CVE Board Meeting – 15 April 2020
Members of CVE Board in Attendance
- Chris Coffin (MITRE at Large)
- Patrick Emsweller, Cisco Systems, Inc.
- Kent Landfield, McAfee
- Scott Moore, IBM
- Shannon Sabens, Trend Micro
- Kathleen Noble, Intel
- Takayuki Uchiyama, Panasonic Corporation
- David Waltermire, National Institute of Standards and Technology (NIST)
- Ken Williams, Broadcom Inc.
Members of MITRE CVE Team in Attendance
- Jo Bazar
- Christine Deal
- Jonathan Evans
- Lew Loren
Agenda
2:00 – 2:15: Introductions, action items from the last meeting
2:15 – 3:00: Working Groups
- Outreach and Communications Working Group (OCWG): Shannon Sabens
- CNA Coordination Working Group (CNACWG): Tod Beardsley
- Quality Working Group (QWG): Jonathan Evans/Dave Waltermire
- Automation Working Group (AWG): Lew Loren
- Strategic Planning Working Group (SPWG): Kent Landfield
3:00 – 3:45: Root CNA Update
- MITRE: Jo Bazar
- JPCERT: Jonathan Evans
- Root CNA Prospects: Jonathan Evans/Jo Bazar
3:45 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up
Action Items from Previous Meetings

| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 10.30.02 | Update RBP threshold policy to include consequences for CNAs with backlogs over the specified threshold. | MITRE (Jonathan E./Jo B.) | Completed | 11/13 Update: RBP policy drafted and being reviewed by CVE team. Policy document will be sent to the CVE Board for awareness. 4/1 Update: Policy approved by Chris L; in process of updating CVE website. 4/15 Update: Policy posted on CVE website. |
| 02.19.01 | Identify the industries for active and pipeline CNAs to get a complete picture of the CNA profile. | OCWG | In Process | Assigned 2/19/2020. |
| 02.19.04 | Develop strategy for expanding and growing the CNA program into existing and new industries (e.g., energy, automotive, healthcare tech). | SPWG | Not Started | Assigned 2/19/2020. |
| 3.18.02 | QWG to develop a definition for EOL tagging for presentation to the CVE Board. Once defined, the next step is to document the entire process. | Lisa Olson/Jonathan E. (MITRE) | In Process | 4/15 Update: Draft document developed; will be reviewed in QWG. |
| 3.18.03 | Send action items from CVE Global Summit for review/input. Once reviewed, add the action items to the CVE Board meeting minutes. | Jo B. (MITRE) | Completed | 4/1 Update: Sent CVE Global Summit action items to CVE Board for review on 3/26; feedback due by 3/31/2020. 4/15 Update: Action items drafted and posted to SharePoint; there are too many to include with the CVE Board meeting minutes. |
| 3.18.04 | Develop write-up to send to the CNAs via the CNA mailing list to get their feedback on the JSON 5.0 90-day transition. | Lew L. (MITRE) | In Process | 4/1 Update: Lew sent email to CNA mailing list on 3/30. |
| 4.1.01 | Update templates (Word, PowerPoint) with new CVE logo. | Christine Deal (MITRE) | Completed | 4/15 Update: Templates are ready; just waiting for CVE logo trademark. |
| 4.1.02 | Lew and development team to develop a more granular set of milestones for the April 13, 2020 AWG meeting. | Lew Loren (MITRE) | Completed | 4/15 Update: Milestones developed for April 13 meeting. |
| 4.1.03 | Lew and Dave to meet to review milestones before the April 13 AWG meeting. | Lew Loren (MITRE) | Completed | 4/15 Update: Lew and Dave met and reviewed milestones. |
| 4.1.04 | Develop non-responsiveness policy to address CNA1, which continues to be unresponsive. | Jo Bazar (MITRE) | Not Started | Assigned on 4/1/2020. |
| 4.1.05 | Develop milestones and timeline for RCNA1 and set up follow-up meeting in next two weeks. | Jo Bazar/Jonathan E. (MITRE) | Completed | 4/15 Update: Timeline drafted; next bi-weekly meeting is scheduled for 4/29/2020. |
| 4.1.07 | Formalize Council of Roots responsibilities in anticipation of new Roots joining the program. | SPWG | Not Started | Assigned on 4/1/2020. |
Working Groups
- Outreach and Communications Working Group (OCWG): Shannon Sabens
  - No meeting since last CVE Board meeting; next OCWG meeting will be held on April 17, 2020.
- CNA Coordination Working Group (CNACWG): Tod Beardsley
  - CNACWG meeting held on April 8, 2020:
    - Still working up a CVE transfer system.
    - Conducted a Doodle poll to determine alternate meeting times for EU/APAC meetings; invites will be sent out soon.
- Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
  - QWG meeting held on April 2, 2020:
    - Tagging:
      - Defining JSON requirements for tagging.
      - NIST currently has plans for reference tags, which can conflict with CVE tag issues; needs further discussion.
    - Discussions:
      - Can CVEs move from populated to reserved? The general position is that this should never happen. If a CNA accidentally populated a CVE Entry, downstream users of CVE are already relying on the information in the entry, and moving the entry back to reserved would cause more confusion. The CNA should instead update the entry to explain what happened and provide context to users.
      - How CNAs can extend the CVE JSON format to include additional fields: consensus was that these fields have been beneficial to the program and are essential to the dynamism of CVE Entry content. We want a more formal way of allowing CNAs to provide definitions for these fields rather than having users guess; something like XML's namespaces.
    - QWG meeting times: QWG has been moved to 4-5pm EST so more can attend.
- Automation Working Group (AWG): Lew Loren
  - AWG meeting held on April 13, 2020:
    - Roll-out plan for JSON 5.0:
      - Reviewed the transition roll-out plan for JSON 5.0 against the transition plan for ESUS (Entry Submission and Upload Service).
      - JSON converter to help CNA transition: developed an upconverter to download data in 4.0 and a downconverter to upload into 5.0 format.
      - Joe Whittemore will be posting a validator for the JSON schema.
      - ESUS depends heavily on the JSON format; a stubbed-up partial version will be rolled out first with the API, followed by the database with realistic data.
    - Changing the meeting time and frequency to every Tuesday from 4-5pm:
      - Meetings to line up with SPWG, so sprint reviews can be accommodated and planning can occur before the AWG meeting.
      - Moved meeting from bi-weekly to weekly.
    - The ID Allocation services will be reviewed at the next meeting.
- Strategic Planning Working Group (SPWG): Kent Landfield
  - SPWG meeting held on April 13, 2020:
    - Five different options for the EOL policy were discussed.
    - EOL policy document is drafted and will be updated to include the five options.

