CVE Board Meeting – 16 October 2019
Board Members in Attendance
Mark Cox, Red Hat, Inc.
William Cox, Synopsys, Inc.
Patrick Emsweller, Cisco Systems, Inc.
Scott Lawler, LP3
Beverly Miller Alvarez, Lenovo Group Ltd.
Scott Moore, IBM
Lisa Olson, Microsoft
David Waltermire, National Institute of Standards and Technology (NIST)
Members of MITRE CVE Team in Attendance
Jo Bazar
Chris Coffin
Christine Deal
Jonathan Evans
Chris Levendis
Lew Loren
Agenda
2:00 – 2:15: Introductions, action items from the last meeting
2:15 – 2:30: Working Groups
2:30 – 2:45: Root CNA Update
2:45 – 3:00: Quarterly Report Card - Jo Bazar
3:00 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up
Working Group Updates
– OCWG meeting held on October 11, 2019:
  § OCWG made a few scheduling changes; revised calendar invites were sent earlier this week. The group talked about identifying conferences that OCWG members will be attending or are planning to attend in 2020 so coverage can be coordinated. Next steps are to identify and prioritize conferences that should be attended in 2020.
  § A draft intro letter for potential CNAs was shared with the group for feedback.
– The CNA press release document has been finalized for the CNA Coordination team to offer to new CNAs.
– CVE logo questions from OCWG for the CVE Board:
– CNA Coordination Working Group (CNACWG): Tod Beardsley/Chris Coffin
  § Virtual summit is today, October 16, 2019, 4:00 p.m. – 8:00 p.m. EDT.
  § CNACWG nominations are in process for a new Chair; at the next CNACWG meeting, a final vote will be cast and a chair will be confirmed.
CNA Updates
Quarterly Report Card – Jo Bazar
§ Jo Bazar provided an overview of the CY19 Q3 results. The Board expressed concerns about the CNAs that have outstanding RBPs. The group agreed to discuss the CNA that is holding out on populating CVE entries at the next CVE Board meeting. In addition, MITRE needs to provide the CVE Board with its strategy to work off the RBP backlog.
Open Discussion Items
MITRE team presented the CNA Rules revision timeline.
§ Now – 10/30/19
  – MITRE integrates the proposed changes into a single unified document
  – Unified draft CNA Rules 3.0 document sent out for review and comments by the Board and CNAs
  – All comments must be received by 11/15
§ 11/16/19 – 12/1/19
  – MITRE integrates feedback received from the Board and CNAs
§ 12/2/19 – 12/16/19
  – MITRE submits the final CNA Rules 3.0 document for a vote by the Board on 12/2/19
  – Board has two weeks to vote
§ 12/16/19 – 12/31/19
  – CNA Rules 3.0 document sent for final technical edit
  – No substantive changes will be made during the edit
§ 1/2/2020
  – CNA Rules 3.0 is posted and in effect
Action Items from Board Meeting held on 16 October 2019
Board Decisions
Future Discussion Topics
1. Communication
   a. Outreach – OCWG for most of this section (unless noted otherwise).
      i. Localization – should start in the QWG for guidance, then go to the AWG for implementation.
      ii. Upstream producers –
         1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
         1. Vulnerability Description
            a. VDO
            b. CSAF
         2. Severity
            a. CVSS
         3. Product identification and management
            a. SBOM
   b. Metrics – CVE Board
      i. Community metrics (Public metrics)
      ii. CNA specific metrics
      iii. Program performance (Report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
         1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – SharePoint site (CVE CNA site)
2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
         1. Non-vendor CNAs
            a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
         2. Root CNA shopping
         3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
   c. Coverage – CVE Board
      i. What’s in, What’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
      v. Open source software
      i. Operationalizing Root CNAs – SPWG
      ii. For new CNAs – CNACWG
      iii. How to supply refreshers – CVE Board/CNACWG
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirement
      iii. Scope statement best practices
      iv. Rules Violations
      i. Prevent duplicates
      i. Formats
      ii. Information requirements
         4. Split problem type into vulnerability type, root cause, or impact
         5. Don’t require references
      iii. Should the description match the separate metadata fields?
4. CVE List – QWG
   a. Formats (all different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing in the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging