CVE Board Meeting summary - 19 February 2020



Jo E Bazar

CVE Board Meeting – 19 February 2020

Tod Beardsley, Rapid7

Patrick Emsweller, Cisco Systems, Inc.

Kent Landfield, McAfee

Beverly Alvarez, Lenovo Group Ltd.

Scott Moore, IBM

Lisa Olson, Microsoft

Shannon Sabens, Trend Micro

Kathleen Noble, Intel

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Christine Deal

Jonathan Evans

Chris Levendis

Lew Loren

 

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 2:30: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Chris Coffin/Dave Waltermire
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield

 

2:30 – 2:45: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans/Chris Coffin

 

2:45 – 3:00: Dispute Process – Tod Beardsley

3:00 – 3:10: CVE Global Summit – Beverly Alvarez

3:10 – 3:25: CVE Global Summit Agenda – Tod Beardsley

3:25 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up


1.23.1
  Action Item: Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).
  Responsible Party: MITRE (Evans)
  Status: In Process
  Comments: MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below:
    1. How to submit entries to MITRE using the web form (CNA Submission process)
    2. CVE ID assignment rule (Counting) – DRAFT sent for inputs to CNACWG and OCWG
    3. Becoming a CNA – DRAFT sent for inputs to CNACWG and OCWG
    4. CVE Program (includes Root structure)
    5. How to request MITRE CNA populate a CVE entry (CNA Process)
    6. How to create a CVE Entry (CNA Entry creation)
    1/8 Update: Draft videos are uploaded to YouTube and CNACWG and OCWG will provide feedback NLT January 17.
    2/5 Update: Feedback received from CNACWG and OCWG.
    2/19 Update: Videos will be available on YouTube by April 1, 2020.

7.24.01
  Action Item: Develop a strategy for handling public but low-quality vulnerabilities, especially cases where the vendor or maintainer has not acknowledged the vulnerability.
  Responsible Party: MITRE (Chris C./Jonathan E.)
  Status: Completed
  Comments:
    9/4 Update: Outline drafted by Jonathan and is being reviewed by the CVE team.
    2/19 Update: Based on a recent Board email, many Board members believe that populating with low-quality information ASAP is the best option, as opposed to waiting for additional information.

8.21.01
  Action Item: Take the lead for a contest open to the community to create a new CVE logo.
  Responsible Party: OCWG
  Status: In Process
  Comments:
    9/4 Update: OCWG discussed at last meeting and is seeking additional guidance from the CVE Board.
    10/16 Update: Shannon provided a list of requirements/questions for the CVE Board to consider.
    2/5: CVE Logo contest underway.
    2/19 Update: Over 276 votes so far from the CVE community; poll closes on February 21, 2020.

10.30.02
  Action Item: Update RBP threshold policy to include consequences for CNAs with backlogs over the specific threshold.
  Responsible Party: MITRE (Jonathan E./Jo B.)
  Status: In Process
  Comments:
    11/13 Update: RBP policy drafted and being reviewed by CVE team. Policy document will be sent to the CVE Board for review and comment.

02.05.01
  Action Item: Follow up with the development team on whether the website will be ready for October 2020.
  Responsible Party: Chris L. (MITRE)
  Status: Not Started
  Comments: Assigned 2/5/2020.

02.05.03
  Action Item: Get feedback from the CNAs on how often they would like to have the rules updated.
  Responsible Party: Tod B.
  Status: Not Started
  Comments: Assigned 2/5/2020.

02.05.04
  Action Item: Beverly will follow up with Lenovo about a CVE Global Summit decision and let MITRE know by February 10, 2020.
  Responsible Party: Beverly A.
  Status: Completed
  Comments:
    2/19 Update: Lenovo is following the World Health Organization (WHO) and the U.S. Government for guidance and information. The summit will proceed as planned.

 

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • OCWG meeting was held on February 14, 2020:
      • CVE logo contest was officially launched on January 29, 2020. We received over 260 logo design concepts and the OCWG down-selected to eight logo design finalists. Voting is in process and ends February 21, 2020.
      • OCWG charter is ready to be finalized.
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • CNACWG meeting was held on February 12, 2020:
      • CNACWG was tasked with discussing how comfortable they are with rule changes. The CNACWG agreed to an annual review period for the CNA Rules updates, but if needed, an out-of-cycle update at the six-month mark can be made. Minor changes (e.g., grammatical changes) are acceptable for an out-of-cycle update before the six-month waiting period if the minor changes do not impact the rules.
      • Next CNACWG meeting, scheduled for February 26, 2020, will be canceled due to RSA.
      • Dispute process has been drafted and will be presented in today’s meeting.
  • Quality Working Group (QWG): Dave Waltermire/Chris Coffin
    • QWG meeting was held on February 6, 2020:
      • The CVE tagging discussion continues, and Art Manion believes there should be product-level tagging. Chris Coffin explained that entry-level tagging serves the purposes and use cases the QWG has defined. If it is determined that entry-level tagging is useful, then product-level tagging can be added later.
  • Automation Working Group (AWG): Lew Loren
    • AWG meeting was held on February 17, 2020:
      • Finalizing JSON 5.0 schema; the most recent change was adding the Reject state to the schema. This change does not impact any other changes.
        • Review period is open until COB Friday, February 21, 2020.
        • If no issues are raised, the next step is to develop a roll-out schedule and present the schedule and the approved version of the schema to the SPWG.
      • We are putting together the Entry Submission and Upload service; development is going well. We are currently soliciting feedback on functionality.
  • Strategic Planning Working Group (SPWG): Kent Landfield
    • SPWG meeting was held on February 10, 2020:
      • Jay Jacobs and Sasha Romanosky joined the SPWG meeting to discuss the Exploit Prediction Scoring System (EPSS) and the EPSS calculator. They would like to see EPSS scores added to the CVE feeds. The SPWG expressed concerns about the stability of EPSS and our lack of tooling support for ADPs.
      • Plan to return to the topic toward the end of the year when both sides should be more prepared.
      • https://www.kennaresearch.com/tools/epss-calculator/
      • https://arxiv.org/abs/1908.04856

 

CNA Updates

  • MITRE – Jo Bazar
    • Requests to become a CNA
      • Received nine CNA requests since the last CVE Board meeting (held on 1/22/20).
    • On-Boarding
      • Conducted three onboarding sessions since the last Board meeting.
      • Five CNA onboarding sessions scheduled in February/March. Four of the organizations opted for the new CNA onboarding format, which uses the draft YouTube videos.
    • CNA Announcements and News
      • Four CNA announcements since the last Board meeting: Alias Robotics, TCPdump, Google LLC, and Ampere Computing
      • There are now 116 CNAs participating in the program in 22 countries
      • 79 CNAs in the pipeline in total: 7 = Q2; 16 = Q3; 17 = Q4; 15 = Q1’20 so far
      • One pending CNA announcement.
  • JPCERT – Jonathan Evans/Chris Coffin
    • No updates

 

CVE Global Summit 2020 – Beverly Alvarez

  • Beverly explained there are 58 people signed up for the CVE Global Summit; we are planning on 60.
  • The list of attendees has been sent over for badging. Facilities will have signs directing people where to park; designated parking for the event will be on the parking deck. There is limited space at Lenovo. There will also be a sign directing people to the correct entrance. Parking instructions will be provided, and Lenovo staff will be available to direct attendees to the meeting room.
  • Continental breakfast, boxed lunch, coffee, and snacks will be provided both days.
  • The group agreed to Chatham House Rules for the CNA Summit.
  • Jo will send a message to CVE Global Summit attendees with the parking information and meeting protocol.

 

  • The group reviewed the draft agenda.

 

CVE Dispute Process – Tod Beardsley

  • Draft dispute process has been prepared by the CNACWG, and the Board agreed that we should press ahead with discussing this proposal at the CNA Summit.
  • Tod presented the CVE dispute procedure process for the Board’s feedback. Tod explained that at the last CNA Summit, the current dispute process was not transparent; CNAs expressed that the dispute process should be documented and be an official process that CNAs can reference as needed.
  • Tod will follow up with Yves Younan & Madison Oliver about the dispute process proposal so they can include an introduction explaining the purpose of the proposal, why it was developed, and the problem it is trying to solve.

Open Discussion Items

  • None

 

Action Items from Board Meeting held on 19 February 2020


02.19.01
  Action Item: Add sectors for current and pipeline CNAs and develop a strategy for sectors.
  Responsible Party: OCWG
  Status: Not Started
  Comments: Assigned 2/19/2020.

02.19.02
  Action Item: Follow up with Yves Younan & Madison Oliver about the dispute process proposal so they include an introduction explaining the purpose of the proposal, why it was developed, and the problem it is trying to solve.
  Responsible Party: Tod B.
  Status: Not Started
  Comments: Assigned 2/19/2020.

02.19.03
  Action Item: Send email to CVE Global Summit attendees with parking, meeting protocol, etc., by COB 2/21/2020.
  Responsible Party: Jo B. (MITRE)
  Status: Not Started
  Comments: Assigned 2/19/2020.

 

Board Decisions

  • None

Future Discussion Topics

1. Communication
   a. Outreach – OCWG for most of this section (noted otherwise).
      i. Localization – should start in the QWG for guidance, then to the AWG for implementation.
      ii. Upstream producers –
          1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
          1. Vulnerability Description
             a. VDO
             b. CSAF
          2. Severity
             a. CVSS
          3. Product identification and management
             a. SBOM
                1. CWE
                   1. hardware
   b. Metrics – CVE Board
      i. Community metrics (Public metrics)
      ii. CNA specific metrics
      iii. Program performance (Report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
          1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – SharePoint site (CVE CNA site)
2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
          1. Non-vendor CNAs
             a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
          2. Root CNA shopping
          3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
             a. CNA scope to the cooperative sub-CNAs
   c. Coverage – CVE Board
      i. What’s in, what’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
          1. Define (not a wrench)
      v. Open source software
   d. Goals – CVE Board
3. Operations
   a. Guidance
      i. Operationalizing Root CNAs – SPWG
          1. What is MITRE’s role
          2. How to best operationalize Root CNAs
      ii. For new CNAs – CNACWG
          1. What is needed?
          2. What are the best formats?
          3. How to minimize one-on-one guidance
      iii. How to supply refreshers – CVE Board/CNACWG
   b. CNA Management – CNACWG
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirements
          1. Responsiveness
          2. Time to populate
          3. RBP start time
      iii. Scope statement best practices
      iv. Rules Violations
          1. Assignment correction processes (e.g., reject, split, merge) should account for violations
   c. Assignments – CVE Board
      i. Prevent duplicates
          1. How can CNA scopes help?
   d. Submissions – QWG and CVE Board; AWG handles format implementation
      i. Formats
      ii. Information requirements
          1. Add impact
          2. Add publication data
          3. Add vulnerability type
          4. Split problem types into vulnerability type, root cause, or impact
          5. Don’t require references
      iii. Should the description match the separate metadata fields?
4. CVE List – QWG
   a. Formats (all different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing in the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging
   c. Prose description – do we need it?

Attachment: CVE_Board_Meeting_ 19 February 2020 FINAL.pdf (564K)