CVE Board Meeting – 13 November 2019
William Cox, Synopsys, Inc.
Patrick Emsweller, Cisco Systems, Inc.
Kent Landfield, McAfee
Scott Lawler, LP3
Scott Moore, IBM
Lisa Olson, Microsoft
Kathleen Trimble, U.S. Department of Homeland Security (DHS)
Takayuki Uchiyama, Panasonic Corporation
Members of MITRE CVE Team in Attendance
Jo Bazar
Chris Coffin
Jonathan Evans

Agenda
2:00 – 2:15: Introductions, action items from the last meeting
2:15 – 2:30: Working Groups
2:30 – 2:45: Root CNA Update
2:45 – 3:00: CVE Global Summit – Beverly Alvarez
3:00 – 3:15: CNA Rules Revision Status – Jonathan Evans
3:15 – 3:45: Board Charter Updates – Chris Coffin/Kent Landfield
3:45 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up
Working Group Updates
- CNA Coordination Working Group (CNACWG): Tod Beardsley

CNA Updates

CVE Global Summit 2020 – Beverly Alvarez/Jo Bazar
- The CVE Global Summit calendar invite was sent to CVE Board Members and CNAs. The invite included the Skype link and nearby hotel information.
- CVE Global Summit 2020 will be hosted by Lenovo. The Summit will be at Lenovo in Morrisville, NC, and will be held on Monday, March 2, and Tuesday, March 3.
CNA Rules Revision Timeline – Jonathan Evans
Jonathan reminded the group that comments from the CNAs and CVE Board are due by COB Friday, November 15, 2019.
No comments have been received yet.
CNA Rules revision timeline:
- Now – 10/30/19 – On Track – Done
  – MITRE integrates the proposed changes into a single unified document
- 10/30/19 – 11/15/19 – In Process
  – Unified draft CNA Rules 3.0 document sent out for review and comments by the Board and CNAs
  – All comments must be received by 11/15
- 11/16/19 – 12/1/19
  – MITRE integrates feedback received from the Board and CNAs
- 12/2/19 – 12/16/19
  – MITRE submits the final CNA Rules 3.0 document for a vote by the Board on 12/2/19
  – Board has two weeks to vote
- 12/16/19 – 12/31/19
  – CNA Rules 3.0 document sent for final technical edit
  – No substantive change will be made during the edit
- 1/2/2020
  – CNA Rules 3.0 is posted and in effect
Board Charter Updates – Chris Coffin/Kent Landfield
Kent walked the CVE Board members through the following changes being made to the CVE Charter (the changes to the CVE Charter correspond to action items 6.26.2, 6.26.3, and 7.24.02 in the Board minutes):
1. Update the Charter to reflect the new interview process for Board nominations and that CVE Board members can send nominations directly to the private Board list.
2. Update the Charter to reflect the new Board nomination interview process: when a new Board member is nominated, a 30-minute interview is conducted during the next Board call.
3. Draft language clarifying the CVE Charter around organizational voting (when to merge votes based on organizational affiliation).
The following is a list of additional changes made to the Charter that were not listed as Board action items:
1. Clarification that existing Board members are not allowed to nominate potential Board members from the organization where they are currently employed or affiliated.
2. Added the ability for a failed nominee to be re-nominated 12 months later.
3. WGs should use CVE Program-supplied email and storage facilities.
4. Updated to use a single term to refer to the CNA Liaison; previously, multiple terms were used.
5. Clarified that the CNA Liaison voting process is a Board responsibility and not a CNACWG internal process. A nomination and voting process must include all program of record CNAs. The Board moderator is responsible for managing all Board-related voting processes.
6. Updated the terms “Board Moderator” and “Board Member” to lowercase for consistency.
The group had a healthy conversation regarding the roles of CNACWG Chair and CNA Liaison: whether they should be two separate roles, and whether they should be filled by one person or by two. The group agreed that the two roles can be filled by one person or by two persons.
Action Items from Board Meeting held on 13 November 2019

Board Decisions

Future Discussion Topics
1. Communication
   a. Outreach – OCWG for most of this section (noted otherwise).
      i. Localization – should start in the QWG for guidance, then go to the AWG for implementation.
      ii. Upstream producers –
         1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
         1. Vulnerability Description
            a. VDO
            b. CSAF
         2. Severity
            a. CVSS
         3. Product identification and management
            a. SBOM
   b. Metrics – CVE Board
      i. Community metrics (Public metrics)
      ii. CNA specific metrics
      iii. Program performance (Report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
         1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – SharePoint site (CVE CNA site)
2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
         1. Non-vendor CNAs
            a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
         2. Root CNA shopping
         3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
   c. Coverage – CVE Board
      i. What’s in, What’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
      v. Open source software

      i. Operationalizing Root CNAs – SPWG
      ii. For new CNAs – CNACWG
      iii. How to supply refreshers – CVE Board/CNACWG

      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirement
      iii. Scope statement best practices
      iv. Rules Violations

      i. Prevent duplicates

      i. Formats
      ii. Information requirements
         4. Split problem type into vuln. type, root cause, or impact
         5. Don’t require references
      iii. Should the description match the separate metadata fields
4. CVE List – QWG
   a. Formats (all different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing in the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging