Chris Coffin, The MITRE Corporation (MITRE At-Large)
Patrick Emsweller, Cisco Systems, Inc.
Kent Landfield, McAfee
Scott Moore, IBM
Kathleen Noble, Intel Corporation
Shannon Sabens, Trend Micro/Zero Day Initiative (ZDI)
Takayuki Uchiyama, Panasonic Corporation
David Waltermire, National Institute of Standards and Technology (NIST)
Ken Williams, Broadcom Inc.
Members of MITRE CVE Team in Attendance
2:15 – 3:00: Working Groups
3:00 – 3:30: Root CNA Update
3:50 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up
§ Shannon said that the group is spread out and doing too many things; it needs to focus on its prime directive, which is outreach to potential CNAs (and reaching out more broadly into the community). In short, the podcast we want to do has run into logistical challenges and will not be ready for tomorrow. Shannon will meet with Tod and Jo next week to reschedule. She will update the Board again after they meet.
§ Jay Gazlay told the group that at the end of July CISA is onboarding someone whose job is going to be solely to recruit CNAs.
§ The next OCWG meeting is June 12, 2020.
§ No update
§ The next CNACWG meetings are June 17 & 18, 2020. The US and Euro meetings will be held on June 17 and the Japan meeting will be held on June 18.
§ Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
§ Talking through tagging: the WG has come to a consensus on the set of tags we would like to support initially at the container level, namely the EOL (at time of assignment) tag and the exclusively hosted service tag. We are starting to talk about the disputed tag, although we have not come to a consensus on that. We have also come to consensus on the list of reference tags (which are basically characterizations of the type of reference the CVE data format uses). We have added a few, based on reference types that NVD uses, and have changed the names of a couple; the final list is out on the SharePoint site. We have started conversations with the AWG regarding how to get that deployed in the format, which we talked about yesterday. It looks like we are going to enumerate those tag values in the format. That is work we are coordinating with Joe Whitmore to get addressed in the format. Continuing on tagging, two areas of focus are how to provide for extensibility in the tagging process (so if a CNA wants to use an experimental tag, how would they go about doing that?) and how to formalize the process by which we will vet, review, and approve new tags, both the reference type tags and the container-based tags. We are brainstorming right now about how much review is needed, which WGs need to provide feedback, whether the Board needs to approve, etc. We are hoping to have that conversation tomorrow.
§ The next QWG meeting is June 11, 2020.
§ Overall, it is steady as she goes. Since the last Board meeting, we have continued to have conversations about minimum requirements for the rollout of the AWG services; in particular, we have gone through the Entry Submission and Upload Service (ESUS). We are in the process of turning to the user registry discussion. My expectation is that once we move through that one, we should be done identifying the minimum viable product (MVP) services. Simultaneously, we have been having meetings about the new website, what content should go in, and how it should be organized. There is some crossover work between the AWG and QWG pertaining to the tags. This conversation is occurring early enough that I am not anticipating any issues incorporating it into the JSON 5.0 schema for the initial rollout. We are finishing up the sprint on the AWG services; we asked Kent to carve out time in the SPWG so we can discuss that on Monday.
§ Dave: Brought up on the last AWG call that they want to create a registry of current tags with definitions, so they have started brainstorming on that. We need to determine how to operationalize that. We also need to think about providing guidelines for how the tags should be used (e.g., the EOL tag could point to an EOL document).
§ Chris: Thanks to everyone who has participated in the MVP discussions and website discussions (card sorting). That will make Phase 1 services more effective and will make the website better.
§ User registry MVP discussions: we still have two meetings to go. It is important to have these discussions so that we ensure the services do what they have to do in Phase 1. The meetings go into what we want the end state to look like, and we pare back from there.
§ The next AWG meetings are June 16 and 23, 2020.
§ We are in the final throes of the EOL process document and will soon be bringing that to the Board for vote. CNAs were given two weeks to comment; we have had discussions, but no comments that would affect the document. The document was sent to the tech editor (Christine) on June 8; we hope to get that tech edited by Monday’s meeting. There has been good participation on the SPWG which is appreciated. Next step is to present the EOL document (after tech editing and adjudication) to the Board for a vote.
§ At the next SPWG meeting, we will hold a voice vote on the SPWG charter. We are also having a discussion with the AWG concerning their sprint planning for the last sprint before they stand up the production services, and some User Registry requirement questions. We do not want to stand in the way of their progress.
§ We are currently developing an official Terms and Definitions document, which will be useful during the development of the website and for standardizing terms across documents. We had a good discussion; it is something we need as a program so that we are all speaking the same language. Hopefully, the Terms and Definitions document will be done by the end of July.
§ I am trying to get a workshop going around creative ways to deal with Open Source (OS) and OS-related issues. This automation workshop that involves fuzzing and other automated approaches to CVE is under development (planning has begun).
§ Chris L: When we get to the point where we are doing the automated workshop, does anybody object with my inviting the CWE group to that? There might be some value to the CWE side of things. May change depending on the agenda. (Nobody voiced an objection)
§ There is one more short-term vote: the exceptions vote (regarding Chris Coffin's participation).
§ The next SPWG meetings are June 15 and 22, 2020.
§ Received two CNA requests since the last CVE Board meeting (held on 5/27/20).
§ Zero onboarding sessions since the last CVE Board meeting.
§ Three CNA onboarding sessions scheduled in June.
§ One CNA announcement since the last CVE Board meeting: Xiaomi
§ There are now 128 CNAs participating in the program in 21 countries.
§ 105 total in the CNA pipeline: 15 in Q3'19; 16 in Q4'19; 23 in Q1'20 and 20 in Q2'20
– CNAs missing disclosure policies and/or advisory locations (as required based on CNA rules 3.0)
§ We have emailed the CNAs that are missing disclosure policies and/or advisory locations. We have emailed 19 CNAs and have received the requested information from 9 CNAs; 10 are outstanding.
§ JPCERT - Jonathan Evans
– CNA Status Updates 6/9/20:
– Next step: We must figure out the process, make a recommendation on what the reporting timeframe is, how often we refresh the metrics, and what the process is for the community to report RBPs to us. Maybe this needs to be done through the SPWG to the Board. We need to think all this through.
Wednesday, June 24, 2020 at 2:00PM EDT
Attachment: CVE_Board_Meeting_10 June 2020 FINALv1.pdf (596K)