Root CNA Update
- MITRE: Jo Bazar
  - Received five CNA requests since the last CVE Board meeting (held on 4/1/20).
  - Conducted two onboarding sessions since the last Board meeting.
  - Two CNA onboarding sessions scheduled.
  - CNA Announcements and News:
    - Two CNA announcements since last CVE Board meeting: Vivo Communications and Zscaler.
    - There are now 118 CNAs participating in the program in 21 countries.
    - 91 in total CNA pipeline: 15 in Q3'19; 15 in Q4'19; 25 in Q1'20 and 5 in Q2'20.
    - Three pending CNA announcements.
- JPCERT: Jonathan Evans
- Root CNA Prospects: Jonathan Evans/Jo Bazar
  - RCNA1 Root update:
    - Jonathan and Jo met with RCNA1 on April 15, 2020, to review the draft timeline and milestones. A meeting is scheduled every two weeks to review the status of tasks; meetings are scheduled through the end of September.
    - The meeting went very well; we reviewed the tasks, milestones, and timelines. The next meeting is scheduled for April 29, 2020. At that meeting, we will review tasks, get status updates, and adjust timelines as needed.
  - Katie Noble informed the group that the ETSI/LOT9 Group is putting together a European standard to comply with European Union regulations. When she originally read the implementation plan, it required that all vendors utilize the CVE format and become CNAs. However, she believes that the requirement that all vendors become CNAs has been removed; as soon as she has a new draft implementation plan, she will send it along to the group.
Action Items from Board Meeting held on 15 April 2020

| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 4.15.01 | Follow up with JPCERT about having a representative attend or providing updates about JPCERT. | Jonathan E. (MITRE) | Not Started | Assigned on 4/15/2020 |
| 4.15.02 | Send RCNA1 Root milestones and timelines to CVE private board. | Jo B. (MITRE) | Completed | Sent to CVE Board on 4/15/2020 |
| 4.15.03 | Follow up with RCNA1 about participating in the AWG so they can be involved with the design of the APIs. | Jonathan E./Jo B. (MITRE) | Not Started | Assigned on 4/15/2020 |
| 4.15.04 | Send EOL tagging draft document to Kent so he can incorporate it into the EOL document. | Jonathan E. (MITRE) | Not Started | Assigned on 4/15/2020 |
| 4.15.05 | Send CVE Board Charter 3.1 for review and vote. | Jo B. (MITRE) | Not Started | Assigned on 4/15/2020 |
None
Next meeting: Wednesday, April 29, 2020 at 2:00PM EDT