CVE Board Meeting summary - 1May2019

Bazar, Jo E.

Board Members in Attendance

Tod Beardsley, Rapid7

Mark Cox, Red Hat, Inc.

William Cox, Synopsys, Inc.

Kent Landfield, McAfee

Scott Lawler, LP3

Scott Moore, IBM

Lisa Olson, Microsoft

Ken Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Christine Deal

Jonathan Evans

Lew Loren

Anthony Singleton

Donna Trammell

Agenda

2:00 – 2:15: Introductions, action items from the last meeting

2:15 – 2:30: Working Groups

  • CNA Coordination Working Group (CCWG) – Tod Beardsley
  • Quality Working Group (QWG) – Dave Waltermire/Chris Coffin
  • Cloud Security Alliance (CSA) – Kurt Seifried
  • Automation Working Group (AWG) – Lew Loren
  • Strategic Planning Working Group (SPWG) – Kent Landfield/Chris Coffin

2:30 – 2:45: Root CNA Update

  • MITRE – Jonathan Evans
  • JPCERT – Taki Uchiyama

2:45 – 3:30: CY19 Q1 Quarterly Report – Jonathan Evans

3:30 – 3:55: Open Discussion Board

3:55 – 4:00: Action items, wrap-up

Review of Action Items from Board Meeting held on 17 April 2019


(Columns: # / Action Item / Responsible Party / Status / Comments)

1.23.1
  Action Item: Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).
  Responsible Party: MITRE (Evans/Sain)
  Status: In Process
  Comments: MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below:
    1. How to submit entries to MITRE using the web form
    2. CVE ID assignment rules (counting)
    3. Becoming a CNA
    4. CVE Program (includes Root structure)
    5. How to request that the MITRE CNA populate a CVE entry
  4/3 Update: Jonathan has started assigning some of the individual modules to members of the CNA coordination team and content team. In addition, the CCWG is also reviewing and updating the existing online guidance.

1.23.7
  Action Item: Contact GitHub to determine its interest in becoming a CNA.
  Responsible Party: Microsoft (Lisa Olson)
  Status: Completed
  Comments: 5/1 Update: Meeting with GitHub scheduled for Friday, May 3, to kick off the onboarding process. Scope will be a major topic of the meeting.

2.6.9
  Action Item: Organize an event at Black Hat USA (August 2019) to celebrate 20 years of CVE.
  Responsible Party: MITRE (Joe S./Levendis)
  Status: In Process
  Comments: 4/3 Update: Nothing has been started yet; Chris L. will check with MITRE to see if he can come up with anything. Board members indicated he feels they could do some fundraising.
  5/1 Update: Gathering RFPs from venues close to the convention center (Mandalay Bay). We have received one RFP from the Excalibur Hotel and Casino.

3.20.1
  Action Item: Document lessons learned from the Microsoft automation submission process for other CNAs who want to move to the GitHub automation process.
  Responsible Party: MITRE (Joe S.)
  Status: Not Started
  Comments: 4/17 Update: Will coordinate with Microsoft and the MITRE GitHub team.

3.20.11
  Action Item: Review alternatives for public-facing CVE Board discussion group archives.
  Responsible Party: MITRE (Joe S.)
  Status: In Process
  Comments: 4/17 Update: Gathering information on alternative hosting platforms. Plan is to begin transitioning to a new platform mid-May.

3.20.12
  Action Item: Provide feedback/comment on the Rules Revision process email (sent on March 21, 2019 at 1:51 p.m. by Jonathan E.).
  Responsible Party: CVE Board
  Status: In Process
  Comments: 4/17 Update: Kent provided his feedback on 4/4.

3.20.13
  Action Item: Write up the GDPR and GitHub issue.
  Responsible Party: MITRE (Lew L./Kent L.)
  Status: In Process
  Comments: 4/17 Update: Kent will be providing feedback and possibly a rewrite.

4.17.1
  Action Item: Assemble a list of conferences and key meetings, Calls for Papers and due dates, and add it to the CVE Board agenda (include the 3rd Vulnerability Summit, May 2019).
  Responsible Party: MITRE (Jo B.)
  Status: In Process
  Comments: 5/1 Update: Draft list composed; adding Call for Papers dates where available.

4.17.2
  Action Item: Readout of conferences the CVE Program participates in or attends. Provide an analysis of the benefit of attending: IOT (Jan '19), HIMSS (Feb '19), PFIRST (April '19), VRDX (May 2019).
  Responsible Party: MITRE (Jo B.)
  Status: Completed
  Comments: 5/1 Update: Readout included in the Quarterly Report for CY19 Q1. Moving forward, conferences attended by the CVE Team will be included in the Report Card.

4.17.3
  Action Item: Break out future discussion items into the following categories: Ongoing, Future, and OBE. Report back to the CVE Board and add to the future discussion items.
  Responsible Party: MITRE (CVE Team)
  Status: In Process
  Comments: 5/1 Update: The MITRE CVE Team met to review the discussion items; the future discussion items will be categorized into appropriate functional areas.

4.17.4
  Action Item: Talk to Katie about ICS-CERT becoming a Root CNA and schedule a meeting with ICS-CERT.
  Responsible Party: MITRE (Chris L.)
  Status: Completed
  Comments: 5/1 Update: MITRE has started the conversation with Katie.

4.17.5
  Action Item: Research a solution for storing and archiving CVE Board and WG meeting minutes in a central repository, as well as tracking action items.
  Responsible Party: MITRE (CVE Team)
  Status: Not Started
  Comments: Assigned 4/17/2019.

4.17.7
  Action Item: Follow up with Kurt S. about the survey results; obtain them for future use in the QWG.
  Responsible Party: MITRE (Chris C.)
  Status: In Process
  Comments: 5/1 Update: The survey is still open, and Kurt will provide the results once the survey is closed; expected to be around the Fall timeframe. Action: Kurt to send the survey to the CNA list for their input.

Working Group Updates

  • CNA Coordination Working Group (CNACWG) – Tod Beardsley/Chris Coffin
    • The CNACWG met on Wednesday, April 24, 2019. The group finalized the agenda, distributed it to the CNA Summit attendees, and added it to the CNA registration form.
    • The CNACWG is reviewing and updating the CNA onboarding slides and developing guidance on GitHub.
    • The CNACWG charter was finalized and sent on April 23, 2019, to the CVE Board for review and comment.
    • CNA Summit registration ends on Friday, May 3, 2019 at 10:00pm EDT.
      • As of May 1, CNA Summit attendees total 70; 6 will attend remotely and 64 will attend in person (includes 11 MITRE staff).
      • A total of 37 organizations are participating: 1 MITRE, 4 Non-CNAs/Board Members, and 32 CNAs.
  • Quality Working Group (QWG) – Dave Waltermire/Chris Coffin
    • The QWG met on Thursday, April 18, 2019. The group talked about the interview process, discussed what was missing from the last interview, and identified and prioritized potential interviewees for the next round of interviews.
    • The QWG will ensure the interviewees understand how the information will be used before the interviews are conducted. Information gathered from the interviews will be held within the QWG unless consent has been provided by the interviewee. The purpose of the interviews is to identify common themes or patterns to better understand CVE use cases in the community.
    • The meeting concluded with a discussion about CVE tagging and categorization. The discussion is ongoing.
  • Cloud Security Alliance Working Group (CSAWG)
    • No updates
  • Automation Working Group (AWG) – Lew Loren
    • The AWG met on Monday, April 29, 2019. The ID Allocation Service code has been uploaded to GitHub and shared with the AWG. The code can be accessed on the CVE website, under AWG links: https://cveproject.github.io/docs/
    • Developer feedback is expected in the next couple of weeks.
    • Requirements gathering for the User Registry and Authentication is in progress. Documentation from the Infrastructure and Architecture Definition Meeting (held February 26 and 27) is being used as the basis for the requirements. Once the requirements are gathered, Schmitty will send them to the developers to work up the code.
  • Strategic Planning (SPWG) – Kent Landfield/Chris Coffin
    • The SPWG met on Monday, April 29, 2019. The group reviewed the Root CVE Numbering Authority (CNA) Roles and Responsibilities Overview (v5.6 Draft.pptx).
      • The group reviewed the deck and scrubbed through the comments.
      • Next steps are to begin drafting the document that provides the details.
    • During the next meeting, on Wednesday, May 15, the group will determine which role to begin outlining next (CNA-LR, ADP, Mentors).

CNA Updates

  • MITRE – Jonathan Evans
    • Organizations in on-boarding process
      • Bosch - Moving ahead and making good progress. They are working on their counting rules homework.
      • GitHub - Meeting on Friday, May 3, to get the onboarding started and discuss scope. 
      • Eaton – Onboarding session scheduled for Wednesday, May 8.
    • Requests to become a CNA
      • Mitel Networks requested to become a CNA.
      • Honeywell and CyberArk requested to become CNAs.
      • Indiana University requested to become a CNA for scientific software. Their scope needs to be clarified before moving ahead with the onboarding process.
    • Removals: Netgear requested to be removed as a CNA.
  • JPCERT - Takayuki Uchiyama
    • No Updates

Open Discussion Items

  • Quarterly Report Card CY19 Q1 
    • Jonathan walked through the summary slides of the Quarterly Report Card for CY19 Q1. The report card was well received. There were no questions or comments regarding the summary or charts.

