CVE Board Meeting summary - 10 June 2020


Jo E Bazar

CVE Board Meeting – 10 June 2020

Members of CVE Board in Attendance

Chris Coffin, The MITRE Corporation (MITRE At-Large)

Patrick Emsweller, Cisco Systems, Inc.

Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)

Kent Landfield, McAfee

Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)

Scott Moore, IBM

Kathleen Noble, Intel Corporation

Shannon Sabens, Trend Micro/Zero Day Initiative (ZDI)

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance

Christine Deal

Jonathan Evans

Chris Levendis

Lew Loren

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 3:00: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Jonathan Evans/Dave Waltermire
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield

 

3:00 – 3:30: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans
  • Root CNA Prospects: Jonathan Evans/Jo Bazar

 

3:30 – 3:50: Other discussion items

  • CVE Board Resignation – Andy Balinsky
  • Publishing RBP (Reserved-but-Public) Metrics
    • The next time we discuss this topic, we have two questions:
      1. Should we do it?
      2. When/how should we do it?
  • Sponsor Liaison Board position
  • CNA Response Timeframes – Tod Beardsley

3:50 – 3:55: Open Discussion

3:55 – 4:00: Action items, wrap-up

Review of Action Items from Board Meeting held on 27 May 2020


# / Action Item / Responsible Party / Status / Comments

02.19.01 – Identify the industries for active and pipeline CNAs to get a complete picture of the CNA profile.
  Responsible Party: OCWG
  Status: Completed
  Comments:
    5/27 Update: The group reviewed the active and pipeline CNAs and has begun to assign industries.
    6/10 Update: The group finished assigning industries to current and pipeline CNAs; moving forward, MITRE will document the industry when a CNA joins the CNA program.

02.19.04 – Develop a strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.).
  Responsible Party: SPWG
  Status: Not started
  Comments: Assigned 2/19/2020.

4.1.04 – Develop a non-responsiveness policy to address CNA1, which continues to be unresponsive.
  Responsible Party: Jo Bazar (MITRE)
  Status: Pending
  Comments: 5/13 Update: Pending feedback from CNACWG. CNACWG will provide a recommended response time for CNAs to respond to MITRE requests.

4.1.07 – Formalize Council of Roots responsibilities in anticipation of new Roots joining the program.
  Responsible Party: SPWG
  Status: In progress
  Comments: Assigned on 4/1/2020.

4.29.02 – Update the CVE Board charter to address exception issues regarding CVE Board member voting.
  Responsible Party: Kent L.
  Status: Completed
  Comments: 6/10 Update: CVE Board Charter 3.2 approved on June 2, 2020.

5.13.02 – Take the lead on developing a proposal for the approach to an automated vulnerability identification workshop, including an initial target participant list, and report back at the next CVE Board meeting on May 27, 2020.
  Responsible Party: Kent L.
  Status: In progress
  Comments: 6/10 Update: Recommend shifting the report-back date to June 24, 2020.

5.27.01 – Provide an updated list of vendors who have requested CVE IDs but are not CNAs to the OCWG.
  Responsible Party: Jonathan E. (MITRE)
  Status: Completed
  Comments: 6/10 Update: Jonathan provided the updates on May 29, 2020.

5.27.02 – Schedule a meeting to discuss the DWF postmortem, lessons learned, and opportunities moving forward.
  Responsible Party: Katie N.
  Status: Completed
  Comments: 6/10/20 Update: Meeting scheduled for June 9, 2020, at 2:00pm EDT. The next step is to write up the post-mortem notes; action item 6.10.04 created.

5.27.03 – Start a list of suggestions for the next CNA Rules update.
  Responsible Party: Jo B. (MITRE)
  Status: Completed
  Comments: 6/10 Update: Email was sent to the CVE Board, including a link to the CNA Rules v3.1 redline document and the list of CNA Rules changes. Next steps: go through it, mark necessary changes, and discuss further with the Board and CNACWG; action item 6.10.05 created.

 

 

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • OCWG meeting held on May 29, 2020
      • Shannon said that the group is spread out and doing too many things; it needs to focus on its prime directive, which is outreach to potential CNAs (and reaching out more broadly into the community). In short, the podcast we want to do has run into logistical challenges and will not be ready for tomorrow. Shannon will meet with Tod and Jo next week to reschedule. She will update the Board again after they meet.
      • Jay Gazlay told the group that at the end of July CISA is onboarding someone whose job will be solely to recruit CNAs.
      • The next OCWG meeting is June 12, 2020.
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • CNACWG meeting held on June 3
      • No update.
      • The next CNACWG meetings are June 17 & 18, 2020. The US and Euro meetings will be held on June 17 and the Japan meeting will be held on June 18.
  • Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
    • QWG meeting held on May 28, 2020
      • We have been talking through tagging and have come to a consensus in the WG on the set of tags we would like to support initially at the container level: the EOL (at time of assignment) tag and the exclusively hosted service tag. We are starting to talk about the disputed tag, although we have not come to a consensus on that. We have also come to consensus on the list of reference tags (which are basically characterizations of which type of reference the CVE data format uses). We have added a few, based on reference types that NVD uses, and changed the names of a couple; the final list is out on the SharePoint site. We have started conversations with the AWG regarding how to get that deployed in the format; we talked about that yesterday. It looks like we are going to enumerate those tag values in the format. That is work we are coordinating with Joe Whitmore to get addressed in the format.
      • Continuing on tagging, two areas of focus are how we provide for extensibility in the tagging process (so if a CNA wants to use an experimental tag, how would they go about doing that?), and formalizing the process by which we will vet, review, and approve new tags, both for the reference type tags and the container-based tags. We are brainstorming right now about how much review we need, which WGs need to provide feedback, whether the Board needs to approve, etc. We are hoping to have that conversation tomorrow.
      • The next QWG meeting is June 11, 2020.
  • Automation Working Group (AWG): Lew Loren
    • AWG meetings held on June 2 and 9, 2020
      • Overall, it is steady as she goes. Since the last Board meeting, we have continued to have conversations about minimum requirements for the rollout of the AWG services; in particular, we have gone through the Entry Submission and Upload (ESUS) service. We are in the process of turning to the user registry discussion. My expectation is that once we move through that one, we should be done identifying the minimum viable product (MVP) services. Simultaneously, we have been having meetings about the new website, what content should go in, and how it should be organized. There is some crossover work between the AWG and QWG pertaining to the tags. This conversation is occurring early enough that I am not anticipating any issues incorporating it into the JSON 5.0 schema for the initial rollout. We are finishing up the sprint on the AWG services; we asked Kent to carve out time in the SPWG so we can discuss that on Monday.
      • Dave: Brought up on the last AWG call that they want to create a registry of current tags with definitions, so they have started brainstorming on that. We need to determine how to operationalize that. We also need to think about providing guidelines for how the tags should be used (e.g., the EOL tag could point to an EOL document).
      • Chris: Thanks to everyone who has participated in the MVP discussions and website discussions (card sorting). That will make the Phase 1 services more effective and will make the website better.
      • User registry MVP discussions still have two meetings to go; it is important to have these discussions so that we ensure the services do what they have to do in Phase 1. The meetings go into what we want the end state to look like, and we pare back from there.
      • The next AWG meetings are June 16 and 23, 2020.
  • Strategic Planning Working Group (SPWG): Kent Landfield
    • SPWG meetings held June 1 and 8, 2020
      • We are in the final throes of the EOL process document and will soon be bringing it to the Board for a vote. CNAs were given two weeks to comment; we have had discussions, but no comments that would affect the document. The document was sent to the tech editor (Christine) on June 8; we hope to have it tech edited by Monday’s meeting. There has been good participation on the SPWG, which is appreciated. The next step is to present the EOL document (after tech editing and adjudication) to the Board for a vote.
      • At the next SPWG meeting, we will hold a voice vote on the SPWG charter. We are also having a discussion with the AWG concerning their sprint planning for the last sprint before they stand up the production services, and some User Registry requirement questions. We do not want to stand in the way of their progress.
      • We are currently developing an official Terms and Definitions document, which will be useful during the development of the website and for standardizing terms across documents. We had a good discussion; it is something we need as a program so that we are all speaking the same language. Hopefully, the Terms and Definitions document will be done by the end of July.
      • I am trying to get a workshop going around creative ways to deal with Open Source (OS) and OS-related issues. This automation workshop, which involves fuzzing and other automated approaches to CVE, is under development (planning has begun).
      • Chris L: When we get to the point where we are doing the automated workshop, does anybody object to my inviting the CWE group to that? There might be some value for the CWE side of things. This may change depending on the agenda. (Nobody voiced an objection.)
      • There is one more vote in the short term: the exceptions vote (regarding Chris Coffin’s participation).
      • The next SPWG meetings are June 15 and 22, 2020.

