CVE Board Meeting summary - 18 September 2019


Bazar, Jo E.

CVE Board Meeting – 18 September 2019

Tod Beardsley, Rapid7

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Beverly Miller Alvarez, Lenovo Group Ltd.

Lisa Olson, Microsoft

Shannon Sabens, Trend Micro

Kathleen Trimble, U.S. Department of Homeland Security (DHS)

Takayuki Uchiyama, Panasonic Corporation


Members of MITRE CVE Team in Attendance

Chris Coffin

Christine Deal

Lew Loren


2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 2:30: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Chris Coffin
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin


2:30 – 2:45: Root CNA Update

  • MITRE: Jonathan Evans/Jo Bazar/Christine Deal
  • JPCERT: Jonathan Evans/Chris Coffin


2:45 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up


#: 1.23.1
Action Item: Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).
Responsible Party: MITRE (Evans)
Status: In Process
Comments: MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below:
  1. How to submit entries to MITRE using the web form
  2. CVE ID assignment rule (Counting)
  3. Becoming a CNA
  4. CVE Program (includes Root structure)
  5. How to request the MITRE CNA populate a CVE entry
  8/21 Update: Jonathan sent draft CNT1 and CNT2 to OCWG and CNACWG for review and feedback by 9/13/19.

#: 4.17.5
Action Item: Research solution for storing, archiving, and central repository for CVE Board and WG meeting minutes, recordings, as well as tracking action items.
Responsible Party: MITRE (Lew L.)
Status: In Process
Comments:
  6/12 Update: CNA SharePoint site is up (MITRE partners account is required), Handshake account is used for current meeting recordings and we are moving the archive of recordings to Amazon Glacier for cold storage.
  8/21 Update: Next step is to move the recordings to Amazon Glacier for cold storage.

#: 6.26.2
Action Item: Update Charter to reflect new interview process of board nominations and that CVE Board members can send nominations directly to the private board list.
Responsible Party: MITRE (Chris C.)/Kent L.
Status: Not Started
Comments: Assigned 6/26/2019

#: 6.26.3
Action Item: Update Charter to reflect new Board nomination interview process. When a new Board member is nominated, a 30-minute interview is conducted during the next Board call.
Responsible Party: MITRE (Chris C.)/Kent L.
Status: Not Started
Comments: Assigned 6/26/2019

#: 7.24.01
Action Item: Develop a strategy for handling public but low-quality vulnerabilities, especially cases where the vendor or maintainer has not acknowledged the vulnerability.
Responsible Party: MITRE (Chris C./Jonathan E.)
Status: In Process
Comments: 9/4 Update: Outline drafted by Jonathan and is being reviewed by the CVE team.

#: 7.24.02
Action Item: Draft language clarifying CVE charter around organizational voting (when do we merge votes based on organizational affiliation).
Responsible Party: MITRE (Chris C.)/Kent L.
Status: In Process
Comments: Assigned July 24, 2019

#: 8.21.01
Action Item: Take the lead for a contest open to the community to create a new CVE logo.
Responsible Party: OCWG
Status: In Process
Comments: 9/4 Update: OCWG discussed at last meeting and is seeking additional guidance from the CVE Board.

#: 8.21.03
Action Item: Set up recurring status meeting with AWG and SPWG (monthly).
Responsible Party: MITRE (Lew Loren)
Status: Completed
Comments: 9/18 Update: Meeting invite sent on 9/17/19.

#: 9.04.01
Action Item: Review CNA Press Release Template from OCWG.
Responsible Party: MITRE (Jo B./Jonathan E.)
Status: In Process
Comments: 9/16 Update: Currently in review and will send to MITRE Corporate Communications for review and feedback.

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • OCWG meeting held on September 13, 2019:
      • Shawn Richardson hosted the last meeting, but Shannon provided a brief update: the WG continues to build a “shopping list” of potential CNAs; Shawn asked Jonathan for a contact list of those who have inquired about becoming a CNA
      • Tomo contributed some names to add to the “shopping list” and some possible conferences of interest in Asia
      • Shannon will take CVE flyers to conferences she is attending
      • Shannon needs to follow up with Tod Beardsley to ask about his experience with a t-shirt design contest (in reference to the CVE logo contest)
      • Once an email template is created and approved, the idea is for OCWG members to split up the contact list and begin outreach that way
  • CNA Coordination Working Group (CNACWG): Tod Beardsley/Chris Coffin
    • CNACWG meeting held on September 11, 2019:
      • Discussed the CNA virtual summit; decided on a tentative date of October 16, 4:00 pm-8:00 pm EDT (following the CVE Board meeting).
      • Proposed agenda for the summit is mid-year updates from all working groups and discussion of each of the 22 or so rule updates (discussions may be capped at 10 minutes each)
      • Tod is the designee to collect all the proposed rules revisions so he can send them all out to the group around October 7 for review (he will contact working group chairs)
      • Chris Coffin and Katie Trimble were on the Security Nation podcast this week; the link will be shared once it is available (or you can Google Security Nation podcast)
  • Quality Working Group (QWG): Dave Waltermire/Chris Coffin
    • QWG meeting held on September 5, 2019:
      • Put together a one-pager for the minimum data required in the description; it is a simple change to the CNA Rules. It does cause a lot of headaches on the content side because there is a lot of confusion in terms of what data CNAs should submit, and where. Providing clarity will help with this problem. Chris will follow up and give people a hard deadline (some time before October 1)
      • Before that, we used the language that Lisa Olson passed along with a few changes, after discussing with the group, for the SaaS update to the CNA Rules. I just need to send the language back out and make sure that people are still good with that
      • There are also a few others that Chris C promised to do a one-pager on that he has not yet done; he will work on that and get it out before the deadline in the next few weeks
  • Automation Working Group (AWG): Lew Loren
    • AWG meeting was held on September 16, 2019:
      • Lew gave an overview on the fact that we are trying to take an agile approach to the development; if we try to get all the requirements nailed down in advance, we are going to spend too long on that without getting to actual coding
      • It sounded like the SPWG wanted to circle back and firm up some of the documentation that they provided so that we can get some crisper requirements out of that; this will be a huge benefit to AWG because we can focus more on the development part and less on requirements solicitation, which will support improvements in efficiency
      • We stood up a public work board for open source AWG work. It just hit the streets, so it is sparsely populated. We now have a place where we can start posting feature requests and bug reports, and start tracking the progress of the work. That site will become a repository of all the work; we would like to provide a single repository where folks can find all the information they might want.
  • Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin
    • SPWG meeting was held on September 16, 2019:
      1. Update by Lew on progress of AWG; will continue to provide that update once a month
      2. There will be a demo at the next meeting on the three services: 1) ID Allocation Service (the most work has been done on that one because it had the firmest requirements); 2) User Registry; and 3) Authentication Services. There is the minimum amount of code required to demonstrate interoperability between the three services. Once the SPWG refines their requirements, we will likely build out more of the Authentication and User Registry services since that sounds like it is the highest priority (so that is what we will focus on next)

