CVE Board Meeting – 13 May 2020
Members of CVE Board in Attendance
Tod Beardsley, Rapid7 (CNA Coordination Working Group Liaison)
Chris Coffin, The MITRE Corporation (MITRE At-Large)
Patrick Emsweller, Cisco Systems, Inc.
Kent Landfield, McAfee
Scott Lawler, LP3
Chris Levendis, The MITRE Corporation (MITRE CVE Program Leader/CVE Board Moderator)
Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)
Scott Moore, IBM
Kathleen Noble, Intel Corporation
Lisa Olson, Microsoft
Takayuki Uchiyama, Panasonic Corporation
David Waltermire, National Institute of Standards and Technology (NIST)
Members of MITRE CVE Team in Attendance
Jo Bazar
Christine Deal
Jonathan Evans
Chris Levendis
Lew Loren
Special Guest: Jay Gazlay
2:00 – 2:30: Interview with Jay Gazlay (30 mins)
2:30 – 3:00: Post interview discussion (30 mins)
3:00 – 3:30: Fuzzing topic
3:30 – 3:40: Action items from the last meeting
3:40 – 3:50: Working Group and Root CNA - Q&A
3:50 – 4:00: Action items, wrap-up
| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 02.19.01 | Identify the industries for active and pipeline CNAs to get a complete picture of the CNA profile. | OCWG | In Process | 5/13 Update: Will review at next OCWG meeting. |
| 02.19.04 | Develop strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.). | SPWG | Not Started | Assigned 2/19/2020. |
| 4.1.04 | Develop Non-responsiveness Policy to address CNA1 that continues to be unresponsive. | Jo Bazar (MITRE) | Pending | 5/13 Update: Pending feedback from CNACWG. |
| 4.1.07 | Formalize Council of Roots responsibilities in anticipation of new Roots joining the program | SPWG | Not Started | Assigned on 4/1/2020 |
| 4.15.03 | Follow up with RCNA1 about participating in the AWG so they can be involved with the design of the APIs. | Jonathan E./Jo B. (MITRE) | Completed | |
| 4.29.01 | Add the following items to May 13th CVE Board agenda: 1. Interview with Jay G. (30 mins) 2. Post interview discussion (30 mins) 3. Fuzzing topic | Jo B. (MITRE) | Completed | Assigned on 4/29/2020 |
| 4.29.02 | Updating the CVE Board charter to address exceptions issues CVE board member voting. | Kent L. | Not Started | Assigned on 4/29/2020 |
| 4.29.03 | Set up 2-day test meeting so Board members can test MS Teams functionality. | Christine D. (MITRE) | OBE | 5/13/20 Update: New meeting invite sent with MS Teams link on May 12, 2020. |
- The interview with Jay Gazlay was recorded; to access the recordings contact Jo Bazar.
Post interview discussion
- Post interview discussion was recorded; to access the recordings contact Jo Bazar.
- Kent suggested that the CVE Board sponsor a workshop on automated vulnerability identification, target will be open source. This workshop would then expand our open source conversations as well. David suggested putting out a call for papers on this topic, like what Google submitted about OSS-Fuzz. The group agreed on the approaches.
CVE Board items voting priority
- The group agreed that the CVE Board would be voting on the following in the order listed below:
  - Jay Gazlay Nomination
  - CVE Board Charter (Exceptions issues)
  - End of Life Process Document
  - CVE Board Charter (Exceptions usage for the first time)
Open Source Project Champion
- Katie explained she is getting a lot of questions regarding SQLite, about CVEs and disputes and that there is no champion for Open Source projects. The group agreed this topic needs to be further discussed at a future board meeting.
CVE Global Summit
- Tod explained that October 14, 2020, is the day after Patch Tuesday and would be difficult for some CNAs. The group agreed that Monday, October 19, 2020, would be a better date for the virtual CVE Global Summit.
Future discussion items
The group agreed that the following discussion items need to be added to a future CVE Board agenda.
- Open source problem discussion – Katie Noble (Intel)
- Do a post mortem of DWF
- Host a workshop after Automated Vulnerability workshop
- Sponsor Liaison position on CVE Board
Action Items from Board Meeting held on 13 May 2020
| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 5.13.01 | Initiate vote for Jay Gazlay nomination to the CVE Board. | Chris L. (MITRE) | Not Started | Assigned on 5/13/2020 |
| 5.13.02 | Take the lead for developing a proposal about approach for automated vulnerability identification workshop that includes an initial target participant list, and report back to next CVE Board Meeting on May 27, 2020. | Kent L. (McAfee) | Not Started | Assigned on 5/13/2020 |
| 5.13.03 | Add future discussion items from May 13, 2020 CVE Board meeting to future agenda (Open source project discussion and sponsor liaison) | Chris L. (MITRE) | Not Started | Assigned on 5/13/2020 |
None
Wednesday, May 27, 2020 at 2:00PM EDT