CVE Board Meeting – 10 July 2019
Andy Balinsky, Cisco Systems, Inc.
Tod Beardsley, Rapid7
Patrick Emsweller, Cisco Systems, Inc.
Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)
Beverly Alvarez, Lenovo Group Ltd.
Scott Moore, IBM
Lisa Olson, Microsoft
Kurt Seifried, Cloud Security Alliance
Kathleen Trimble, U.S. Department of Homeland Security (DHS)
Ken Williams, Broadcom Inc.
Members of MITRE CVE Team in Attendance
Jo Bazar
Chris Coffin
Jonathan Evans
Lew Loren
Joe Sain
2:00 – 2:15: Introductions, action items from the last meeting
2:15 – 2:30: Working Groups
- CNA Coordination Working Group (CNACWG): Tod Beardsley
- Quality Working Group (QWG): Chris Coffin
- Automation Working Group (AWG): Lew Loren
- Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin
2:30 – 2:45: Root CNA Update
- MITRE: Jonathan Evans
- JPCERT: Jonathan Evans/Chris Coffin
2:45 – 3:15: Walk Thru Future Discussion items
3:15 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up
# | Action Item | Responsible Party | Status | Comments
1.23.1 | Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos). | MITRE (Evans/Sain) | In Process | MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are: (1) How to submit entries to MITRE using the web form; (2) CVE ID assignment rules (Counting); (3) Becoming a CNA; (4) CVE Program (includes Root structure); (5) How to request that the MITRE CNA populate a CVE entry. 4/3 Update: Jonathan has started assigning some of the individual modules to members of the CNA coordination team and content team. In addition, the CCWG is also reviewing and updating the existing online guidance. 6/12 Update: In process. Some of the draft scripts for the online individual modules are completed, and the existing online guidance is also being reviewed and updated.
2.6.9 | Organize an event at Blackhat USA (August 2019) to celebrate 20 years of CVE. | MITRE (Joe S./Levendis) | Completed | 6/12 Update: Contract is signed with Blackhat; waiting on confirmation of event date 8/7 or 8/8 before we can proceed with approvals. Once approved by BH, we can move forward with the event planning with Excalibur. The group agreed and the majority voted for August 7th. 6/13 Update: Approval form sent to BAH, pending approval. 6/26 Update: Approval received from BAH; space is available at the Excalibur. Excalibur is drafting up the contract. 7/10: Contract signed on July 3, 2019.
4.17.3 | Break out future discussion items into the following categories: Ongoing, Future, and OBE. Report back to CVE Board and add to future discussion items. | MITRE (CVE Team) | In Process | 6/26 Update: Discussed in the 6/24 SPWG call and decided to ask the Board to walk through the items in the CVE Board meeting on July 10. 7/10 Update: Agenda item set for today to start discussion.
4.17.5 | Research a solution for storing and archiving CVE Board and WG meeting minutes in a central repository, as well as tracking action items. | MITRE (CVE Team) | In Process | 6/12 Update: CNA SharePoint site is up (MITRE partners account is required). Handshake account is used for current meeting recordings, and we are moving the archive of recordings to Amazon Glacier for cold storage.
4.17.7 | Follow up with Kurt S. about the survey results; obtain for future use in QWG. | MITRE (Chris C.) | Completed | 6/26 Update: Google Docs report has been available since 5/14 and it has an image of the survey results. Sent an email to Kurt to get those results in a more accessible format. 6/27 Update: Kurt passed along the survey results in Excel format to the Cloud WG list.
5.1.02 | Send Cloud survey to CNA List so they can provide input. | Kurt S. | Completed | 5/15 Update: Waiting on survey to close on item 4.17.1.
5.15.1 | Create the invitation list for CVE celebration. | ALL | Completed | 6/26 Update: The group started the draft list of invitees; list includes past/present CVE Board members and contributors. Send draft list to CVE Board for review/comment. 7/10: Draft list created; gathering email addresses and sending invites.
6.12.1 | Send short names for CNAs to review and provide input to CVE Board. | CNA Coordinators | Completed | 6/26 Update: List sent to CVE Board for review June 26, 2019. 7/10: Next step, send to CNA list for their review and approval; action item 7.10.01.
6.12.2 | Finalize “Trifold” or “Flyer” before CVE 20-year Milestone event in Las Vegas, on August 7th. | CVE Board (select)/MITRE | In Process | 6/12 Update: Draft flyer sent to Beverly M., Kent L., Tod B., Shannon S., Andrea T. and Taki U. for review and feedback with a due date of June 28, 2019.
6.12.3 | Develop Objectives/Goals for CVE Outreach and Communications WG; send to CVE Board for review and feedback. Next step is to send to CNA List for OCWG volunteers and participation. | MITRE (Jo Bazar) | In Process | 6/26 Update: Draft sent to CVE Private Board for review and feedback; due to Jo Bazar by July 9, 2019. 7/10: Next step is to send to CNA List for OCWG volunteers and participation, NLT COB 7/11/2019.
6.26.1 | Send invite (Eventbrite) to CNA list, CVE Board members and other invitees for BlackHat 20-year event on August 7, 2019. | MITRE | In Process | 7/10: Invites will be sent in 3 phases. Round 1: Invites sent on 7/3 with RSVP by 7/12 to current Board, current and former MITRE CVE team members, former Board members. Round 2: Invites to be sent on 7/16 with RSVP by 7/23 to current CNAs (limit 2 per organization), current WG Members (if not part of Board or working groups). Round 3 (TENTATIVE): Invites to be sent on 7/26 with RSVP by 7/31 to candidate CNAs.
