CVE Board Meeting – 16 October 2019

Tod Beardsley, Rapid7

Mark Cox, Red Hat, Inc.

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Scott Lawler, LP3

Beverly Miller Alvarez, Lenovo Group Ltd.

Scott Moore, IBM

Lisa Olson, Microsoft

David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Christine Deal

Jonathan Evans

Chris Levendis

Lew Loren

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 2:30: Working Groups

• Outreach and Communications Working Group (OCWG): Shannon Sabens
• CNA Coordination Working Group (CNACWG): Tod Beardsley
• Quality Working Group (QWG): Chris Coffin
• Automation Working Group (AWG): Lew Loren
• Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin

 

2:30 – 2:45: Root CNA Update

• MITRE: Jo Bazar
• JPCERT: Jonathan Evans/Chris Coffin

 

2:45 – 3:00: Quarterly Report Card - Jo Bazar  

3:00 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up

#	Action Item	Responsible Party	Status	Comments
1.23.1	Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).	MITRE (Evans)	In Process	MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below: How to submit entries to MITRE using the web form  CVE ID assignment rule (Counting)  Becoming a CNA CVE Program (includes Root structure) How to request the MITRE CNA populate a CVE entry   8/21 Update: Jonathan sent draft CNT1 and CNT2 to OCWG and CNACWG for review and feedback by 9/13/19. 10/2 Update: Jonathan has drafted the Assignment rules script and will sent to the group for review and feedback.
4.17.5	Research solution for storing, archiving, and central repository for CVE Board and WG meeting minutes, recordings, as well as tracking action items.	MITRE (Lew L.)	In Process	6/12 Update: CNA SharePoint site is up (MITRE partners account is required), Handshake account is used for current meeting recordings and we are moving the archive of recordings to Amazon glacier for cold storage.    8/21 Update: Next step is to move the recordings to the Amazon glacier for cold storage.    10/2 Update: Script is being developed so the current meeting recordings can be uploaded to Amazon Glacier.
6.26.2	Update Charter to reflect new interview process of board nominations and that CVE Board member can send nominations directly to the private board list.	MITRE (Chris C.)/Kent L.	In Process	10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.
6.26.3	Update Charter to reflect new Board nomination interview process. When a new Board member is nominated, a 30-minute interview is conducted during the next Board call.	MITRE (Chris C.)/Kent L.	In Process	10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.
7.24.01	Develop a strategy for handling public but low-quality vulnerabilities, especially cases where the vendor or maintainer has not acknowledged the vulnerability.	MITRE (Chris C./Jonathan E.)	In Process	9/4 Update: Outline drafted by Jonathan and is being reviewed by the CVE team.
7.24.02	Draft language clarifying CVE charter around organizational voting. (When do we merge votes based on organizational affiliation)	MITRE (Chris C.)/Kent L.	In Process	10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.
8.21.01	Take the lead for contest open to the community to create new CVE logo.	OCWG	In Process	9/4 Update: OCWG discussed at last meeting and is seeking additional guidance from the CVE Board. 10/16 Update: Shannon provided a list of requirements/questions for the CVE Board to consider.
9.04.01	Review CNA Press Release Template from OCWG.	MITRE (Jo B./Jonathan E.)	Completed	10/16 Update: OCWG provided feedback; the template is ready for CNA Coordination team to distribute to new CNAs.

 

• Outreach and Communications Working Group (OCWG): Shannon Sabens/Jo Bazar

–       OCWG meeting held on October 11, 2019: 

§   OCWG made a few scheduling changes; revised calendar invites were sent earlier this week. The group talked about identifying conferences that OCWG members will be/or are planning to attend in 2020 so coverage can be coordinated. Next steps are to identify and prioritize conferences that should be attended in 2020.

§   A draft intro letter for potential CNAs was shared with the group for feedback.

–       The CNA press release document has been finalized for CNA Coordination team to offer new CNAs.

