CVE Board Meeting summary - 18 March 2020


CVE Board Meeting summary - 18 March 2020

Bazar, Jo E.

CVE Board Meeting – 18 March 2020

Board Members in Attendance

  • Tod Beardsley, Rapid7
  • Patrick Emsweller, Cisco Systems, Inc.
  • Kent Landfield, McAfee
  • Scott Lawler, LP3
  • Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)
  • Beverly Alvarez, Lenovo Group Ltd.
  • Lisa Olson, Microsoft
  • Takayuki Uchiyama, Panasonic Corporation
  • David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance

  • Jo Bazar
  • Christine Deal
  • Jonathan Evans
  • Chris Levendis
  • Lew Loren

 

Agenda

2:00 – 2:15: Introductions, action items from the last meeting

2:15 – 2:30: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Jonathan Evans/Dave Waltermire
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield

2:30 – 2:45: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans

2:45 – 3:55: Open Discussion

3:55 – 4:00: Action items, wrap-up


Action Items from Previous Board Meetings

| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 1.23.1 | Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos). | MITRE (Evans) | In Process | MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are: (1) How to submit entries to MITRE using the web form (CNA Submission process); (2) CVE ID assignment rule (Counting), DRAFT sent for inputs to CNACWG and OCWG; (3) Becoming a CNA, DRAFT sent for inputs to CNACWG and OCWG; (4) CVE Program (includes Root structure); (5) How to request MITRE CNA populate a CVE entry (CNA Process); (6) How to create a CVE Entry (CNA Entry creation). 1/8 Update: Draft videos are uploaded to YouTube and CNACWG and OCWG will provide feedback NLT January 17. 2/5 Update: Feedback received from CNACWG and OCWG. 2/19 Update: Videos will be available on YouTube by April 1, 2020. |
| 8.21.01 | Take the lead for a contest open to the community to create a new CVE logo. | OCWG | Complete | 9/4 Update: OCWG discussed at last meeting and is seeking additional guidance from the CVE Board. 10/16 Update: Shannon provided a list of requirements/questions for the CVE Board to consider. 2/5 Update: CVE Logo contest underway. 2/19 Update: Over 276 votes so far from the CVE community; poll closes on February 21, 2020. 3/18 Update: Levendis is working on getting the new CVE logo and colors trademarked. |
| 10.30.02 | Update RBP threshold policy to include consequences for CNAs with backlogs over the specified threshold. | MITRE (Jonathan E./Jo B.) | In Process | 11/13 Update: RBP policy drafted and being reviewed by CVE team. Policy document will be sent to the CVE Board for awareness. |
| 02.05.01 | Follow up with the development team on whether the website will be ready for October 2020. | Chris L. (MITRE) | Complete | 3/18 Update: New website will be launched September 2020; the new and old websites will run concurrently until December 2020, when the old website will be retired (but will be archived). |
| 02.05.03 | Get feedback from the CNAs on how often they would like to have the rules updated. | Tod B. | Complete | 2/19/20: The CNACWG agreed with an annual review period for the CNA Rules updates, but if needed, out-of-cycle updates at the six-month mark can be made. Minor changes (e.g., grammatical changes) are acceptable for an out-of-cycle update before a six-month waiting period if the minor changes do not impact the rules. |
| 02.19.01 | Identify the industries for active and pipeline CNAs to get a complete picture of the CNA profile. | OCWG | Not Started | Assigned 2/19/2020. |
| 02.19.04 | Develop a strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.). | SPWG | Not Started | Assigned 2/19/2020. |
| 02.19.02 | Follow up with Yves Younan and Madison Oliver about the Dispute process proposal so they include an introduction explaining the purpose of the proposal, why it was developed, and the problem it is trying to solve. | Tod B. | Complete | Action completed. |
| 02.19.03 | Send email to CVE Global Summit attendees with parking, meeting protocol, etc., by COB 2/21/2020. | Jo B. (MITRE) | Complete | Email sent on 2/21/2020. |

