CVE Board Meeting summary - 22January 2020


Bazar, Jo E.

CVE Board Meeting – 22 January 2020

Board Members in Attendance

  • Tod Beardsley, Rapid7
  • Patrick Emsweller, Cisco Systems, Inc.
  • Kent Landfield, McAfee
  • Beverly Alvarez, Lenovo Group Ltd.
  • Scott Moore, IBM
  • Lisa Olson, Microsoft
  • Kathleen Noble, Intel
  • Takayuki Uchiyama, Panasonic Corporation
  • David Waltermire, National Institute of Standards and Technology (NIST)
  • Ken Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance

  • Jo Bazar
  • Chris Coffin
  • Christine Deal
  • Jonathan Evans

Agenda

  • 2:00 – 2:15: Introductions, action items from the last meeting
  • 2:15 – 2:30: Working Groups
    • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • Quality Working Group (QWG): Chris Coffin/Dave Waltermire
    • Automation Working Group (AWG): Lew Loren
    • Strategic Planning Working Group (SPWG): Kent Landfield
  • 2:30 – 2:45: Root CNA Update
    • MITRE: Jo Bazar
    • JPCERT: Jonathan Evans/Chris Coffin
  • 2:45 – 2:55: CVE Global Summit – Beverly Alvarez
  • 2:55 – 3:10: CNA Rules Revision Status – Jonathan Evans
  • 3:10 – 3:25: CVE Global Summit Agenda – Tod Beardsley
  • 3:25 – 3:45: CNA Report Card – Jo Bazar
  • 3:45 – 3:55: Open Discussion
  • 3:55 – 4:00: Action items, wrap-up

Action Items from Previous Meetings

#: 1.23.1
Action Item: Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).
Responsible Party: MITRE (Evans)
Status: In Process
Comments: MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below:
  1. How to submit entries to MITRE using the web form (CNA Submission process)
  2. CVE ID assignment rule (Counting) – DRAFT sent for inputs to CNACWG and OCWG
  3. Becoming a CNA – DRAFT sent for inputs to CNACWG and OCWG
  4. CVE Program (includes Root structure)
  5. How to request MITRE CNA populate a CVE entry (CNA Process)
  6. How to create a CVE Entry (CNA Entry creation)
  1/8 Update: Draft videos are uploaded to YouTube; CNACWG and OCWG will provide feedback NLT January 17.

#: 7.24.01
Action Item: Develop a strategy for handling public but low-quality vulnerabilities, especially cases where the vendor or maintainer has not acknowledged the vulnerability.
Responsible Party: MITRE (Chris C./Jonathan E.)
Status: In Process
Comments: 9/4 Update: Outline drafted by Jonathan and is being reviewed by the CVE team.

#: 8.21.01
Action Item: Take the lead for a contest open to the community to create a new CVE logo.
Responsible Party: OCWG
Status: In Process
Comments: 9/4 Update: OCWG discussed at last meeting and is seeking additional guidance from the CVE Board.
  10/16 Update: Shannon provided a list of requirements/questions for the CVE Board to consider.

#: 10.30.02
Action Item: Update RBP threshold policy to include consequences for CNAs with backlogs over the specified threshold.
Responsible Party: MITRE (Jonathan E./Jo B.)
Status: In Process
Comments: 11/13 Update: RBP policy drafted and being reviewed by CVE team. Policy document will be sent to the CVE Board for review and comment.

#: 01.08.01
Action Item: Send INCIBE press release to CVE Private Board to obtain a quote for the press release.
Responsible Party: Jo Bazar (MITRE)
Status: Completed
Comments: 1/22/20 Update: Scott Lawler provided a quote for the INCIBE press release (THANK YOU, Scott). INCIBE announced their participation in the CNA program on January 16, 2020.

#: 01.08.02
Action Item: Send CNA Rules v3.0 to CVE Board for vote.
Responsible Party: Jonathan Evans (MITRE)
Status: Completed
Comments: 1/22/20 Update: Jonathan sent CNA Rules v3.0 on January 13, 2020; the voting period ends on February 1, 2020.

