CVE Board Meeting summary -17MAR2021

CVE Program Secretariat

Members of CVE Board in Attendance

Beverly Alvarez, AMD

Ken Armstrong, EWA-Canada, An Intertek Company

Tod Beardsley, Rapid7 

Chris Coffin, The MITRE Corporation (MITRE At-Large)

Jessica Colvin, JPMorgan Chase

Mark Cox, Red Hat, Inc.

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)

Tim Keanini, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Lawler, LP3

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Pascal Meunier, CERIAS/Purdue University

Ken Munro, Pen Test Partners LLP

Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)

Kathleen Noble, Intel Corporation

Lisa Olson, Microsoft

Shannon Sabens, CrowdStrike

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

James “Ken” Williams, Broadcom Inc.


Members of MITRE CVE Team in Attendance

Jo Bazar

Kris Britton

Christine Deal

Jonathan Evans

Chris Levendis

09:00-09:05:     Introductions and Roll Call

09:05-10:35:     Open discussion items 

10:35-10:55:     Review of Action items (see attached Excel file)

10:55-11:00:     Wrap-up

New action items from today’s Board Meeting

 See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 31Mar21– Agenda and Action items)

Discussion Items

  • OCWG ownership/deployment recommendations website content – Shannon Sabens (CrowdStrike)
    • The Board agreed on the OCWG approach for approving the CVE Website content.
      • Listed below are the criteria for blocker/not a blocker (as we are on a time crunch to get the new website out the door):
        • Not a blocker:
          • If it is public today, then it is not a blocker to go forward.
          • It is not ideally written.
          • It is unappealing to look at.
        • Blocker:
          • If it is not yet public and it is incorrect/untrue, it must be changed or omitted.
      • Non-blockers should be addressed in time but should not block the release of other content or the site itself.
      • OCWG will provide a recommendation to the CVE Board for Phase 1 approval.

  • ENISA Update – Kent Landfield (McAfee)
    • Kent provided an update on ENISA, and how the CVE Program and ENISA can work together as we move forward with vulnerability management. We hope that ENISA and the CVE Program can partner in the future, with ENISA being a Top-Level Root.

  • CVE Summit logistics, agreements, questions, ideas, CFP so far – Tod Beardsley (Rapid7)
    • The CVE Summit is tentatively scheduled for Thursday, May 13, from 4PM to 8PM EDT, and Friday, May 14, from 9AM to 1PM EDT. So far, there are enough topics to cover about 4 hours. Listed below are the topics gathered so far:
      • Inside the Apache CNA, how we handle over 300 sub projects
      • How Red Hat operates as a CNA
      • Dissecting .Net Vulnerabilities
      • JPCERT/CC Root CNA Activities
      • Responding to Hostile Security researchers - best practices
      • Enhancing CVE Identification - The Yocto Project Example (Lightning)
    • The Board agreed that the following additional topics could be added:
      • Chris L. 30 mins welcome and federation
      • Kris Britton / Dave W - web services available
      • Erin Alexander - CNA recruitment and onboarding
      • Automated Vuln Discovery
      • NVD CVSS scoring (bronze/silver/gold) with Chris Turner (specifically requested by the CNACWG)

  • Managing the CVE Record Format – David Waltermire (NIST)
    • The QWG and AWG proposed to the CVE Board a recommendation to realign the scopes of the two working groups, as duplicative discussions about the CVE Record format were occurring in both working groups.
      • Quality Working Group
        • Manages all changes to the format and the CVE Record format GitHub
        • Single WG to discuss and work on changes
        • Manages the CVE Record format release cycle in consultation with the AWG and SPWG, and needs to work out how to resource the management of the GitHub repo
      • Automation Working Group
        • Manages the service development and associated service release cycle and decides when to adopt a given CVE Record format version
    • The CVE Board agreed with the updated scopes for the working groups as proposed.

Board Decisions


Next CVE Board Meetings 

  • Wednesday, March 31, 2021 2:00pm-4:00pm (EDT)
  • Wednesday, April 14, 2021 9:00am-11:00am (EDT)
  • Wednesday, April 28, 2021 2:00pm-4:00pm (EDT)
  • Wednesday, May 12, 2021 9:00am-11:00am (EDT)
  • Wednesday, May 26, 2021 2:00pm-4:00pm (EDT)
  • Wednesday, June 9, 2021 9:00am-11:00am (EDT)
  • Wednesday, June 23, 2021 2:00pm-4:00pm (EDT)

Open Discussion Items (to be discussed at future meetings)

See attached Excel spreadsheet (CVE Board Meeting 31Mar21– Agenda and Action items)

CVE Board Recordings

  • The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to the CVE Program Secretariat ([hidden email]).






CVE_Board_Meeting 17 March 2021 FINALv1.pdf (364K) Download Attachment