CVE Board Meeting summary - 24 June 2020


Jo E Bazar

CVE Board Meeting – 24 June 2020

Members of CVE Board in Attendance

Tod Beardsley, Rapid7 

Chris Coffin, The MITRE Corporation (MITRE At-Large)

Patrick Emsweller, Cisco Systems, Inc.

Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)

Kent Landfield, McAfee

Scott Lawler, LP3

Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)

Scott Moore, IBM

Kathleen Noble, Intel Corporation

Lisa Olson, Microsoft

Shannon Sabens, Trend Micro/Zero Day Initiative (ZDI)

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance

Jo Bazar

Christine Deal

Jonathan Evans

Chris Levendis

Lew Loren


2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 3:00: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Jonathan Evans/Dave Waltermire
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield


3:00 – 3:30: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans
  • Root CNA Prospects: Jonathan Evans/Jo Bazar


3:30 – 3:50: Other discussion items

    1. EOL Vote
    2. Coffin Exception
    3. Terms and Definitions impact on the Board Charter

3:50 – 3:55: Open Discussion

3:55 – 4:00: Action items, wrap-up

Review of Action Items from Board Meeting held on 10 June 2020

# | Action Item | Responsible Party | Status | Comments
02.19.04 | Develop strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.). | SPWG | Not Started | Assigned 2/19/2020.
4.1.04 | Develop Non-responsiveness Policy to address CNA1, which continues to be unresponsive. | Jo Bazar (MITRE) | Pending | 5/13 Update: Pending feedback from CNACWG. CNACWG will provide a recommended response time for CNAs to respond to MITRE requests.
4.1.07 | Formalize Council of Roots responsibilities in anticipation of new Roots joining the program. | SPWG | In Progress | Assigned on 4/1/2020.
5.13.02 | Take the lead on developing a proposal for an automated vulnerability identification workshop, including an initial target participant list, and report back to the next CVE Board meeting. | Kent L. | In Progress | 6/10 Update: Recommend shifting the report-back date to June 24, 2020.
6.10.01 | Contact RCNA1 to see if they are comfortable sharing their draft Dispute/Escalation policy with the SPWG (and receiving feedback). | Jo Bazar (MITRE) | In Progress | 6/24 Update: Dispute policy still in draft.

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • OCWG meeting (June 12)
      • Thu is presenting the CVE Website mockup on June 26 for OCWG feedback.
      • The podcast on the relationship and differences between NIST NVD and CVE has been delayed; podcast topics have been reprioritized so that the CNA Success Stories podcast will be first.
      • ZDI blog posted on the CVE website and the ZDI website on June 22.
      • The next OCWG meeting is on June 26.
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • CNACWG meetings (June 17 and 18)
      • Euro and Asia meetings are taking off, with each meeting having at least two attendees.
      • Draft agenda for the virtual CVE Global Summit was sent to the CVE Board on June 24 for review and feedback.
      • CNA Rules changes: trivial rules changes do not need a vote; changes that impact the normal workflow of a CNA require a vote, with a six-month lead time for implementation.
      • The next CNACWG meetings are July 1 and 2. The US and Euro meetings will be held on July 1 and the Asia meeting on July 2.
  • Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
    • QWG meeting (June 11)
      • Finalizing the operational bounds around tagging a CVE:
        • There are three tag types: container tags, reference tags, and tags that appear in descriptions.
        • QWG will host a tag proposal meeting and serve as gatekeeper; recommendations will be presented to the CVE Board.
      • The next QWG meeting is June 25.
  • Automation Working Group (AWG): Lew Loren
    • AWG meetings (June 16 and 23)
      • The ID Reservation (IDR) System schedule (formerly known as ID Allocation) follows:
        • June 26
          • External System Request (ESR) architecture diagram
          • OpenAPI YAML file for IDR
        • July 10
          • ID Library endpoints, User Registry endpoints, algorithm changes (last year allocation)
          • Deployed to playground and ESR submitted; pen test not required
          • Request code review from the community
        • July 17
          • External System Request (ESR) response [production quality, test URL, consider adding a comment to the JSON that marks it as test, not yet live]
          • Host a test/staging environment on AWS so people can test IDR with dummy data to augment the current automated tests; a call for participants will be put out
            • Potentially with a load testing schedule
          • Begin schedule planning for the other services
        • July 31
          • IDR goes “live” and is available to the community for production use
          • CPS uses IDR instead of generating its own IDs [verifying impact to the CPS code later this week; this will not impact CNA ability to develop their IDR interface code but could cause this date to change]
      • AWG charter is in the process of being finalized.
      • The next AWG meetings are June 30 and July 7.
  • Strategic Planning Working Group (SPWG): Kent Landfield
    • SPWG meetings (June 15 and 22)
      • EOL document sent for review and comment; feedback due no later than July 1.
        • SPWG approves moving forward on the EOL document.
      • CVE domain acquisition process is underway; MITRE extended an offer for CVE.org.
      • A suggestion was made for another mailing list that includes all CVE Board members, CNAs, ADPs, etc., to make getting feedback from the community easier.
      • CVE Definition list is underway. Dave and Katie have taken the lead on reviewing and editing the document.
      • SPWG charter was approved and posted to the CVE website on June 15.
      • The next SPWG meetings are June 29 and July 6.