#: 01.08.03
Action Item: Follow up with 99designs on whether the CVE Community can participate in the logo selection.
Responsible Party: Shannon Sabens
Status: Completed
Comments: 1/22/20 Update: 99designs confirmed that the CVE community can participate in the voting session; a link will be provided for voting.

#: 01.08.04
Action Item: Draft Researcher CNA Requirements for CVE Board to review and vote.
Responsible Party: Chris Coffin (MITRE)
Status: In Process
Comments: 1/22/20 Update: Draft sent to CVE Team for review and feedback. Shared on screen with the Board and received some feedback. Should be ready to use once the CNA requirements are finalized.

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • OCWG meeting was held on January 17, 2020:
      • Press Release template for CNAs to use for new CNA announcements:
        • We reviewed the first CNA press release and identified areas where we can help incoming CNAs with their press releases. The next step is to prepare a press kit for incoming CNAs.
      • CVE Logo contest - https://99designs.com/how-it-works
        • Shannon confirmed that the CVE Community can vote on the final logo selection. Next steps: obtain approval from the sponsor and COR. Once approved, the logo contest can begin.
      • OCWG charter was drafted and sent to the group for review and feedback.
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • CNACWG meeting was held on January 15, 2020:
      • Draft agenda for the CVE Global Summit was sent to the CVE Board and will be reviewed during the Board meeting on 1/22.
      • Documents have moved from Google Drive to SharePoint, which is now their official location; Google will still be used for working documents.
      • CNACWG charter was updated to v1.3 to remove the Google references.
      • CNA onboarding videos have been reviewed; Sam will work with Jo to ensure recommended changes are included in the FINAL videos.
  • Quality Working Group (QWG): Dave Waltermire/Chris Coffin
    • QWG meeting was held on January 9, 2020:
      • We continued to discuss tagging of CVE entries.
  • Automation Working Group (AWG) – Lew Loren
    • No meeting held since the last CVE Board meeting; the next AWG meeting will be held on January 24, 2020.
    • Lisa met with Lew Loren and Matt Bianchi offline about Microsoft being a beta tester for the new replacement pilot for GitHub.
  • Strategic Planning (SPWG) – Kent Landfield

CNA Updates

  • MITRE – Jo Bazar
    • Requests to become a CNA
      • Received five CNA requests since the last CVE Board meeting.
    • On-Boarding
      • Conducted three onboarding sessions since the last Board meeting.
      • One CNA onboarding session is scheduled in January.
    • CNA Announcements and News
      • Two CNA announcements since the last Board meeting: INCIBE and Cybellum.
      • There are now 112 CNAs participating in the program in 21 countries.
      • 75 in the CNA pipeline: Q2; 16 = Q3, 23 = Q4, and 6 = Q1’20 so far.
      • Two pending CNA announcements.
  • JPCERT - Jonathan Evans/Chris Coffin
    • JPCERT is in the process of onboarding a Sub-CNA.
    • JPCERT is working with the CNA Coordination team on the requirements and processes for onboarding a sub-CNA.
    • JPCERT will handle the onboarding activities without the involvement of the MITRE CNA.

CVE Global Summit 2020 – Beverly Alvarez

  • Breakfast/Lunch and snacks will be covered for both days.
  • The CVE Global Summit invites have been sent via Eventbrite; responses are due no later than February 2, 2020. Attendees planning to attend in person are required to register. As of the Board meeting on 1/22, 34 people were registered to attend in person.
  • A reminder message will be sent to the CVE Board and CNA Discussion list on Friday, 1/24/2020.

CNA Rules Revision Status – Jonathan Evans

  • CNA Rules v3.0 revisions were sent on January 13, 2020, and the voting period will end on February 1, 2020. We have thus far received one vote to approve.