CNA Updates

  • MITRE – Jonathan Evans/Jo Bazar/Christine Deal
    • We received three CNA requests since the last CVE Board meeting.
    • We conducted one on-boarding session since the last Board meeting.
    • We have four onboarding sessions scheduled.
    • CNA announcements and news this week:
      • One new CNA announcement this week: GitHub (Open Source Repos)
      • Duo merged with Cisco Systems, reducing the CNA count by one.
      • There are now 102 CNAs participating in the program.
      • 58 in the CNA pipeline, with 35 entering the pipeline this calendar year: 7 in Q1; 11 in Q2; 17 in Q3 so far.
      • 2 pending CNA announcements.
  • JPCERT – Jonathan Evans/Chris Coffin
    • No updates

Open Discussion Items

  • Shannon Sabens: Wall Street Journal announced that FIRST was going to temporarily expel Huawei based on attorney advice, related to potential U.S. sanctions. It may just be something we need to watch; wanted to make sure that the group was aware.
    • Chris C: As far as we are concerned, every company goes through legal issues and problems and if we were to try and keep up with those and how it may potentially affect the CVE Program, it would get out of hand. It’s in the public interest to allow any company, if they’re selling products, allow them to publish security advisories and CVEs.
    • Chris C reminded the group that CNAs are not getting access to privileged information; it’s more of a one-way flow of information
    • Taki said the suspension may have something to do with a membership fee
  • Tod Beardsley: Wants to pose the question—is there a rule for updating the rules? What is the mechanism for amending them? Does CVE Board vote on individual ones?
    • Chris C: We do have a process, because we did this once before and then Jonathan made some changes to that process and sent it out to the Board list. Nothing is currently in the Charter for how the CNA Rules are updated.
    • Tod: We need a published rule about updating a rule. Something should be published on how to update the rules.
    • Chris C: It would also help with the timing of updates. We initially discussed this would be a yearly process, but there may be exceptional cases where out of band updates are necessary.


Action Items from Board Meeting held on 18 September 2019

  •   None

Board Decisions

  •   None

Future Discussion Topics

1. Communication
   a. Outreach – OCWG for most of this section (noted otherwise).
      i. Localization – should start in the QWG for guidance, then to the AWG for implementation.
      ii. Upstream producers –
          1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
          1. Vulnerability Description
             a. VDO
             b. CSAF
          2. Severity
             a. CVSS
          3. Product identification and management
             a. SBOM
                1. CWE
                   1. hardware
   b. Metrics – CVE Board
      i. Community metrics (Public metrics)
      ii. CNA specific metrics
      iii. Program performance (Report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
          1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – SharePoint site (CVE CNA site)
2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
          1. Non-vendor CNAs
             a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
          2. Root CNA shopping
          3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
             1. CNA scope to the cooperative sub-CNAs
   c. Coverage – CVE Board
      i. What’s in, What’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
          1. Define (not a wrench)
      v. Open source software
          1. Goals – CVE Board
3. Operations
   a. Guidance
      i. Operationalizing Root CNAs – SPWG
          1. What is MITRE’s role
          2. How to best operationalize Root CNAs
      ii. For new CNAs – CNACWG
          1. What is needed?
          2. What are the best formats?
          3. How to minimize one-on-one guidance
      iii. How to supply refreshers – CVE Board/CNACWG
   b. CNA Management – CNACWG
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirement
          1. Responsiveness
          2. Time to populate
          3. RBP start time
      iii. Scope statement best practices
      iv. Rules Violations
          1. Assignment correction processes (e.g., reject, split, merge) should account for violations
   c. Assignments – CVE Board
      i. Prevent duplicates
          1. How can CNA scopes help?
   d. Submissions – QWG and CVE Board; AWG handles format implementation
      i. Formats
      ii. Information requirements
          1. Add impact
          2. Add publication data
          3. Add vulnerability type
          4. Split problem type into vuln. type, root cause, or impact
          5. Don’t require references
      iii. Should the description match the separate metadata fields?
4. CVE List – QWG
   a. Formats (all different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging
   c. Prose description – do we need it?
