Common Vulnerabilities and Exposures – CVE Board

CVE Board Meeting summary - 15 April 2020

classic Classic list List threaded Threaded
1 message Options
Jo E Bazar
Reply | Threaded
Open this post in threaded view
|

CVE Board Meeting summary - 15 April 2020

Jo E Bazar

CVE Board Meeting – 15 April 2020

Members of CVE Board in Attendance

Chris Coffin (MITRE at Large)

Patrick Emsweller, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Moore, IBM

Shannon Sabens, Trend Micro

Kathleen Noble, Intel

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance

Jo Bazar

Christine Deal

Jonathan Evans

Lew Loren

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 3:00: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Jonathan Evans/Dave Waltermire
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield

 

3:00 – 3:45: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans
  • Root CNA Prospects – Jonathan Evans/Jo Bazar

 

3:45 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up


#


Action Item


Responsible Party


Status


Comments

10.30.02

Update RBP threshold policy to include consequences for CNA’s with backlogs over the specific threshold.

MITRE (Jonathan E./Jo B.)

Completed

11/13 Update: RBP policy drafted and being reviewed by CVE team. Policy document will be sent to the CVE Board for awareness.

4/1 Update: Policy approved by Chris L, in process of updating CVE Website.

4/15 Update: Policy posted on CVE website.

02.19.01

Identify the industries for active and pipeline CNAs so get a complete picture of the CNA profile.  

OCWG

In Process

Assigned 2/19/2020.

02.19.04

Develop strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.).

SPWG

Not Started

Assigned 2/19/2020.

3.18.02

QWG develop a definition for the EOL tagging for presentation to the CVE Board. Once defined, the next step is to document the entire process. 

Lisa Olson/Jonathan E. (MITRE)

In Process

4/15 Update: Draft document developed; will be reviewed in QWG.

3.18.03

Send action items from CVE Global Summit for review/input. Once reviewed, add the action items to the CVE Board meeting minutes.

Jo B. (MITRE)

Completed

4/1 Update: Sent CVE Global Summit action items for review to CVE Board on 3/26; feedback due by 3/31/2020.

4/15 Update: Action items drafted and posted to SharePoint; there are too many to include with CVE Board meeting minutes.

3.18.04

Develop write up to send to the CNAs via the CNA mailing list to get their feedback on JSON 5.0 90-day transition. 

Lew L. (MITRE)

In Process

4/1 Update: Lew sent email on 3/30 to CNA Mailing list.

4.1.01

Update templates (Word, PowerPoint) with new CVE logo

Christine Deal (MITRE)

Completed

4/15 Update: Templates are ready; just waiting for CVE logo trademark.

4.1.02

Lew and development team develop a more granular set of milestones for April 13, 2020 AWG meeting.

Lew Loren (MITRE)

Completed

4/15 Update: Milestones developed for April 13 meeting.

4.1.03

Lew and Dave meet to review milestones before April 13th AWG meeting.

Lew Loren MITRE)

Completed

4/15 Update: Lew and Dave met and reviewed milestones.

4.1.04

Develop Non-responsiveness Policy to address CNA1 that continues to be unresponsive.

Jo Bazar (MITRE)

Not Started

Assigned on 4/1/2020

4.1.05

Develop milestones and timeline for RCNA1 and set up follow up meeting in next two weeks. 

Jo Bazar/Jonathan E. (MITRE)

Completed

4/15 Update: Timeline drafted; next bi-weekly meeting is scheduled for 4/29/2020.

4.1.07

Formalize Council of Roots responsibilities in anticipation of new Roots joining the program

SPWG

Not Started

Assigned on 4/1/2020

 

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens 
    • No meeting since last CVE Board meeting; next OCWG meeting will be held on held on April 17, 2020. 
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • CNACWG meeting held on April 8, 2020:
    • Still working up a CVE transfer system
    • Conducted a doodle poll to determine alternate meeting times for EU/APAC meetings; will be sending out invites soon 

o   Quality Working Group (QWG): Dave Waltermire/Jonathan Evans 

    • QWG meeting held on April 2, 2020: 
      • Tagging:
        • Defining requirements for JSON for tagging
        • NIST currently has plans for reference tags, which can conflict with CVE tag issues; needs further discussions 
      • Discussions:
        • Can CVEs move from populated to reserved?
          • The general position is that this should never happen
          • If a CNA accidentally populated a CVE Entry, downstream users of CVE are relying on the information in the entry. It would cause more confusion to move the entry back to reserved. The CNA should update the entry to explain what happened and provide context to the users.
        • How CNAs can extend the CVE JSON format to include additional fields:
          • Consensus was that these fields have been beneficial to the program and are essential to the dynamism of the CVE Entry content.
          • We want a more formal way of allowing CNAs to provide definitions for these fields rather than having users guess.  We want something like XML's namespaces.
    • QWG Meeting times:  QWG has been moved to 4-5pm EST so more can attend
  • Automation Working Group (AWG) – Lew Loren  