CVE Global Summit Agenda – Tod Beardsley 

  • Tod presented the CVE Global Summit agenda and the group discussed topics that would fill the open slots. Topics include: Dave Waltermire briefing the group on NVD activities related to CVE, CNA submission of CVSS scoring, and other topics of interest; Intel briefing about hardware vulnerabilities; Kent Landfield briefing about internationalization; Jonathan Evans briefing about rules revisions that did not make v3.0; medical devices and other technologies covered within the CVE Program.

CNA Report Card – Jo Bazar 

  • Jo Bazar reviewed the CNA Report Card and addressed questions and recommendations from the CVE Board. The recommendation to add content and graphs will be incorporated into the next quarterly report. The group’s recommendations will improve the value and quality of the report.

Open Discussion Items

  • Chris Coffin presented the draft language for the Researcher CNA requirements for feedback from the Board. The group offered recommendations on the draft language.
    • “The CNA program is reserved for proprietary and open-source maintainers, coordinators, researchers, and other organizations within the industry that have an established track record of good security management and practices. The CNA program is not applicable to individuals. For those individuals, and the general public, CVE IDs can always be obtained from a current CVE CNA organization.”
  • Next step is to include the new CNA requirements in the Roles and Responsibilities document that the SPWG is developing.

Action Items from Board Meeting held on 22 January 2020

#: 01.22.01
Action Item: Send an email reminder to the CVE Board and CNA Discussion list about the details of the CNA summit and that an Eventbrite invite has been sent.
Responsible Party: Jo Bazar (MITRE)
Status: Not Started
Comments: Assigned 1/22/2020.

#: 01.22.02
Action Item: Schedule meeting with Kent, Dave and the MITRE development team for February 5th and 6th.
Responsible Party: Jo Bazar (MITRE)
Status: Not Started
Comments: Assigned 1/22/2020.

Board Decisions

  • None

Future Discussion Topics

1. Communication
   a. Outreach – OCWG for most of this section (noted otherwise).
      i. Localization – should start in the QWG for guidance, then to the AWG for implementation.
      ii. Upstream producers –
         1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
         1. Vulnerability Description
            a. VDO
            b. CSAF
         2. Severity
            a. CVSS
         3. Product identification and management
            a. SBOM
               1. CWE
                  1. hardware
   b. Metrics – CVE Board
      i. Community metrics (Public metrics)
      ii. CNA specific metrics
      iii. Program performance (Report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
         1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – SharePoint site (CVE CNA site)
2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
         1. Non-vendor CNAs
            a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA.
         2. Root CNA shopping
         3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
            1. CNA scope to the cooperative sub-CNAs
   c. Coverage – CVE Board
      i. What’s in, What’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
         1. Define (not a wrench)
      v. Open source software
   d. Goals – CVE Board
3. Operations
   a. Guidance
      i. Operationalizing Root CNAs – SPWG
         1. What is MITRE’s role
         2. How to best operationalize Root CNAs
      ii. For new CNAs – CNACWG
         1. What is needed?
         2. What are the best formats?
         3. How to minimize one-on-one guidance
      iii. How to supply refreshers – CVE Board/CNACWG
   b. CNA Management – CNACWG
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirements
         1. Responsiveness
         2. Time to populate
         3. RBP start time
      iii. Scope statement best practices
      iv. Rules Violations
         1. Assignment correction processes (e.g. reject, split, merge) should account for violations
   c. Assignments – CVE Board
      i. Prevent duplicates
         1. How can CNA scopes help?
   d. Submissions – QWG and CVE Board; AWG handles format implementation
      i. Formats
      ii. Information requirements
         1. Add impact
         2. Add publication data
         3. Add vulnerability type
         4. Split problem types into vuln. type, root cause, or impact
         5. Don’t require references
      iii. Should the description match the separate metadata fields
4. CVE List – QWG
   a. Formats (all different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing in the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging
   c. Prose description, do we need it?

Attachment: CVE_Board_Meeting_ 22 January 2020 FINAL.pdf (565K)