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens/Jo Bazar
    • No meeting since the last OCWG meeting, held on February 14, 2020:
      • Next meeting is scheduled for March 27, 2020.
      • The CVE logo contest has concluded; logo files have been obtained and the next step is to trademark the logo.
      • OCWG is finalizing the charter to be published on the CVE website.
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • CNACWG meetings held on February 26 and March 11, 2020:
      • None of the CNAs on the call cared about obfuscating email addresses in the CNA lists. The CNACWG resoundingly thinks we should keep doing what we're doing. Also, mailto: URI handlers are always broken because nobody routes them correctly, but that's not CVE's fault.
      • We also talked about volunteer opportunities to pitch CVE at upcoming events, and Tod will coordinate with Jo to get that lightning talk deck disseminated.
  • Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
    • No meeting since the last QWG meeting, held on February 6, 2020:
      • Next QWG meeting will be March 19, 2020.
      • We need guidance from the Board around the tagging proposal and EOL products.
        • Kent L. suggested a proposal from the QWG to the CVE Board.
        • At the CVE Global Summit, there were concerns about scoping to a specific product family when not all the versions are retired. The group agreed EOL needs to be further defined.
        • Chris C. developed an EOL deck, produced from the QWG, that helps with defining EOL.
        • Jonathan explained that at the last QWG there was a discussion about unofficial tags being used in the JSON.
        • Lisa offered to work with Jonathan to develop the definition of the EOL tag. Once defined, the next step is to document the process.
  • Automation Working Group (AWG): Lew Loren
    • AWG meeting was held on March 16, 2020:
      • Finalizing the JSON 5.0 schema; Lew explained that changes received at the end of the process are being grouped into two categories: 1) straightforward/non-contentious and 2) additional discussion needed. The changes that require additional discussion will be kicked back to the QWG for further discussion. If the QWG can work up the requirements 4 weeks before the transition period, the changes can be rolled into the JSON 5.0 schema.
        • The group discussed whether a 90-day transition is enough time for CNAs and downstream users, like NVD.
        • Lew will develop a write-up to send to the CNAs via the CNA mailing list to get their feedback on a 90-day transition time.
      • Sprint planning is underway; scheduling and tasks are being planned.
      • Cognito is in the process of being deployed.
  • Strategic Planning Working Group (SPWG): Kent Landfield
    • SPWG meeting was held March 16, 2020:
      • Discussed the recent CNA revocations and the MITRE inactive policy. MITRE will publish the inactive policy on the CVE webpage.
      • Discussed how to handle organizations with multiple CNAs; the group agreed that as the program grows to 250-300 CNAs, this could be an issue. The group agreed that an organization can join the CNA program covering only a subset of products and is not required to join as an entire organization.
      • SPWG charter still needs to be finalized; in progress.
      • SPWG agreed that CVE terminology, specifically the various roles (i.e., Child, Parent, ADP, Mentor, etc.) in the CNA program, needs to be further defined. The SPWG will discuss the set of definitions and terms to be used, document them, and send them to the Board for final approval.
      • The group discussed how working groups are terminated and how it should be done. Draft process underway.
      • The group also discussed domain naming, AWG issues, requirements, CVE ID allocation, and the AWG Sprint Reviews.

CNA Updates

  • MITRE: Jo Bazar
    • Requests to become a CNA
      • Received nine CNA requests since the last CVE Board meeting (held on 2/19/20).
    • On-Boarding
      • Conducted six onboarding sessions since the last Board meeting.
      • No CNA onboarding sessions scheduled.
    • CNA Announcements and News
      • One CNA announcement since the last CVE Board meeting: GitHub (Product Only).
      • One CNA removed from the CNA program.
      • There are now 116 CNAs participating in the program in 21 countries.
      • 84 CNAs in the pipeline in total: 7 in Q2, 15 in Q3, 15 in Q4, and 22 in Q1’20 so far.
      • Three pending CNA announcements.
  • JPCERT: Jonathan Evans
    • JPCERT is talking to CNA1 about becoming a CNA.
  • Root CNA Prospects: Jonathan Evans/Jo Bazar
    • CNA2 is in the Root CNA process and is reviewing on-boarding guidance. CNA2 is looking at covering medical devices as well. We need to confirm that ICS-related CNAs are good with CNA2 as a Root CNA.
      • David explained that we need to ensure Root CNAs are set up for success.
      • Chris L. explained that CNA2 is already a CNA and has a good understanding of what is required to be a Root CNA; they plan to have the resources/funding and the infrastructure to support sub-CNAs before they become a Root CNA.
      • The suggestion was made to take a staggered approach to help with the Root CNA transition, so as not to overwhelm the new Root CNAs.
      • Jonathan explained that Root CNAs will have processes and documentation to fulfill before they are brought on as a Root CNA.
    • CNA3 is interested in becoming a Root CNA; conversations underway.

Open Discussion Items

  • Poll results: Which dial-in service do you prefer?
    • A poll was sent out asking which dial-in service members prefer for CVE Program meetings. The overwhelmingly popular vote was Zoom.
  • Chris Coffin departure from the CVE Program
    • Chris Levendis announced that Chris Coffin is no longer working on the CVE program.
    • Dave explained that Chris Coffin is still interested in being a CVE Board member.
    • The group discussed how to represent Chris Coffin as a CVE Board member on the CVE website.
    • The group agreed to update Chris Coffin’s affiliation to state MITRE “at large” and Chris Levendis’s to state MITRE “Moderator and Team Lead” on the CVE Board members page.
  • CVE Team WFH: The CVE Team is working from home until further notice due to COVID-19.
  • NISTIR 8246 (Draft):
    • Kent reminded the CVE Board that comments are due by COB Friday, March 20, 2020.
    • At the Summit, Dave Waltermire, one of the co-authors of NISTIR 8246, gave a presentation on the document, as it is targeted towards CNAs and ADPs. NIST is expecting comments on the document to close on Friday, March 20, 2020.

Action Items from Board Meeting held on 18 March 2020

| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 03.18.01 | Update Chris Coffin’s affiliation to state MITRE “at large” and Chris Levendis’s affiliation to state Moderator/Team Lead on the CVE Board members page of the CVE website. | Jo B. (MITRE) | Completed | CVE Website updated 3/18/2020. |
| 3.18.02 | QWG to develop a definition for EOL tagging for presentation to the CVE Board. Once defined, the next step is to document the entire process. | Lisa Olson/Jonathan E. (MITRE) | Not started | Assigned 3/18/20. |
| 3.18.03 | Send action items from the CVE Global Summit for review/input. Once reviewed, add the action items to the CVE Board meeting minutes. | Jo B. (MITRE) | Not started | Assigned 3/18/20. |
| 3.18.04 | Develop a write-up to send to the CNAs via the CNA mailing list to get their feedback on the JSON 5.0 90-day transition. | Lew L. (MITRE) | Not started | Assigned 3/18/20. |

Board Decisions

None

Next CVE Board Meeting

Wednesday, April 1, 2020 at 2:00PM EDT

 

 

