 15 in Q3’19; 16 in Q4’19; 23 in Q1’20; and 20 in Q2’20.
    - No pending CNA announcements.
  - CNAs missing disclosure policies and/or advisory locations (as required by CNA Rules 3.0)
    - We have emailed the 19 CNAs that are missing disclosure policies and/or advisory locations; we have received the requested information from 9 CNAs, and 10 are outstanding.
- JPCERT: Jonathan Evans
  - CNA Status Updates 6/9/20:
    - Number of new CNAs: 0
    - Number of prospective CNAs we are working with: 2
    - CNA guidance material: The initial translation is complete, and they are now reviewing the slides internally. This is taking longer than anticipated, as the amount of their coordination work has recently increased more than expected. The PR review is complete, and they are now updating the materials; the plan is to finish everything (notes translation-process) by the end of this week.
Root CNA Prospects – Jonathan Evans/Jo Bazar
-
RCNA1 Root update:
-
Jonathan and Jo met with RCNA1on June 10, 2020.
-
The group reviewed the project timeline, updated the completion percentages, and added status updates.
-
The RCNA1 team will join the CNA Onboarding session on June 17th to get an idea of how MITRE conducts CNA onboarding sessions.
-
RCNA1 has a draft of their Dispute/Escalation policy
-
Kent asked if he could get a copy of the draft policy
-
Chris wants to add, as an action item, for us to ask RCNA1 if they are willing to share the current draft document with the SPWG (which will help inform
the SPWG’s draft policy and also allow SPWG to provide feedback to RCNA1 on their draft policy)
-
RCNA1 will officially announce to the community by the end of June, that RCNA1 Root is coming soon. Will be fully functional by September 30, 2020.
-
Jay asked if MITRE is getting enough material to be useful in terms of creating documentation and processes for onboarding future Root CNAs
-
Chris replied: Once RCNA1 goes operational as a Root, we will learn things. As of right now, yes—RCNA1 is providing us with what we need. We will want
to have some post on-boarding sessions with them once they are active to take note of lessons learned that can be added to the guidance materials.
-
Dave suggested we should schedule some time shortly after the standup to have a kind of post-mortem discussion on this
-
Chris L said we need to have timely post-mortem type discussion for the first several Root CNAs that we onboard
-
Kent added that we need to build some process documentation (“how to guide”) on how to stand up a resourced CNA as a Root
-
Chris would like to get to the point where we can provide approximate costs, depending on the scope (time, money, etc.)
-
Dave added we need to learn where resources are being spent in the process, which may help us understand how to reduce those costs.
Other Discussion Items

