CVE Board Meeting summary - 13 November 2019


Bazar, Jo E.

CVE Board Meeting – 13 November 2019

  • Tod Beardsley, Rapid7
  • William Cox, Synopsys, Inc.
  • Patrick Emsweller, Cisco Systems, Inc.
  • Kent Landfield, McAfee
  • Scott Lawler, LP3
  • Scott Moore, IBM
  • Lisa Olson, Microsoft
  • Kathleen Trimble, U.S. Department of Homeland Security (DHS)
  • Takayuki Uchiyama, Panasonic Corporation

Members of MITRE CVE Team in Attendance

  • Jo Bazar
  • Chris Coffin
  • Jonathan Evans

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 2:30: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Chris Coffin
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin

2:30 – 2:45: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans/Chris Coffin

2:45 – 3:00: CVE Global Summit – Beverly Alvarez

3:00 – 3:15: CNA Rules Revision Status – Jonathan Evans

3:15 – 3:45: Board Charter Updates – Chris Coffin/Kent Landfield

3:45 – 3:55: Open Discussion

3:55 – 4:00: Action items, wrap-up


1.23.1 – Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).
  Responsible Party: MITRE (Evans)
  Status: In Process
  Comments: MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below:
    1. How to submit entries to MITRE using the web form (CNA Submission process)
    2. CVE ID assignment rules (Counting) – DRAFT sent to CNACWG and OCWG for input
    3. Becoming a CNA – DRAFT sent to CNACWG and OCWG for input
    4. CVE Program (includes Root structure)
    5. How to request that the MITRE CNA populate a CVE Entry (CNA Process)
    6. How to create a CVE Entry (CNA Entry creation)
  10/30 Update: A timeline was prepared and will be shared at the next Board meeting. “Becoming a CNA” will be sent by COB 11/1/19, and the CVE Board members will have two weeks to provide feedback.
  11/13 Update: Feedback is due by 11/17 for “Becoming a CNA”, and the CVE Entry Creation guidance is scheduled to be released NLT 11/17; feedback on it is due by 12/1/2019.

4.17.5 – Research a solution for storing and archiving CVE Board and WG meeting minutes and recordings (a central repository), as well as for tracking action items.
  Responsible Party: MITRE (Lew L.)
  Status: In Process
  Comments: 10/30 Update: The developers are setting up online storage in Glacier; downloads will be available after 90 days and will take a few days.

6.26.2 – Update the Charter to reflect the new interview process for Board nominations and that CVE Board members can send nominations directly to the private Board list.
  Responsible Party: MITRE (Chris C.)/Kent L.
  Status: In Process
  Comments:
    10/2 Update: Kent explained that a draft is in process; once completed, Chris C. will provide his input and send it to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.
    10/30 Update: Kent and Chris have a meeting scheduled this week to finish the drafts of the documents.
    11/13 Update: The updated Board Charter was sent to the Board for review on 11/5.

6.26.3 – Update the Charter to reflect the new Board nomination interview process. When a new Board member is nominated, a 30-minute interview is conducted during the next Board call.
  Responsible Party: MITRE (Chris C.)/Kent L.
  Status: In Process
  Comments:
    10/2 Update: Kent explained that a draft is in process; once completed, Chris C. will provide his input and send it to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.
    10/30 Update: Kent and Chris have a meeting scheduled this week to finish the drafts of the documents.
    11/13 Update: The updated Board Charter was sent to the Board for review on 11/5.

7.24.01 – Develop a strategy for handling public but low-quality vulnerabilities, especially cases where the vendor or maintainer has not acknowledged the vulnerability.
  Responsible Party: MITRE (Chris C./Jonathan E.)
  Status: In Process
  Comments: 9/4 Update: An outline was drafted by Jonathan and is being reviewed by the CVE team.

7.24.02 – Draft language clarifying the CVE Charter around organizational voting (when do we merge votes based on organizational affiliation).
  Responsible Party: MITRE (Chris C.)/Kent L.
  Status: In Process
  Comments:
    10/2 Update: Kent explained that a draft is in process; once completed, Chris C. will provide his input and send it to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.
    10/30 Update: Kent and Chris have a meeting scheduled this week to finish the drafts of the documents.
    11/13 Update: The updated Board Charter was sent to the Board for review on 11/5.

8.21.01 – Take the lead on a contest, open to the community, to create a new CVE logo.
  Responsible Party: OCWG
  Status: In Process
  Comments:
    9/4 Update: OCWG discussed this at its last meeting and is seeking additional guidance from the CVE Board.
    10/16 Update: Shannon provided a list of requirements/questions for the CVE Board to consider.