CNA Updates

  • MITRE – Jo Bazar
    • Requests to become a CNA
      • Received two CNA requests since the last CVE Board meeting (held on 5/27/20).
    • On-Boarding
      • Zero onboarding sessions since the last CVE Board meeting.
      • Three CNA onboarding sessions scheduled in June.
    • CNA Announcements and News
      • One CNA announcement since the last CVE Board meeting: Xiaomi.
      • There are now 128 CNAs participating in the program in 21 countries.
      • 105 CNAs in total in the CNA pipeline: 15 from Q3 ’19, 16 from Q4 ’19, 23 from Q1 ’20 and 20 from Q2 ’20.
      • No pending CNA announcements.
    • CNAs missing disclosure policies and/or advisory locations (as required by CNA Rules 3.0)
      • We have emailed the 19 CNAs that are missing disclosure policies and/or advisory locations; we have received the requested information from 9 CNAs, and 10 are outstanding.
  • JPCERT – Jonathan Evans
    • CNA status updates as of 6/9/20:
      • Number of new CNAs: 0
      • Number of prospective CNAs we are working with: 2
      • CNA guidance material: The initial translation is complete, and they are now reviewing the slides internally. This is taking longer than anticipated, as the amount of their coordination work has recently increased more than expected. The PR review is complete, and they are now updating the materials; the plan is to finish everything (notes translation-process) by the end of this week.
  • Root CNA Prospects – Jonathan Evans/Jo Bazar
    • RCNA1 Root update:
      • Jonathan and Jo met with RCNA1 on June 10, 2020.
      • The group reviewed the project timeline, updated the completion percentages, and added status updates.
      • The RCNA1 team will join the CNA onboarding session on June 17 to get an idea of how MITRE conducts CNA onboarding sessions.
      • RCNA1 has a draft of their Dispute/Escalation policy.
        • Kent asked if he could get a copy of the draft policy.
        • Chris wants to add, as an action item, that we ask RCNA1 if they are willing to share the current draft document with the SPWG (which will help inform the SPWG’s draft policy and also allow the SPWG to provide feedback to RCNA1 on their draft policy).
      • RCNA1 will officially announce to the community by the end of June that the RCNA1 Root is coming soon. It will be fully functional by September 30, 2020.
    • Jay asked if MITRE is getting enough material to be useful in terms of creating documentation and processes for onboarding future Root CNAs.
      • Chris replied: Once RCNA1 goes operational as a Root, we will learn things. As of right now, yes, RCNA1 is providing us with what we need. We will want to have some post-onboarding sessions with them once they are active to take note of lessons learned that can be added to the guidance materials.
    • Dave suggested we should schedule some time shortly after the stand-up to have a kind of post-mortem discussion on this.
    • Chris L said we need to have timely post-mortem-type discussions for the first several Root CNAs that we onboard.
    • Kent added that we need to build some process documentation (a “how-to guide”) on how to stand up a resourced CNA as a Root.
    • Chris would like to get to the point where we can provide approximate costs, depending on the scope (time, money, etc.).
    • Dave added that we need to learn where resources are being spent in the process, which may help us understand how to reduce those costs.


Other Discussion Items

  • CVE Board Resignation – Andy Balinsky (Emeritus Status Recommended)
    • Andy Balinsky would like to resign; should we list him with Emeritus status?
      • Kent: He is one of the originals; I think he should be listed as Emeritus.
      • Shannon asked what the rights and responsibilities of Emeritus status are (i.e., can they vote?).
      • Kent: It is in the charter. Emeritus status means they were formerly active on the Board; they must have made significant contributions to CVE and may from time to time be called upon to consult.
      • Chris: Not sure if he even wants to be Emeritus.
      • Dave: What were his significant contributions?
      • Kent: He was very active in the early days. He has written a document or two to support the cloud.
      • Chris: He was a big proponent of the increased tempo of Board meetings and of program federation.
      • Chris C: Does Emeritus status require that person to do anything going forward? No, it does not involve any action on his part.
      • Kent: It is a show of respect for someone who has contributed to the program for many years. Calling for a voice vote.
      • No dissenters on the call; all agreed.
    • The group agreed that Andy will resign from the CVE Board and be re-listed with Emeritus status. MITRE will reach out to inform Andy and ask whether he still wants to be on the Board mailing list. If he wants to be removed now, he can be re-added at any point going forward; he just has to notify MITRE.
  • Publishing RBP Metrics
    • Chris advocated that the CVE Program should broadcast RBP metrics to the general public, as a program health metric, in a way that does not reveal which CNAs have those RBPs. Ideally, that would spur the community to action to help us identify those RBPs. He tried to generate a conversation about this on the mailing list but has not received any feedback.
    • Chris wants to do this; it allows transparency. (Jonathan is concerned it may stimulate too much immediate help from the community before we are prepared to deal with it. Chris does not share that concern.)
    • Dave: There are ways you could effectively deal with that problem by queuing them into a backlog and dealing with them later; I think we should move cautiously forward and deal with the outcomes as we see them. I do not suspect we will get a flood of requests.
    • Shannon: Because it’s a moving target, I think we should establish what constitutes a baseline of normalcy without throwing it all out there.
    • Kent disagrees; he thinks we should put it all out there.
    • Dave agrees with Kent but can understand Shannon’s viewpoint. RBPs are going to go up over time as the number of CVEs goes up over time. Instead of graphing the total number of RBPs, graph the total number of RBPs relative to the number of allocated CVEs. We need to show the number as a ratio.
    • Chris: Right now, we are not talking about doing something hourly or daily (it will be a much broader timeframe), but we are moving towards real-time public-facing metrics, so RBPs will become more real-time metrics than they are now. The new services should allow for a reduction (not elimination) of RBPs.
    • Dave wants to show the progress and be able to tell the story of the recent vast reduction in RBPs.
    • How should this information be presented? We are making tremendous progress if you chart assignments vs. RBPs over time. Do we agree that RBPs should be broadcast to the general public in a non-CNA-specific way? (No objections.) YES.
    • Next step: We must figure out the process, make a recommendation on what the reporting timeframe is, how often we refresh the metrics, and what the process is for the community to report RBPs to us. Maybe this needs to be done through the SPWG to the Board. We need to think all this through.
  • Sponsor Liaison Board position
    • When we were conducting our last Board member vote, this idea was generated, and we agreed at the time that this would be a post-Board-member-vote discussion. Do we want to move forward with a sponsor liaison position or not?
    • Kent: I do not see the value. I think it sends the wrong message to the world. We are trying to remove the U.S.-specific aspects from the literature and focus on the fact that this is a global effort. Having a sponsor liaison Board position spotlights DHS and sends the wrong message from a PR perspective. In every case, the sponsors have been added to the Board because of their quality and their individual capabilities.
    • Shannon: I agree with Kent; it would be over-representation of an entity.
    • Katie: Thinks it is disingenuous to try to hide the fact that DHS sponsors the program. The liaison position allows for flexibility. If someone comes in to replace Jay, they should not have to go through the entire process again. They do not have to be a voting member.
    • Shannon: Yes, I would entertain that if they were a non-voting member.
    • Chris: Think about a future where there is maybe more than just one sponsor; if we think about that future, that bodes well for a sponsor liaison position because it is for anyone bringing cash to the program. If it is a non-voting position, they get to be heard by their Board colleagues but not have any undue influence.
    • Jay: I think the only part of this conversation that gives me any real pause is the discussion of voting vs. non-voting. CISA will ask why they are working on a program that will not allow them to vote.
    • Tom disagrees and thinks a non-voting member makes sense.
    • Dave: Prefers always having a direct conversation with DHS rather than working through a conduit (MITRE). That is the value of having this liaison position.
    • Kent: There is not a need for this position today.
    • Jay: Suggests that we table this topic until a time when CISA is no longer the sole sponsor.
    • Katie: When we nominated Jay to the Board, I brought up the concern that Jay is in that position now, but what happens when he leaves and is in a different position? We are not planning for something that is never going to happen; CISA re-organizes every two years.
    • Chris: We agreed that our first discussion on this needed to be post-Jay. Jay should have confidence that he was brought on as an individual Board member.
    • Shannon: To grow globally and to round out as an international body, we cannot and should not hide a DHS presence, but we need to give the impression of DHS neutrality. She wants new, globally located CNAs to have that comfort.
    • Dave: We need to assuage concerns with transparency; one way we are transparent is with the minutes of the Board being public documents. We share the recordings too. These conversations are all public. The conversations the sponsor has with MITRE are NOT public conversations. To some degree, by having the sponsor participate in the Board, we are providing a better avenue of transparency than by other means.
    • No consensus.
    • Next steps: Kent proposes that Dave or Katie write up the value and limits and we can discuss this on a future call (with boundaries).