      AWG meeting was held on April 13, 2020: 

      • Roll out plan for JSON 5.0:
        • Reviewed the transition roll out plan for JSON 5.0 against the transition plan for ESUS (entry submission and upload service)
        • JSON Converter to help CNA transition; developed an upconverter to download data in 4.0, and downconverter upload into 5.0 format.
        • Joe Whittemore will be posting a validator for the JSON Schema
        • ESUS depends heavily on the JSON format; stubbed up partial version will be rolled out first with API, then next will be the database with realistic data.

§  Changing the meeting and frequency to every Tuesday from 4-5pm 

§  Meetings to line up with SPWG, so sprint reviews can be accommodated, and planning can occur before the AWG meeting

§  Moved meeting from bi-weekly to weekly

§  The ID Allocations services will be reviewed at the next meeting

  • Strategic Planning (SPWG) – Kent Landfield  
    • SPWG meeting was held on April 13, 2020:
      • Five different options for the EOL policy were discussed
        • EOL policy document is drafted and will be updated to include the five options

 

CNA Updates

  • MITRE –Jo Bazar
  • Requests to become a CNA

§  Received five CNA requests since the last CVE Board meeting (held on 4/1/20).

  • On-Boarding

§  Conducted two onboarding sessions since the last boarding meeting.

§  Two CNA onboarding sessions scheduled.

  • CNA Announcements and News

§  Two CNA announcement since last CVE Board meeting: Vivo Communications and Zscaler

§  There are now 118 CNAs participating in the program in 21 countries

§  91 in total CNA pipeline: 15 in Q3’19; 15 in Q4’19; 25 in Q1’20 and 5 in Q2’20

§  Three pending CNA announcements.

§  JPCERT - Jonathan Evans

    • No Updates 
  • Root CNA Prospects – Jonathan Evans/Jo Bazar
    • RCNA1 Root update:
      • Jonathan and Jo met with RCNA1 on April 15, 2020, to review the draft timeline and milestones. Meeting is scheduled every two weeks to review status of tasks; meetings scheduled through the end of September.
      • The meeting went very well; we reviewed the tasks, milestones, and timelines. The next meeting is scheduled for April 29, 2020. At that meeting, we will review tasks, get status updates, and adjust timelines as needed.

 

Open Discussion Items

  • Katie Noble informed the group that the ETSI/LOT9 Group is putting together a European standard to comply with European Union regulations. When she originally read the implementation plan, it required that all vendors utilize the CVE format and become CNAs. However, she believes that the requirement that all vendors become CNAs has been removed but as soon as she has a new draft implementation plan, she will send it along to the group.

 

Action Items from Board Meeting held on 15 April 2020


#


Action Item


Responsible Party


Status


Comments

4.15.01

Follow up with JP/CERT having a representative or providing updates about JP/CERT.

Jonathan E. (MITRE)

Not Started

Assigned on 4/15/2020

4.15.02

Send RCNA1 Root milestones and timelines to CVE private board.

Jo B. (MITRE)

Completed

Sent to CVE Board on 4/15/2020

4.15.03

Follow up with RCNA1 about participating in the AWG so they can be involved with the design of the APIs.

Jonathan E./Jo B. (MITRE)

Not Started

Assigned on 4/15/2020

4.15.04

Send EOL tagging draft document to Kent so he can incorporate into EOL document.

Jonathan E. (MITRE)

Not Started

Assigned on 4/15/2020

4.15.05

Send CVE Board Charter 3.1 for review and vote.

Jo B. (MITRE)

Not Started

Assigned on 4/15/2020

 

Board Decisions

None

Next CVE Board Meeting 

Wednesday, April 29, 2020 at 2:00PM EDT

 

 


CVE_Board_Meeting_15 April 2020 FINAL.pdf (502K) Download Attachment
Free forum by Nabble Edit this page