6.26.2 | Update Charter to reflect new interview process for board nominations and that CVE Board members can send nominations directly to the private board list. | MITRE (Chris C.) | Not Started | Assigned 6/26/2019
6.26.3 | Update Charter to reflect new Board nomination interview process. When a new Board member is nominated, a 30-minute interview is conducted during the next Board call. | MITRE (Chris C.) | Not Started | Assigned 6/26/2019
- CNA Coordination Working Group (CNACWG): Tod Beardsley/Chris Coffin
  - The CNACWG met on Wednesday, July 3, 2019. The group discussed how to get open source projects more involved in the CVE program. EOL continues to be discussed; the CNACWG group members are split 50/50 on whether EOL CVEs should be supported. Next step is to bring a recommendation to the SPWG.
  - A follow-up CNACWG is scheduled to accommodate Asia-based CNAs, on July 17, 2019 at 8:00pm EST, 9:00am (Japan). This is the first meeting scheduled for this time zone.
- Quality Working Group (QWG): Dave Waltermire/Chris Coffin
  - The QWG met on Thursday, June 27, 2019. The group introduced the defining parameters regarding responsiveness (CNA to CNA, or requester to CNA). This conversation led to the CVE user registry and how it can be used to store contact information.
  - Dave and Chris met to discuss ongoing issues, CNA rules revisions, and creation of one-page write-ups on the recent QWG topics.
  - Next meeting is scheduled for July 15, 2019 and will feature the interview with Art Manion and Madison Quinn Oliver from CERT/CC.
  - A meeting is scheduled on July 25, 2019 with Alex Gaynor to discuss assigning CVE IDs to OSS-Fuzz results. See https://www.openwall.com/lists/oss-security/2019/06/15/2.
- Automation Working Group (AWG) – Lew Loren
  - The AWG met on Monday, July 8, 2019. Progress continues with the three existing services: CVE ID Allocation, CVE User Registry, and Credentialing, Authentication, and Authorization Services (CA&A).
  - The AWG will stand up a publicly available Work Board to post requirements and pull-down task descriptions to encourage others to contribute to the development of services. A preliminary version of the work board should be available in the next couple of weeks.
  - CVE User Registry and CA&A are on hold. The CVE Operations team is investigating the use of AWS Managed Services (AMS) to manage the CVE AWS environment, and it is possible that the CA&A functionality could be covered by AMS.
  - Reminder: All code is available on GitHub. A Docker container containing the three services in an executable form is available to be downloaded and tested.
  - Upload Service (replace GitHub): Chandan (Juniper) provided a version of Vulnogram that includes a Creative Commons Zero license. Vulnogram is designed to work with the GitHub API. We are looking at whether we can modify the Vulnogram API calls to point them to a new API for the AWG services. If this works, it gives us a way to replace the GitHub functionality, minimizes the disruption to existing CNAs using the GitHub pilot, and enables us to reuse open source software contributed by the community.
- Strategic Planning (SPWG) – Kent Landfield/Chris Coffin
  - Met on Monday, July 8, 2019. The Root CNA Roles and Responsibilities document was sent for review and feedback.
- MITRE – Jonathan Evans
  - Moving forward with Company1
  - Contacted by Company2, lead from the FIRST conference
- JPCERT – Takayuki Uchiyama
Future Discussion Items
Agenda Items for Upcoming Meetings
- Upcoming conferences and key meetings
Action Items from Board Meeting held on 10 July 2019
# | Action Item | Responsible Party | Status | Comments
7.10.01 | Send short names to CNA list for their review and input. | MITRE (Jo Bazar) | Not Started | Assigned July 10, 2019.
7.10.02 | Send email to CNA List for OCWG volunteers and participation, NLT COB 7/11/2019. | MITRE (Jo Bazar) | In Process | Assigned July 10, 2019.
1. Communication
   a. Outreach – OCWG for most of this section (noted otherwise).
      i. Localization – should start in the QWG for guidance, then go to the AWG for implementation.
      ii. Upstream producers –
         1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
         1. Vulnerability Description
            a. VDO
            b. CSAF
         2. Severity
            a. CVSS
         3. Product identification and management
            a. SBOM
               - CWE
               - hardware
   b. Metrics – CVE Board
      i. Community metrics (Public metrics)
      ii. CNA specific metrics
      iii. Program performance (Report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
         1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – Sharepoint site (CVE CNA site)
2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
         1. Non-vendor CNAs
            a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
         2. Root CNA shopping
         3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
            - CNA scope to the cooperative sub-CNAs
   c. Coverage – CVE Board
      i. What’s in, What’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
         - Define (not a wrench)
      v. Open source software
   - Goals – CVE Board
- Operations
   - Guidance
      i. Operationalizing Root CNAs – SPWG
         - What is MITRE’s role
         - How to best operationalize Root CNAs
      ii. For new CNAs – CNACWG
         - What is needed?
         - What are the best formats?
         - How to minimize one-on-one guidance
      iii. How to supply refreshers – CVE Board/CNACWG
   - CNA Management – CNACWG
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirements
         - Responsiveness
         - Time to populate
         - RBP start time
      iii. Scope statement best practices
      iv. Rules Violations
         - Assignment correction processes (e.g. reject, split, merge) should account for violations
   - Assignments – CVE Board
      i. Prevent duplicates
         - How can CNA scopes help?
   - Submissions – QWG and CVE Board; AWG handles format implementation
      i. Formats
      ii. Information requirements
         - Add impact
         - Add publication data
         - Add vulnerability type
         4. Split problem type into vuln. type, root cause, or impact
         5. Don’t require references
      iii. Should the description match the separate metadata fields?
4. CVE List – QWG
   a. Formats (all different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing in the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging
         - Prose description, do we need it?