10.16.01 – Follow up with MITRE legal about CVE logo language, design usage, and required approvals.
  Responsible Party: MITRE (Chris L.)
  Status: Not Started
  Comments: Assigned October 16, 2019

10.16.02 – MITRE to communicate the RBP backlog strategy to the CVE Board.
  Responsible Party: MITRE (Chris L.)
  Status: In Progress
  Comments: 11/13 Update: To date, 331 (19%) CVE Entries have been populated from the MITRE backlog (which was 1,700), with 1,369 remaining. Based on the current run rate, the remaining MITRE backlog can be worked off by the end of January. The CVE Entries are taking longer due to counting issues and CNAs being unable to help identify which CVE ID goes with which vulnerability.

10.16.04 – SPWG to down-select CVE domain names and present options to the CVE Board for final selection and approval.
  Responsible Party: MITRE (Chris C.)
  Status: Completed
  Comments:
    10/30 Update: CVE domain names were sent to CVE Board members for consideration on 10/24/2019. SPWG is working on down-selecting the CVE domain names.
    11/13 Update: Four CVE domains were selected by the SPWG.

10.16.05 – Send the CNA press template to the CVE Board.
  Responsible Party: MITRE (Jo Bazar)
  Status: In Process
  Comments:
    10/30 Update: Press release sent to the CVE Board for input, due NLT 10/28/2019. Re-send to Kent for review.
    11/13 Update: Feedback received and forwarded to OCWG for review.

10.30.01 – Send CVE Global Summit 2020 HOLD_THE_DATE calendar invites to the CNA list (placeholder with hotel information).
  Responsible Party: MITRE (Beverly A./Jo B.)
  Status: Completed
  Comments: Invite sent on 11/5/2019

10.30.02 – Update the RBP threshold policy to include consequences for CNAs with backlogs over the specified threshold.
  Responsible Party: MITRE (Jonathan E./Jo B.)
  Status: In Process
  Comments: 11/13 Update: RBP policy drafted and being reviewed by the CVE team. The policy document will be sent to the CVE Board for review and comment.


Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens/Jo Bazar
    • OCWG meeting was held on November 1, 2019:
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • CNACWG meeting was held on November 6, 2019:
      • CVE Global Summit agenda task not yet started.
      • The draft agenda will be ready before Thanksgiving. One day will be dedicated to CNAs, and one day will be focused on the CVE Program. There will also be a call for papers on topics of interest to the CNA community.
  • Quality Working Group (QWG): Dave Waltermire/Chris Coffin
    • QWG meeting was held on October 31, 2019:
      • A use case interview with Patrick Emsweller and Omar Santos from Cisco is scheduled for November 21, 2019; the next use case interview will be with NIST.
      • The group had a good discussion around tagging: tags should not be included in the description, except for some kinds of state tags (e.g., EOL). SaaS and Medical Devices are examples of content-related tags.
  • Automation Working Group (AWG): Lew Loren/Chris Coffin
    • No AWG meeting since the last Board meeting.
    • SPWG/AWG meeting is November 18, 2019: update on the tech stack for the user registry and the authentication, authorization, and credentialing services.
  • Strategic Planning Working Group (SPWG): Kent Landfield
    • SPWG meeting was held on November 4, 2019:
      1. Down-selected the CVE domain names.
      2. Internationalization of CVE content, localization, and changes to software.
      3. Reviewed the CVE Charter updates.

CNA Updates

  • MITRE – Jo Bazar
    • Requests to become a CNA
      • Received eight CNA requests since the last CVE Board meeting.
    • On-boarding
      • Conducted one on-boarding session since the last Board meeting.
        • Three organizations are actively working through the guided examples.
      • One CNA on-boarding session is scheduled for December 2019.
    • CNA Announcements and News
      • Two CNA announcements since the last Board meeting: Splunk and ABB.
      • There are now 106 CNAs participating in the program.
      • 68 in the CNA pipeline, with 42 entering the pipeline this calendar year (Q1: 7; Q2: 8; Q3: 22; Q4: 12 so far).
      • Two pending CNA announcements.
  • JPCERT – Jonathan Evans/Chris Coffin
    • No updates

CVE Global Summit 2020 – Beverly Alvarez/Jo Bazar

  • CVE Global Summit calendar invite was sent to CVE Board members and CNAs. The invite included the Skype link and nearby hotel information.
  • CVE Global Summit 2020 will be hosted by Lenovo. The Summit will be at Lenovo in Morrisville, NC, on Monday, March 2, and Tuesday, March 3.
    • NetApp will be hosting the FIRST-TC in Raleigh, NC, on Wednesday, March 4, and Thursday, March 5.

CNA Rules Revision Timeline – Jonathan Evans

Jonathan reminded the group that comments from the CNAs and CVE Board are due by COB Friday, November 15, 2019. No comments have been received yet.

