Patrick Emsweller, Cisco Systems, Inc.
Kent Landfield, McAfee
Beverly Alvarez, Lenovo Group Ltd.
Scott Moore, IBM
Lisa Olson, Microsoft
Kathleen Noble, Intel
Takayuki Uchiyama, Panasonic Corporation
David Waltermire, National Institute of Standards and Technology (NIST)
Ken Williams, Broadcom Inc.
Members of MITRE CVE Team in Attendance
2:15 – 2:30: Working Groups
2:30 – 2:45: Root CNA Update
2:45 – 2:55: CVE Global Summit – Beverly Alvarez
2:55 – 3:10: CNA Rules Revision Status – Jonathan Evans
3:10 – 3:25: CVE Global Summit Agenda – Tod Beardsley
3:25 – 3:45: CNA Report Card – Jo Bazar
3:45 – 3:55: Open Discussion
§ CNA Coordination Working Group (CNACWG): Tod Beardsley
§ CNA Rules v3.0 revisions were sent on January 13, 2020, and the voting period will end on February 1, 2020. We have thus far received one vote to approve.
§ Tod presented the CVE Global Summit agenda and the group discussed topics that would fill the open slots. Topics include: Dave Waltermire briefing the group on NVD activities related to CVE, CNA submission of CVSS scoring, and other topics of interest; Intel briefing about hardware vulnerabilities; Kent Landfield briefing about internationalization; Jonathan Evans briefing about Rules revisions that did not make it into v3.0; medical devices and other technologies covered within the CVE Program.
§ Jo Bazar reviewed the CNA Report Card and addressed questions and recommendations from the CVE Board. The recommendation to add content and graphs will be incorporated into the next quarterly report. The group’s recommendations will improve the value and quality of the report.
§ Chris Coffin presented the draft language for the Researcher CNA requirements for feedback from the Board. The group offered their recommendations on the draft language.
§ Next step is to include the new CNA requirements in the Roles and Responsibilities document that the SPWG is developing.
  a. Outreach – OCWG for most of this section (noted otherwise).
    i. Localization – should start in the QWG for guidance, then to the AWG for implementation.
    ii. Upstream producers –
      1. CNA Recruitment
    iii. Downstream users –
    iv. Related Projects
      1. Vulnerability Description
      3. Product identification and management
  b. Metrics – CVE Board
    i. Community metrics (Public metrics)
    ii. CNA specific metrics
    iii. Program performance (Report card)
  c. Knowledge capture/transfer – CVE Board
    i. Record Working Group meetings
      1. Where to store the recordings?
    ii. Issue tracking
    iii. Storage of WG materials – SharePoint site (CVE CNA site)
  a. Program Structure – SPWG
  b. Roles, responsibilities, and requirements – SPWG
    i. Disclosure Policies
      1. Non-vendor CNAs
        a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
      2. Root CNA shopping
      3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
  c. Coverage – CVE Board
    i. What’s in, What’s out
    ii. End of life
    iii. Software as a service
    v. Open source software
    i. Operationalizing Root CNAs – SPWG
    ii. For new CNAs – CNACWG
    iii. How to supply refreshers – CVE Board/CNACWG
    i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
    iii. Scope statement best practices
    iv. Rules Violations
    i. Prevent duplicates
    ii. Information requirements
      4. Split problem types into vuln. type, root cause, or impact
      5. Don’t require references
    iii. Should the description match the separate metadata fields?
4. CVE List – QWG
  a. Formats (all different formats) – CVE Board
    i. How can the download formats be updated or retired?
  b. CVE Tagging
    i. Helps filtering
    ii. How to identify the categories we need
    iii. Should the tagging be attached to the product or the vulnerability?
    iv. Could we leverage a product listing in the CVE User Registry?
    v. Can it be automated?
    vi. EOL tagging
Attachment: CVE_Board_Meeting_ 22 January 2020 FINAL.pdf (565K)