CVE Board Meeting – 10 July 2019

Andy Balinsky, Cisco Systems, Inc.

Tod Beardsley, Rapid7

Patrick Emsweller, Cisco Systems, Inc.

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Beverly Alvarez, Lenovo Group Ltd.

Scott Moore, IBM

Lisa Olson, Microsoft

Kurt Seifried, Cloud Security Alliance

Kathleen Trimble, U.S. Department of Homeland Security (DHS)

Ken Williams, Broadcom Inc.

 

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Jonathan Evans

Lew Loren

Joe Sain

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 2:30: Working Groups

• CNA Coordination Working Group (CNACWG): Tod Beardsley
• Quality Working Group (QWG): Chris Coffin
• Automation Working Group (AWG): Lew Loren
• Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin

 

2:30 – 2:45: Root CNA Update

• MITRE: Jonathan Evans
• JPCERT: Jonathan Evans/Chris Coffin

 

2:45 – 3:15: Walk Thru Future Discussion items

3:15 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up

#	Action Item	Responsible Party	Status	Comments
1.23.1	Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).	MITRE (Evans/Sain)	In Process	MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below: How to submit entries to MITRE using the web form  CVE ID assignment rule (Counting)  Becoming a CNA CVE Program (includes Root structure) How to request the MITRE CNA populate a CVE entry   4/3 Update: Jonathan has started assigning some of the individual modules to members of the CNA coordination team and content team. In addition, the CCWG is also reviewing and updating the existing online guidance. 6/12 Update: In process. Some of the draft scripts completed for the online individual modules and the existing online guidance are also being reviewed and updated.
2.6.9	Organize an event at Blackhat USA (August 2019) to celebrate 20 years of CVE.	MITRE (Joe S./Levendis)	Completed	6/12 Update: Contract is signed with Blackhat; waiting on confirmation of event date 8/7 or 8/8 before we can proceed with approvals. Once approved by BH, we can move forward with the event planning with Excalibur. The group agreed and the majority voted for August 7th. 6/13 Update: Approval form sent to BAH, pending approval. 6/26 Update: Approval received from BAH; space is available at the Excalibur. Excalibur is drafting up the contract.  7/10: Contract signed on July 3, 2019.
4.17.3	Break out future discussion items in the following categories: Ongoing, Future, and OBE. Report back to CVE Board and add for future discussions items.	MITRE (CVE Team)	In Process	6/26 Update: Discussed in the 6/24 SPWG call and decided to ask the Board to walk through the items in the CVE Board meeting on July 10. 7/10 Update: Agenda item set for today to start discussion
4.17.5	Research solution for storing, archiving, and central repository for CVE Board and WG meeting minutes, as well as tracking action items.	MITRE (CVE Team)	In Process	6/12 Update: CNA SharePoint site is up (MITRE partners account is required), Handshake account is used for current meeting recordings and we are moving the archive of recordings to Amazon glacier for cold storage.
4.17.7	Follow up with Kurt S. about the survey results; obtain for future use in QWG.	MITRE (Chris C.)	Completed	6/26 Update: Google docs report has been available since 5/14 and it has an image of the survey results. Sent an email to Kurt to get those results in a more accessible format. 6/27 Update: Kurt passed along the survey results in Excel format to the Cloud WG list
5.1.02	Send Cloud survey to CNA List so they can provide input.	Kurt S.	Completed	5/15 Update: Waiting on survey to close on item 4.17.1.
5.15.1	Create the invitation list for CVE celebration	ALL	Completed	6/26 Update:  The group started the draft list of invitees; list includes past/present CVE Board members and contributors. Send draft list to CVE Board for review/comment. 7/10: Draft list created, gathering email address and sending invites.
6.12.1	Send short names for CNA to review and provide input to CVE Board.	CNA Coordinators	Completed	6/26 Update: List sent to CVE Board for review June 26, 2019. 7/10: Next step, send to CNA list for their review and approval, action item 7.10.01.
6.12.2	Finalize “Trifold” or “Flyer” before CVE 20-year Milestone event in Las Vegas, on August 7th.	CVE Board (select) /MITRE	In Process	6.12 Update: Draft flyer sent to Beverly M., Kent L., Tod B., Shannon S., Andrea T. and Taki U. for review and feedback with a due date of June 28, 2019.
6.12.3	Develop Objectives/Goals for CVE Outreach and Communications WG, send to CVE Board for review and feedback. Next step is to send to CNA List for OCWG volunteers and participation.	MITRE (Jo Bazar)	In Process	6.26 Update: Draft sent to CVE Private Board for review and feedback; due to Jo Bazar by July 9, 2019. 7/10: Next step is to send to CNA List for OCWG volunteers and participation, NLT that COB 7/11/2019.
6.26.1	Send invite (Eventbrite) to CNA list, CVE Board members and other invitees for BlackHat 20-year event on August 7, 2019.	MITRE	In Process	7/10: Invites will be sent in 3 phases. Round 1: Invites sent on 7/3 with RSVP by 7/12 to current Board, current and former MITRE CVE team members, former Board members.   Round 2: Invites to be sent on 7/16 with RSVP by 7/23 to current CNAs (limit 2 per organization), current WG Members (if not part of Board or working groups).   Round 3 (TENTATIVE): Invites to be sent on 7/26 with RSVP by 7/31 to candidate CNAs
6.26.2	Update Charter to reflect new interview process of board nominations and that CVE Board member can send nominations directly to the private board list.	MITRE (Chris C.)	Not Started	Assigned 6/26/2019
6.26.3	Update Charter to reflect new Board nomination interview process. When a new Board member is nominated, a 30-minute interview is conducted during the next Board call.	MITRE (Chris C.)	Not Started	Assigned 6/26/2019

 

• CNA Coordination Working Group (CNACWG): Tod Beardsley/Chris Coffin
• The CNACWG met on Wednesday, July 3, 2019. The group discussed how to get open source projects more involved in the CVE program. EOL continues be discussed, the CNACWG group members are split 50/50 on whether EOL CVEs should be supported. Next step is to bring recommendation to the SPWG.
• A follow-up CNACWG is scheduled to accommodate Asia-based CNAs, on July 17, 2019 at 8:00pm EST, 9:00am (Japan). This is the first meeting scheduled for this time zone.   
• Quality Working Group (QWG): Dave Waltermire/Chris Coffin
• The QWG met on Thursday, June 27, 2019. The group introduced the defining parameters regarding responsiveness (CNA to CNA, or requester to CNA). This conversation led to the CVE user registry and how that can be used to store contact information. 
• Dave and Chris met to discuss ongoing issues, CNA rules revisions, and creation of one-page write-ups on the recent QWG topics.
• Next meeting is scheduled for July 15, 2019 and will feature the interview with Art Manion and Madison Quinn Oliver from CERT/CC.
• A meeting is scheduled on July 25, 2019 with Alex Gaynor to discuss assigning CVE IDs to OSS-Fuzz results. See https://www.openwall.com/lists/oss-security/2019/06/15/2.
• Automation Working Group (AWG) – Lew Loren 
• The AWG met on Monday, July 8, 2019. Progress continues with the three existing services: CVE ID Allocation, CVE User Registry, and Credentialing, Authentication, and Authorization Services (CA&A). 
• The AWG will stand up a publicly available Work Board to post requirements and pull-down task descriptions to encourage others to contribute to the development of services. A preliminary version of the work board should be available in the next couple of weeks.
• CVE User Registry and CA&A are on hold. The CVE Operations team is investigating the use of AWS Managed Services (AMS) to manage the CVE AWS environment, and it possible that the CA&A functionality could be covered by AMS..  
• Reminder: All code is available on GitHub. A Docker container containing the three services in an executable form is available to be downloaded and tested.
• Upload Service (replace GitHub): Chandan (Juniper) provided a version of Vulnogram that includes a Creative Common Zero license. Vulnogram is designed to work with the Github API. We are looking at whether we can modify the Vulnogram API calls to point them to a new API for the AWG services. If this works, it gives us a way to replace the GitHub functionality, minimizes the disruption existing CNAs using the GitHub pilot, and enables us to reuse open source software contributed by the community.