CNA Updates

  • MITRE – Jo Bazar
    • Requests to become a CNA
      • Received five CNA requests since the last CVE Board meeting (held on June 10).
    • On-Boarding
      • Four onboarding sessions since the last CVE Board meeting.
      • One CNA onboarding session scheduled in June.
    • CNA Announcements and News
      • One CNA announcement since the last CVE Board meeting: openEuler
      • There are now 129 CNAs participating in the program in 21 countries.
      • 110 in the total CNA pipeline: 15 in Q3’19; 16 in Q4’19; 23 in Q1’20; and 20 in Q2’20.
      • No CNA announcements pending.
    • CNAs missing disclosure policies and/or advisory locations (as required by CNA Rules 3.0)
      • We have emailed the 20 CNAs with missing disclosure policies and/or advisory locations; we have received the requested information from 13 CNAs, and 7 remain outstanding.
  • JPCERT – Jonathan Evans
    • CNA status updates, June 24:
      • Number of new CNAs: 0
      • Number of prospective CNAs we are working with: 2
    • Regarding the CNA on-boarding slides translation:
      • The PR review is finished, and we are now arranging and fixing small parts. We are planning on finishing everything (notes translation process) by the end of this week. The translation process is complete.
      • We have placed the pptx files in MITRE’s SharePoint folder in the OCWG section: 11. CNA Slides > CNA On-Boarding
      • The next step would be the voice-overs, and we are planning on starting the process after the first release of the translated slides.
  • Root CNA Prospects – Jonathan Evans/Jo Bazar
    • RCNA1 Root update:
      • June 24 meeting was rescheduled to July 1.


Other Discussion Items

  • CNA Response Timeframes – Tod Beardsley
    • CNACWG recommends that CNAs respond to requests within 6 weeks total, with 3 attempts made and 2 weeks to respond to each attempt.
  • Conduct Postmortem – Chris Levendis
    • Suggests conducting postmortem discussions around the EOL document process and the CNA Rules changes process to document lessons learned and how we can do better. The group agreed, and Katie will take the lead on getting these meetings scheduled.
    • Recommendation to form a CNA Rules changes working group.
    • The EOL postmortem will be the first meeting scheduled, on or around July 15, 2020.
  • Recommendation for a Council of Working Group Chairs – Chris Levendis
    • The suggestion was made to hold a separate meeting that includes the WG Chairs to tee up decisions to recommend to the CVE Board.
    • MITRE will schedule the first meeting to discuss how often and for how long this new group will meet, as well as to determine its goals and objectives, the process for working group updates, and the process for bringing issues to the CVE Board for a decision.
  • Pending Board Votes will occur in the following order:
    • Coffin Exception: Board vote needed for the Coffin exception.
    • EOL Document Vote: The EOL document needs to be sent to the Board with a recommendation to approve the documented process as the official EOL process for the CVE Program.
    • Terms and Definitions impact on the Board Charter: CVE Moderator will be replaced with Secretariat, which more accurately aligns with the to-be program structure.
  • CVE Board Membership
    • A recommendation was made to revisit the CVE Board charter regarding what defines activity as a CVE Board member. There have been observations that some CVE Board members have been inactive for some time (not voting, not calling into the meetings, etc.).
    • MITRE will send a message to all CVE Board members asking whether they want to continue serving on the CVE Board.
    • CVE Board membership will be added to the agenda for the next Board meeting.

Action Items from Board Meeting held on 24 June 2020

# | Action Item | Responsible Party | Status | Comments
6.24.01 | Set up a meeting with MITRE IT about the email issues, including the impacted CVE Board members (Kent, Dave, Katie). | Christine D. (MITRE) | Not Started | Assigned on 6/24/2020.
6.24.02 | Schedule a meeting to discuss the EOL and CNA Rules postmortem, lessons learned, and opportunities moving forward. | Katie Noble (Intel) | Not Started | Assigned on 6/24/2020.
6.24.03 | Set up a meeting with the working group chairs to discuss the WG Council of Chairs. | Jo B. (MITRE) | Not Started | Assigned on 6/24/2020.
6.24.04 | Send a message to all CVE Board members to see if they want to continue serving on the CVE Board. | Chris L. (MITRE) | Not Started | Assigned on 6/24/2020.

Board Decisions

None

Next CVE Board Meeting 

Wednesday, July 8, 2020 at 2:00PM EDT

Agenda Items for next CVE Board Meeting

Other discussion items:

  • CVE Board Membership
  • Pending Board Votes will occur in the following order:
    • Coffin Exception 
    • EOL Document Vote 
    • Terms and Definitions impact on the Board Charter

Attachment: CVE_Board_Meeting_24June 2020 FINAL.pdf (538K)