CVE Board Meeting summary - 13 May 2020


Bazar, Jo E.

CVE Board Meeting – 13 May 2020

Members of CVE Board in Attendance

Tod Beardsley, Rapid7 (CNA Coordination Working Group Liaison)

Chris Coffin, The MITRE Corporation (MITRE At-Large)

Patrick Emsweller, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Lawler, LP3

Chris Levendis, The MITRE Corporation (MITRE CVE Program Leader/CVE Board Moderator)

Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)

Scott Moore, IBM

Kathleen Noble, Intel Corporation

Lisa Olson, Microsoft

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance

Jo Bazar

Christine Deal

Jonathan Evans

Chris Levendis

Lew Loren

 

Special Guest: Jay Gazlay

 

2:00 – 2:30: Interview with Jay Gazlay (30 mins)

2:30 – 3:00: Post interview discussion (30 mins)

3:00 – 3:30: Fuzzing topic  

3:30 – 3:40: Action items from the last meeting  

3:40 – 3:50:  Working Group and Root CNA - Q&A

3:50 – 4:00: Action items, wrap-up


| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 02.19.01 | Identify the industries for active and pipeline CNAs to get a complete picture of the CNA profile. | OCWG | In Process | 5/13 Update: Will review at next OCWG meeting. |
| 02.19.04 | Develop strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.). | SPWG | Not Started | Assigned 2/19/2020. |
| 4.1.04 | Develop Non-responsiveness Policy to address CNA1 that continues to be unresponsive. | Jo Bazar (MITRE) | Pending | 5/13 Update: Pending feedback from CNACWG. |
| 4.1.07 | Formalize Council of Roots responsibilities in anticipation of new Roots joining the program | SPWG | Not Started | Assigned on 4/1/2020 |
| 4.15.03 | Follow up with RCNA1 about participating in the AWG so they can be involved with the design of the APIs. | Jonathan E./Jo B. (MITRE) | Completed | |
| 4.29.01 | Add the following items to May 13th CVE Board agenda: 1. Interview with Jay G. (30 mins); 2. Post interview discussion (30 mins); 3. Fuzzing topic | Jo B. (MITRE) | Completed | Assigned on 4/29/2020 |
| 4.29.02 | Updating the CVE Board charter to address exceptions issues CVE board member voting. | Kent L. | Not Started | Assigned on 4/29/2020 |
| 4.29.03 | Set up 2-day test meeting so Board members can test MS Teams functionality. | Christine D. (MITRE) | OBE | 5/13/20 Update: New meeting invite sent with MS teams link on May 12, 2020. |

 

Interview – Jay Gazlay

  • The interview with Jay Gazlay was recorded; to access the recordings, contact Jo Bazar.

 

Post interview discussion

  • The post interview discussion was recorded; to access the recordings, contact Jo Bazar.

 

Open Source Fuzzing

  • Kent suggested that the CVE Board sponsor a workshop on automated vulnerability identification, with open source as the target. This workshop would then expand our open source conversations as well. David suggested putting out a call for papers on this topic, like what Google submitted about OSS-Fuzz. The group agreed on the approaches.

 

Open Discussion

CVE Board items voting priority

  • The group agreed that the CVE Board would be voting on the following in the order listed below:
    • Jay Gazlay Nomination
    • CVE Board Charter (Exceptions issues)
    • End of Life Process Document
    • CVE Board Charter (Exceptions usage for the first time)

Open Source Project Champion

  • Katie explained that she is getting a lot of questions regarding SQLite, about CVEs and disputes, and that there is no champion for Open Source projects. The group agreed this topic needs to be further discussed at a future board meeting.

CVE Global Summit

  • Tod explained that October 14, 2020, is the day after Patch Tuesday and would be difficult for some CNAs. The group agreed that Monday, October 19, 2020, would be a better date for the virtual CVE Global Summit.

Future discussion items

The group agreed that the following discussion items need to be added to a future CVE Board agenda.

  • Open source problem discussion – Katie Noble (Intel)
    • Do a post mortem of DWF 
    • Host a workshop after Automated Vulnerability workshop
  • Sponsor Liaison position on CVE Board

Action Items from Board Meeting held on 13 May 2020


| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 5.13.01 | Initiate vote for Jay Gazlay nomination to the CVE Board. | Chris L. (MITRE) | Not Started | Assigned on 5/13/2020 |
| 5.13.02 | Take the lead for developing a proposal about the approach for an automated vulnerability identification workshop that includes an initial target participant list, and report back to next CVE Board Meeting on May 27, 2020. | Kent L. (McAfee) | Not Started | Assigned on 5/13/2020 |
| 5.13.03 | Add future discussion items from May 13, 2020 CVE Board meeting to future agenda (Open source project discussion and sponsor liaison) | Chris L. (MITRE) | Not Started | Assigned on 5/13/2020 |

 

Board Decisions

None

Next CVE Board Meeting 

Wednesday, May 27, 2020 at 2:00PM EDT

 