§  Strategic Planning (SPWG) – Kent Landfield/Chris Coffin 

0. Met on Monday, July 8, 2019. The Root CNA Roles and Responsibilities document was sent for review and feedback. 

 

• MITRE – Jonathan Evans
• Moving forward with Company1
• Contacted by Company2, lead from the FIRST conference
• JPCERT - Takayuki Uchiyama
•  No Updates

 

Future Discussion Items

• See edits below in blue.

 

• Up and coming conferences and key meetings

#	Action Item	Responsible Party	Status	Comments
7.10.01	Send short names to CNA list for their review and input.	MITRE (Jo Bazar)	Not Started	Assigned July 10, 2019.
7.10.02	Send email to CNA List for OCWG volunteers and participation, NLT that COB 7/11/2019.	MITRE (Jo Bazar)	In Process	Assigned July 10, 2019.

 

• None

1.     Communication 

a.      Outreach OCWG for most of this section (noted otherwise).

                                                  i.     Localization – should start in the QWG for guidance, then to the AWG for implementation.

                                                ii.     Upstream producers –  

1.     CNA Recruitment 

                                              iii.     Downstream users –   

                                               iv.     Related Projects

1.     Vulnerability Description

a.      VDO

b.     CSAF

2.     Severity

a.      CVSS

3.     Product identification and management

a.      SBOM

4. CWE
1. hardware

b.     Metrics – CVE Board

                                                  i.     Community metrics (Public metrics)

                                                ii.     CNA specific metrics 

                                              iii.     Program performance (Report card)

c.      Knowledge capture/transfer - CVE Board

                                                  i.     Record Working Group meetings

1.     Where to store the recordings?

                                                ii.     Issue tracking

                                              iii.     Storage of WG materials – Sharepoint site (CVE CNA site)

2.     Strategy 

a.      Program Structure SPWG

b.     Roles, responsibilities, and requirements SPWG

                                                  i.     Disclosure Policies

                                                ii.     Scope

1.     Non-vendor CNAs

a.      Add new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA

2.     Root CNA shopping

3.     Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product

4. CNA scope to the cooperative sub-CNAs

c.      Coverage – CVE Board

                                                  i.     What’s in, What’s out

                                                ii.     End of life

                                              iii.     Software as a service

                                               iv.     Hardware

1. Define (not a wrench)

                                                v.     Open source software

4. Goals - CVE Board
2. Operations
1. Guidance

                                                  i.     Operationalizing Root CNAs - SPWG

1. What is MITRE’s role
2. How to best operationalize Root CNAs

                                                ii.     For new CNAs - CNACWG

1. What is needed?
2. What are the best formats?
3. How to minimize one-on-one guidance

                                              iii.     How to supply refreshers CVE Board/CNACWG

2. CNA Management - CNACWG

                                                  i.     CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?

                                                ii.     Requirement

1. Responsiveness
2. Time to populate
3. RBP start time

                                              iii.     Scope statement best practices

                                               iv.     Rules Violations

1. Assignment correction processes (e.g. reject, split, merge) should account for violations
2. Assignments – CVE Board

                                                  i.     Prevent duplicates

1. How can CNA scopes help?
3. Submissions QWG and CVE Board, AWG handle format implementation

                                                  i.     Formats

                                                ii.     Information requirements

1. Add impact
2. Add publication data
3. Add vulnerability type

4.     Split problem type in to vuln. type, root cause, or impact

5.     Don’t require references

                                              iii.     Should the description match the separate metadata fields

4.     CVE List - QWG

a.      Formats (all different formats) – CVE Board

                                                  i.     How can the download formats be updated or retired?

b.     CVE Tagging

                                                  i.     Helps filtering

                                                ii.     How to identify the categories we need

                                              iii.     Should the tagging be attached to the product or the vulnerability?

                                               iv.     Could we leverage a product listing the CVE User Registry?

                                                v.     Can it be automated?

                                               vi.     EOL tagging

3. Prose description, do we need it?