Action Items from Board Meeting held on 10 June 2020

# / Action Item / Responsible Party / Status / Comments

6.10.01 – Contact RCNA1 to see if they are comfortable sharing their draft Dispute/Escalation policy with the SPWG (and receiving feedback).
  Responsible Party: Jo Bazar (MITRE)
  Status: Not started
  Comments: Assigned on 6/10/2020.

6.10.02 – Contact Andy Balinsky to let him know that the Board would like to grant him Emeritus status (and explain what that means).
  Responsible Party: Chris L/Jo Bazar (MITRE)
  Status: Completed
  Comments: Email sent to Andy on 6/11/20.

6.10.03 – Draft parameters for the sponsor liaison position and present them to the Board by the August 19 Board call.
  Responsible Party: Dave W/Katie N
  Status: Not started
  Comments: Assigned on 6/10/2020.

6.10.04 – Write up post-mortem notes for the DWF discussion.
  Responsible Party: Katie N.
  Status: In progress
  Comments: Assigned on 6/10/2020.

6.10.05 – Proposed CNA Rules changes v3.1: go through them, mark necessary changes, and discuss further with the Board and CNACWG. Link: https://partners.mitre.org/sites/CVE_CNA/Shared%20Documents/1.%20CNA%20Rules
  Responsible Party: All
  Status: In progress
  Comments: Assigned on 6/10/2020.

6.10.06 – After the RCNA1 Root CNA is stood up, schedule a post-mortem that includes developing process documentation (i.e., a “how-to guide”).
  Responsible Party: TBD
  Status: Not started
  Comments: Assigned on 6/10/2020.


Board Decisions

None

Next CVE Board Meeting 

Wednesday, June 24, 2020 at 2:00PM EDT

 

 


Attachment: CVE_Board_Meeting_10 June 2020 FINALv1.pdf (596K)