Agenda Items for Upcoming Meetings

  • Future discussion items
  • Rules revision list
  • Up and coming conferences and key meetings

Action Items from Board Meeting held on 1 May 2019

(Columns: # / Action Item / Responsible Party / Status / Comments)

5.1.01
  Action Item: Send the QWG guidance document to Mark Cox.
  Responsible Party: MITRE (Chris C.)
  Status: Completed
  Comments: 5/1: Sent the briefer guidance document to Mark immediately following the Board meeting.

5.1.02
  Action Item: Send the Cloud survey to the CNA List so they can provide input.
  Responsible Party: Kurt S.
  Status: Not Started
  Comments: Assigned on May 1, 2019.

Board Decisions

  • None

Future Discussion Topics

  1. How can the program better communicate its future vision for the evolution and sustainability of the CVE program? How can CVE better market the CVE program and communicate the changes that are being implemented?
  2. How can better status and metrics be provided to community stakeholders?
  3. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
    1. Set up an Excel spreadsheet to share contact info amongst the CNAs.
  4. CNA Scope Issues
    1. The Board discussed that CNA documentation around roles and responsibilities is needed. Current documentation is not clear: CNAs assign and populate CVEs within their scope, and that scope may or may not cover CVEs for their customers.
    2. CNA Rules: The rules state that CNAs must be responsive but do not provide a specific time frame. The rules state that if a CNA plans to assign a CVE for a vulnerability in another vendor's product, the assigning CNA should contact the vendor and give them the option to make the assignment. This must be clarified in the rules revision process.
    3. Root CNAs: A given Root has a scope. A portion of the scope gets delegated to a CNA (i.e., a product or area of research). If a portion of the scope is not delegated to a CNA, that scope stays with the Root. It is the Root's responsibility to assign and populate as the CNA of last resort.
    4. Action Item – The CNA Rules must be updated to reflect this new approach.
  5. Eliminate duplicate CVEs discussion
    1. The Board discussed that specifying CNA scope will help eliminate duplicate CVE assignments. Art explained that having open communication with other CNAs when making CVE assignments is critical; keeping this communication at the CNA level (not at the Root/Primary level) will help prevent duplication.
      1. Recommendation 1: A process recommendation needs to be added to the CNA guidance.
      2. Recommendation 2: The CNA rules must be updated to minimize duplicate assignments.
    2. Jonathan Evans explained that duplication of CVE assignments occurs most often with DWF.
  6. Researcher CNAs
    1. The Board discussed researcher CNAs that have ambiguous scopes. These CNAs have issued thousands of CVEs.
      1. Recommendation 1: Avoid adding any new researcher CNAs until there are specific guidelines for what qualifies as a researcher CNA. This includes defined scope rules yet to be determined.
      2. Recommendation 2: Make the scope naturally programmatic for researcher CNAs.
      3. Recommendation 3: Change the process for researcher CNAs. Who is responsible for coordinating the assignment of the IDs? Who issues the CVE ID and who populates the information? There should be an easier way for companies to request a CVE ID.
      4. Recommendation 4: Better define roles and responsibilities for researcher CNAs.
      5. Recommendation 5: Explore the possibility of researchers participating in the CNA program without becoming CNAs.
      6. Recommendation 6: A testing/certification program for CNAs is needed to make sure they can adequately perform their role, especially researchers.
    2. The Board agreed to explore better solutions regarding the researcher CNA ambiguous scope issue.
  7. Operationalize Root CNAs effectively
    1. Further discussion is needed regarding how to operationalize Root CNAs more effectively.
    2. Additional discussion regarding MITRE's role in operationalizing Roots is needed.
  8. Product Type Tagging/Categorization
    1. As the production numbers for CVEs go up, there will be an increasing need to view a subset of the overall CVE master list.
    2. Define a list of common product areas/domains to be used for categorizing CVE entries (e.g., medical devices, automotive, industrial, etc.).
    3. The tags/categories should be attached to the products and not to the CVE entries directly.
    4. Product listings in the CVE User Registry would be a potential location.
    5. Can it be automated?
  9. Future of CVSS
    1. Assigning multiple CVSS scores to a single CVE.
    2. Hill discussions around CVSS.
  10. Discuss how we can better handle the international community (English requirements of guidance, documentation, CVE IDs).