CNA Rules revision timeline:

  • Now – 10/30/19 – On Track – Done
    • MITRE integrates the proposed changes into a single unified document
  • 10/30/19 – 11/15/19 – In Process
    • Unified draft CNA Rules 3.0 document sent out for review and comments by the Board and CNAs
    • All comments must be received by 11/15
  • 11/16/19 – 12/1/19
    • MITRE integrates feedback received from the Board and CNAs
  • 12/2/19 – 12/16/19
    • MITRE submits the final CNA Rules 3.0 document for a vote by the Board on 12/2/19
    • Board has two weeks to vote
  • 12/16/19 – 12/31/19
    • CNA Rules 3.0 document sent for final technical edit
    • No substantive changes will be made during the edit
  • 1/2/2020
    • CNA Rules 3.0 is posted and in effect

Board Charter Updates – Chris Coffin/Kent Landfield

Kent walked the CVE Board members through the following changes being made to the CVE Charter (these changes correspond to action items 6.26.2, 6.26.3, and 7.24.02 in the Board minutes):

1. Update the Charter to reflect the new interview process for Board nominations and that CVE Board members can send nominations directly to the private Board list.
2. Update the Charter to reflect the new Board nomination interview process: when a new Board member is nominated, a 30-minute interview is conducted during the next Board call.
3. Draft language clarifying the CVE Charter around organizational voting (when do we merge votes based on organizational affiliation).

The following additional changes were made to the Charter that were not listed as Board action items:

1. Clarification that existing Board members are not allowed to nominate potential Board members from the organization where they are currently employed or affiliated.
2. Added the ability for a failed nominee to be re-nominated 12 months later.
3. WGs should use CVE Program-supplied email and storage facilities.
4. Updated to use a single term to refer to the CNA Liaison; previously, multiple terms were used.
5. Clarified that the CNA Liaison voting process is a Board responsibility and not a CNACWG internal process. The nomination and voting process must include all program-of-record CNAs. The Board moderator is responsible for managing all Board-related voting processes.
6. Updated the terms “Board Moderator” and “Board Member” to lowercase for consistency.

The group had a healthy conversation regarding the roles of CNACWG Chair and CNA Liaison: whether they should be two separate roles, and whether they could be filled by one person or two. The group agreed that the two roles can be fulfilled by one person or by two people.

Action Items from Board Meeting held on 13 November 2019

11.13.01 – Update the CNACWG charter to reflect the updates to the voting process, the CNACWG Chair role, and the CNA Liaison role, to match the CVE Charter.
  Responsible Party: Tod Beardsley
  Status: Not Started
  Comments: Assigned 11/13/2019

11.13.02 – Send the updated CVE Charter process and revised due dates.
  Responsible Party: MITRE (Chris Coffin)
  Status: Completed
  Comments: Assigned 11/13/2019

Board Decisions

  • None

Future Discussion Topics

1. Communication
   a. Outreach – OCWG for most of this section (noted otherwise).
      i. Localization – should start in the QWG for guidance, then go to the AWG for implementation.
      ii. Upstream producers –
         1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
         1. Vulnerability Description
            a. VDO
            b. CSAF
         2. Severity
            a. CVSS
         3. Product identification and management
            a. SBOM
               i. CWE
                  1. hardware
   b. Metrics – CVE Board
      i. Community metrics (public metrics)
      ii. CNA-specific metrics
      iii. Program performance (report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
         1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – SharePoint site (CVE CNA site)
2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
         1. Non-vendor CNAs
            a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
         2. Root CNA shopping
         3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
            a. CNA scope to the cooperative sub-CNAs
   c. Coverage – CVE Board
      i. What’s in, what’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
         1. Define (not a wrench)
      v. Open source software
   d. Goals – CVE Board
3. Operations
   a. Guidance
      i. Operationalizing Root CNAs – SPWG
         1. What is MITRE’s role?
         2. How to best operationalize Root CNAs
      ii. For new CNAs – CNACWG
         1. What is needed?
         2. What are the best formats?
         3. How to minimize one-on-one guidance
      iii. How to supply refreshers – CVE Board/CNACWG
   b. CNA Management – CNACWG
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirements
         1. Responsiveness
         2. Time to populate
         3. RBP start time
      iii. Scope statement best practices
      iv. Rules Violations
         1. Assignment correction processes (e.g., reject, split, merge) should account for violations
   c. Assignments – CVE Board
      i. Prevent duplicates
         1. How can CNA scopes help?
   d. Submissions – QWG and CVE Board; AWG handles format implementation
      i. Formats
      ii. Information requirements
         1. Add impact
         2. Add publication data
         3. Add vulnerability type
         4. Split problem type into vulnerability type, root cause, or impact
         5. Don’t require references
      iii. Should the description match the separate metadata fields?
4. CVE List – QWG
   a. Formats (all the different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing in the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging
   c. Prose description: do we need it?

Attachment: CVE_Board_Meeting_13 Nov 2019_FINALv1.pdf (597K)