- CVE Board Resignation – Andy Balinsky (Emeritus Status Recommended)
  - Andy Balinsky would like to resign; should we list him with Emeritus status? Kent said he is one of the originals and that he should be listed as Emeritus. Shannon asked what the rights and responsibilities are for Emeritus (i.e., can they vote)? Kent: It is in the charter. Emeritus status means they were formerly active on the Board; they must have made significant contributions to CVE and may from time to time be called upon to consult. Chris: Not sure if he even wants to be Emeritus. Dave: What were his significant contributions? Kent: He was very active in the early days. He has written a document or two to support the cloud. Chris: He was a big proponent of the increased tempo of Board meetings and of program federation. Chris C: Does Emeritus status require that person to do anything going forward? No, it does not involve any action on his part. Kent: It is a show of respect for someone who has contributed to the program for many years. Calling for a voice vote. No dissenters on the call. All agreed.
  - The group agreed that Andy will resign from the CVE Board and be re-listed with Emeritus status. MITRE will reach out to inform Andy and ask if he still wants to be on the Board mailing list. If he wants to be removed now, he can be re-added at any point going forward; he just has to notify MITRE.
- Publishing RBP Metrics
  - Chris advocated that the CVE Program should broadcast RBP metrics to the general public as a program health metric, in a way that does not reveal who has those RBPs. Ideally, that would spur the community to action to help us identify those RBPs. He tried to generate a conversation about this on the mailing list but has not received any feedback.
  - Chris wants to do this; it allows transparency. (Jonathan is concerned it may stimulate too much immediate help from the community before we are prepared to deal with it.) Chris does not share that concern.
  - Dave: There are ways you could effectively deal with that problem by queuing them into a backlog and dealing with them later; I think we should move cautiously forward and deal with the outcomes as we see them. I do not suspect we will get a flood of requests.
  - Shannon: Because it’s a moving target, I think we should establish what constitutes a baseline of normalcy without throwing it all out there.
  - Kent disagrees; he thinks we should put it all out there.
  - Dave agrees with Kent but can understand Shannon’s viewpoint. RBPs are going to go up over time as the number of CVEs goes up over time. Instead of graphing the total number of RBPs, graph the total number of RBPs relative to the number of allocated CVEs. We need to show the number as a ratio.
  - Chris: Right now, we are not talking about doing something hourly or daily (it will be a much broader timeframe), but we are moving towards real-time public-facing metrics. So RBPs will become more real-time metrics than they are now. The new services should allow for a reduction (not elimination) of RBPs.
  - Dave wants to show the progress and be able to tell the story of the recent vast reduction in RBPs.
  - How should this information be presented? We are making tremendous progress if you chart assignments vs. RBPs over time. Do we agree that RBPs should be broadcast to the general public in a non-CNA-specific way? (No objections) YES.
  - Next step: We must figure out the process and make a recommendation on what the reporting timeframe is, how often we refresh the metrics, and what the process is for the community to report RBPs to us. Maybe this needs to be done through the SPWG to the Board. We need to think all this through.
- Sponsor Liaison Board position
  - When we were conducting our last Board member vote, this idea was generated, and we agreed at the time that this would be a post-Board-member-vote discussion. Do we want to move forward with a sponsor liaison position or not?
  - Kent: I do not see the value. I think it sends the wrong message to the world. We are trying to remove the U.S.-specific aspects from the literature and focus on the fact that this is a global effort. Having a sponsor liaison Board position spotlights DHS and sends the wrong message from a PR perspective. In every case, the sponsors have been added to the Board because of their quality and their individual capabilities.
  - Shannon: I agree with Kent; it would be over-representation of an entity.
  - Katie: Thinks it is disingenuous to try and hide the fact that DHS sponsors the program. The liaison position allows for flexibility. If someone comes in to replace Jay, they should not have to go through the entire process again. They do not have to be a voting member.
  - Shannon: Yes, I would entertain that if they were a non-voting member.
  - Chris: Think about a future where there is maybe more than just one sponsor; if we think about that future, that bodes well for a sponsor liaison position because it is anyone bringing cash to the program. If it is a non-voting position, they get to be heard by their Board colleagues but not have any undue influence.
  - Jay: I think the only part of this conversation that brings me any real pause is the discussion of voting vs. non-voting. CISA will ask why they are working on a program that will not allow them to vote.
  - Tom disagrees and thinks a non-voting member makes sense.
  - Dave: Prefers always having a direct conversation with DHS rather than working through a conduit (MITRE). That is the value of having this liaison position.
  - Kent: There is not a need for this position today.
  - Jay: Suggests that we table this topic until a time when CISA is no longer the sole sponsor.
  - Katie: When we nominated Jay to the Board, I brought up the concern that Jay is in that position now, but what happens when he leaves and is in a different position? We are not planning for something that is never going to happen; CISA re-organizes every two years.
  - Chris: We agreed that our first discussion on this needed to be post-Jay. Jay should have confidence that he was brought on as an individual Board member.
  - Shannon: To grow globally and to round out as an international body, we cannot and should not hide a DHS presence, but we need to give the impression of DHS neutrality. She wants new, globally located CNAs to have that comfort.
  - Dave: We need to assuage concerns with transparency; one way we are transparent is that the minutes of the Board are public documents. We share the recordings too. These conversations are all public. The conversations the sponsor has with MITRE are NOT public conversations. To some degree, by having the sponsor participate in the Board, we are providing a better avenue of transparency than by other means.
  - No consensus.
  - Next steps: Kent proposes that Dave or Katie write up the value and limits and we can discuss this on a future call (with boundaries).
Action Items from Board Meeting held on 10 June 2020

# | Action Item | Responsible Party | Status | Comments
6.10.01 | Contact RCNA1 to see if they are comfortable sharing their draft Dispute/Escalation policy with the SPWG (and receiving feedback). | Jo Bazar (MITRE) | Not Started | Assigned on 6/10/2020.
6.10.02 | Contact Andy Balinsky to let him know that the Board would like to grant him Emeritus status (and explain what that means). | Chris L/Jo Bazar (MITRE) | Completed | Email sent to Andy on 6/11/20.
6.10.03 | Draft parameters regarding the sponsor liaison position and present to the Board by the August 19 Board call. | Dave W/Katie N | Not Started | Assigned on 6/10/2020.
6.10.04 | Write up post-mortem notes for the DWF discussion. | Katie N. | In process | Assigned on 6/10/2020.
6.10.05 | Proposed CNA Rules changes v3.1: go through, mark necessary changes, further discuss with Board and CNACWG. Link: https://partners.mitre.org/sites/CVE_CNA/Shared%20Documents/1.%20CNA%20Rules | All | In process | Assigned on 6/10/2020.
6.10.06 | After the RCNA1 Root CNA is stood up, schedule a post-mortem that includes developing process documentation (i.e., a “how-to guide”). | TBD | Not Started | Assigned on 6/10/2020.
Open Discussion: None

Next CVE Board Meeting: Wednesday, June 24, 2020 at 2:00 PM EDT