☐Beverly Alvarez, AMD
☐Ken Armstrong, EWA-Canada, An Intertek Company
☒Tod Beardsley, Rapid7
☒Chris Coffin, The MITRE Corporation (MITRE At-Large)
☐Jessica Colvin, JPMorgan Chase
☒Mark Cox, Red Hat, Inc.
☒William Cox, Synopsys, Inc.
☒Patrick Emsweller, Cisco Systems, Inc.
☐Tim Keanini, Cisco Systems, Inc.
☒Kent Landfield, McAfee
☐Scott Lawler, LP3
☐Pascal Meunier, CERIAS/Purdue University
☒Ken Munro, Pen Test Partners LLP
☐Kathleen Noble, Intel Corporation
☒Lisa Olson, Microsoft
☒Shannon Sabens, CrowdStrike
☒Takayuki Uchiyama, Panasonic Corporation
☒David Waltermire, National Institute of Standards and Technology (NIST)
☒James “Ken” Williams, Broadcom Inc.
Members of MITRE CVE Team in Attendance
09:05-10:35: Open discussion items
10:35-10:55: Review of Action items (see attached Excel file)
See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 31Mar21– Agenda and Action items)
– If it is not yet public and it is incorrect/untrue, it must be changed or omitted.
§ Non-blockers should be addressed in time but should not block the release of other content or the site itself.
§ OCWG will provide recommendation to the CVE Board for Phase 1 approval.
o Kent provided an update on ENISA, and how the CVE Program and ENISA can work together as we move forward with vulnerability management. We hope that ENISA and the CVE Program can partner in the future, with ENISA being a Top-Level Root.
§ Inside the Apache CNA, how we handle over 300 sub projects
§ How Red Hat operates as a CNA
§ Dissecting .Net Vulnerabilities
§ JPCERT/CC Root CNA Activities
§ Responding to Hostile Security researchers - best practices
§ Enhancing CVE Identification - The Yocto Project Example (Lightning)
o The Board agreed that the following additional topics could be added:
§ Chris L. 30 mins welcome and federation
§ Kris Britton / Dave W - web services available
§ Erin Alexander - CNA recruitment and onboarding
§ Automated Vuln Discovery
§ NVD CVSS scoring (bronze/silver/gold) with Chris Turner (specifically requested by the CNACWG)
§ The QWG and AWG recommended to the CVE Board that the scopes of the two working groups be realigned, as duplicative discussions about the CVE Record format are occurring in both working groups.
· Quality Working Group
o Manages all changes to the format and the CVE Record format GitHub
o Single WG to discuss and work on changes
o Manages the CVE Record format release cycle in consultation with the AWG and SPWG; how to resource management of the GitHub repo still needs to be worked out
· Automation Working Group
o Manages the service development and associated service release cycle and decides when to adopt a given CVE Record format version
§ The CVE Board agreed with the updated scopes for the working groups as proposed.
See attached Excel spreadsheet (CVE Board Meeting 31Mar21– Agenda and Action items)
§ The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to CVE Program Secretariat ([hidden email]).
Attachment: CVE_Board_Meeting 17 March 2021 FINALv1.pdf (364K)