–      CVE logo questions from OCWG for the CVE Board:

• What is the expected time frame?
• The desired timeframe would be the March 2020 CNA Summit
• How will we promote the contest?
• Need clarification from Shannon on this question
• Do we have any commitment to purchasing any of their packages?
• Need clarification Shannon on this question
• Does the board have any requirements for/about the logo design?
• Chris L. has the action to follow up with MITRE legal office about language for CVE logo use and inquire about approvals that will be needed for new CVE logo.

§  CNA Coordination Working Group (CNACWG): Tod Beardsley/Chris Coffin

• CNACWG meeting held on October 9, 2019:

§   Virtual summit is today, October 16, 2019, 4:00 p.m. – 8:00 p.m. EDT.

§   CNACWG nominations in process for new Chair; at the next CNACWG meeting, a final vote will be casted, and a chair will be confirmed.

• Quality Working Group (QWG): Dave Waltermire/Chris Coffin
• No meeting last week, next meeting is tomorrow October 17, 2019 at 1:00 p.m. EDT.
• Automation Working Group (AWG) – Lew Loren

• AWG meeting was held on October 14, 2019:
1. Met with Schmitty to iron out the requirements for authentication, authorization and user registry.
2. Developers are looking into various options:  Developer #1 exploring Amazon Web Services to determine if the architecture would preclude any option for our services; if not, we are fine. Developer #2 is exploring what some of the options will be. Schmitty is also looking at available options, since he has a lot of experience with this.
3. Once we decide on a single solution, we will present the solutions to the SPWG.
4. Chandan modified the JSON Scheme to include the CVSS scoring. The meeting attendees approved the changes Chandan made. Next steps, development team to confirm the changes don’t cause recoding for the content production system.
5. Lew advised a new domain name for the new CVE website will need to be identified. 
1. The group talked about possible domain names and agreed that the SPWG should down select CVE domain names and then send to CVE board for approval. 
6. Lew has requested that the developers put their weight of effort behind the user registry and the authentication and authorization services; we hope in the next couple weeks to identify an adequate solution and a time frame for implementation.
1. Strategic Planning (SPWG) – Kent Landfield/Chris Coffin
• SPWG meeting was held on October 14, 2019:
1. Reviewed the requirements for Root CNA and CNA-LR; these roles still need to be clarified.

• MITRE –Jo Bazar

• Received one CNA requests since the last CVE Board meeting.
• Conducted one on-boarding session since the last boarding meeting.
• One onboarding session scheduled.

• CNA Announcements and news this week:

• One new CNA announcements since last board meeting: Tigera
• There are now 104 CNAs participating in the program 
• 58 in CNA pipeline, with 35 entering the pipeline this calendar year.  7 = Q1; 8= Q2; 23= Q3, 2 = Q4 so far.
• Two pending CNA Announcements.
• JPCERT - Jonathan Evans/Chris Coffin
• No updates

 

§  Jo Bazar provided an overview the CY19 Q3 results. The Board expressed concerns about the CNAs that have outstanding RBPs. The group agreed to discuss the CNA that is holding out on populating CVE entries at the next CVE Board meeting. In addition, MITRE needs to provide the CVE Board with their strategy to work off their RBP backlog.   

 

MITRE team presented the CNA Rules revision timeline. 

§  Now – 10/30/19

–      MITRE integrates the proposed changes into a single unified document

§  10/30/19 - 11/15/19

–      Unified draft CNA Rules 3.0 document sent out for review and comments by the Board and CNAs

–      All comments must be received by 11/15

§  11/16/19 – 12/1/19

–      MITRE integrates feedback received by the Board and CNAs

§  12/2/19 – 12/16/19

–      MITRE submits the final CNA Rules 3.0 document for a vote by the Board on 12/2/19

–      Board has two weeks to vote

§  12/16/19 – 12/31/19

–      CNA Rules 3.0 document sent for final technical edit

–      No substantive change will be made during the edit

§   1/2/2020

–      CNA Rules 3.0 is posted and in effect

 

#	Action Item	Responsible Party	Status	Comments
10.16.01	Follow up with MITRE legal about CVE logo language and design usage and required approvals.	MITRE (Chris L.)	Not Started	Assigned October 16, 2019
10.16.02	MITRE communicate RBP backlog strategy to CVE Board.	MITRE (Chris L.)	Not Started	Assigned October 16, 2019
10.16.03	Send 20-year press release to CVE Board and CNA Discussion list.	MITRE (Jo Bazar)	Not Started	Assigned October 16, 2019
10.16.04	SPWG down select CVE domain names and present options to CVE Board for final selection and approval.	MITRE (Chris C.)	Not Started	Assigned October 16, 2019
10.16.05	Send CNA Press template to CVE Board.	MITRE (Jo Bazar)	Not Started	Assigned October 16, 2019

 

• None

1.     Communication 

a.      Outreach OCWG for most of this section (noted otherwise).

                                                  i.     Localization – should start in the QWG for guidance, then to the AWG for implementation.

                                                ii.     Upstream producers –  

1.     CNA Recruitment 

                                              iii.     Downstream users –   

                                               iv.     Related Projects

1.     Vulnerability Description

a.      VDO

b.     CSAF

2.     Severity

a.      CVSS

3.     Product identification and management

a.      SBOM

4. CWE
1. hardware

b.     Metrics – CVE Board

                                                  i.     Community metrics (Public metrics)

                                                ii.     CNA specific metrics 

                                              iii.     Program performance (Report card)

c.      Knowledge capture/transfer - CVE Board

                                                  i.     Record Working Group meetings

1.     Where to store the recordings?

                                                ii.     Issue tracking

                                              iii.     Storage of WG materials – SharePoint site (CVE CNA site)

2.     Strategy 

a.      Program Structure SPWG

b.     Roles, responsibilities, and requirements SPWG

                                                  i.     Disclosure Policies

                                                ii.     Scope

1.     Non-vendor CNAs

a.      Add new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA

2.     Root CNA shopping

3.     Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product

4. CNA scope to the cooperative sub-CNAs

c.      Coverage – CVE Board

                                                  i.     What’s in, What’s out

                                                ii.     End of life

                                              iii.     Software as a service

                                               iv.     Hardware

1. Define (not a wrench)

                                                v.     Open source software

4. Goals - CVE Board
2. Operations
1. Guidance

                                                  i.     Operationalizing Root CNAs - SPWG

1. What is MITRE’s role
2. How to best operationalize Root CNAs

                                                ii.     For new CNAs - CNACWG

1. What is needed?
2. What are the best formats?
3. How to minimize one-on-one guidance

                                              iii.     How to supply refreshers CVE Board/CNACWG

2. CNA Management - CNACWG

                                                  i.     CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?

                                                ii.     Requirement

1. Responsiveness
2. Time to populate
3. RBP start time

                                              iii.     Scope statement best practices

                                               iv.     Rules Violations

1. Assignment correction processes (e.g. reject, split, merge) should account for violations
2. Assignments – CVE Board

                                                  i.     Prevent duplicates

1. How can CNA scopes help?
3. Submissions QWG and CVE Board, AWG handle format implementation

                                                  i.     Formats

                                                ii.     Information requirements

1. Add impact
2. Add publication data
3. Add vulnerability type

4.     Split problem type in to vuln. type, root cause, or impact

5.     Don’t require references

                                              iii.     Should the description match the separate metadata fields

4.     CVE List - QWG

a.      Formats (all different formats) – CVE Board

                                                  i.     How can the download formats be updated or retired?

b.     CVE Tagging

                                                  i.     Helps filtering

                                                ii.     How to identify the categories we need

                                              iii.     Should the tagging be attached to the product or the vulnerability?

                                               iv.     Could we leverage a product listing the CVE User Registry?

                                                v.     Can it be automated?

                                               vi.     EOL tagging

3. Prose description, do we need it?