CVE Board Meeting – 24 June 2020

Members of CVE Board in Attendance
- Tod Beardsley, Rapid7
- Chris Coffin, The MITRE Corporation (MITRE At-Large)
- Patrick Emsweller, Cisco Systems, Inc.
- Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)
- Kent Landfield, McAfee
- Scott Lawler, LP3
- Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)
- Scott Moore, IBM
- Kathleen Noble, Intel Corporation
- Lisa Olson, Microsoft
- Shannon Sabens, Trend Micro/Zero Day Initiative (ZDI)
- Takayuki Uchiyama, Panasonic Corporation
- David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance
- Jo Bazar
- Christine Deal
- Jonathan Evans
- Chris Levendis
- Lew Loren
Agenda
2:00 – 2:15: Introductions, action items from the last meeting
2:15 – 3:00: Working Groups
- Outreach and Communications Working Group (OCWG): Shannon Sabens
- CNA Coordination Working Group (CNACWG): Tod Beardsley
- Quality Working Group (QWG): Jonathan Evans/Dave Waltermire
- Automation Working Group (AWG): Lew Loren
- Strategic Planning Working Group (SPWG): Kent Landfield
3:00 – 3:30: Root CNA Update
- MITRE: Jo Bazar
- JPCERT: Jonathan Evans
- Root CNA Prospects: Jonathan Evans/Jo Bazar
3:30 – 3:50: Other discussion items
- EOL Vote
- Coffin Exception
- Terms and Definitions impact on the Board Charter
3:50 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up
Review of Action Items from Board Meeting held on 10 June 2020

| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 02.19.04 | Develop strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.). | SPWG | Not Started | Assigned 2/19/2020. |
| 4.1.04 | Develop Non-responsiveness Policy to address CNA1 that continues to be unresponsive. | Jo Bazar (MITRE) | Pending | 5/13 Update: Pending feedback from CNACWG. CNACWG will provide a recommended response time for CNAs to respond to MITRE requests. |
| 4.1.07 | Formalize Council of Roots responsibilities in anticipation of new Roots joining the program. | SPWG | In progress | Assigned on 4/1/2020. |
| 5.13.02 | Take the lead for developing a proposal about an approach for an automated vulnerability identification workshop that includes an initial target participant list, and report back to the next CVE Board Meeting. | Kent L. | In progress | 6/10 Update: Recommend shifting report-back date to June 24, 2020. |
| 6.10.01 | Contact RCNA1 to see if they are comfortable sharing their draft Dispute/Escalation policy with the SPWG (and receiving feedback). | Jo Bazar (MITRE) | In Progress | 6/24 Update: Dispute policy still in draft. |
Working Groups

- Outreach and Communications Working Group (OCWG): Shannon Sabens
  - Thu is presenting the CVE Website mockup on June 26 for OCWG feedback.
  - Podcast on the relationship and differences between NIST NVD and CVE has been delayed; however, podcast topics have been reprioritized to have the CNA Success Stories podcast be first.
  - ZDI Blog posted on CVE website and ZDI website on June 22.
  - The next OCWG meeting is on June 26.
- CNA Coordination Working Group (CNACWG): Tod Beardsley
  - CNACWG meetings (June 17 and 18)
    - Euro and Asia meetings are taking off, with each meeting having at least two attendees.
    - Draft agenda for the virtual CVE Global Summit sent on June 24 to the CVE Board for review and feedback.
    - CNA Rules changes: trivial rules changes do not need a vote; changes that impact the normal workflow of a CNA require a vote, with a six-month lead time for implementation.
    - The next CNACWG meetings are July 1 and 2. US and Euro meetings will be held on July 1 and the Asia meeting will be held on July 2.
- Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
  - Finalizing the operational bounds around tagging a CVE
    - There are 3 tag types: container tags, reference tags, and tags that appear in descriptions.
    - QWG will host a tag proposal meeting and serve as a gatekeeper; recommendations will be presented to the CVE Board.
  - The next QWG meeting is June 25.
- Automation Working Group (AWG): Lew Loren
  - AWG meetings (June 16 and 23)
    - The ID Reservation (IDR) System schedule (formerly known as ID Allocation) follows:
      - June 26
        - External System Request (ESR) architecture diagram
        - OpenAPI YAML file for IDR
      - July 10
        - ID Library endpoints, User Registry endpoints, algorithm changes (last year allocation)
        - Deployed to playground and ESR submitted; pen test not required
        - Request code review from community
      - July 17
        - External System Request (ESR) response [production quality, test URL, consider adding a comment to the JSON that marks it as test, not yet live]
        - Host a test/staging environment on AWS so people can test IDR with dummy data to augment current automated tests; we will put out a call for participants
          - Potentially with a load testing schedule
        - Begin schedule planning for the other services
      - July 31
        - IDR goes “live” and is available to the community for production use
        - CPS uses IDR instead of generating its own IDs [verifying impact to the CPS code later this week; this will not impact CNA ability to develop their IDR interface code but could cause this date to change]
  - AWG charter is in the process of being finalized.
  - The next AWG meetings are June 30 and July 7.
- Strategic Planning Working Group (SPWG): Kent Landfield
  - SPWG meetings (June 15 and 22)
    - EOL document sent for review and comment; feedback due NLT July 1
      - SPWG approves moving forward on the EOL document.
    - CVE domain acquisition process is underway; MITRE extended an offer for CVE.org.
    - Suggestion was made for another mailing list that includes all CVE Board members, CNAs, ADPs, etc., to make getting feedback from the community easier.
    - CVE Definition list is underway. Dave and Katie have taken the lead with reviewing and editing the document.
    - SPWG charter was approved and was posted to the CVE website on June 15.
    - The next SPWG meetings are June 29 and July 6.
Root CNA Update

- MITRE: Jo Bazar
  - Received five CNA requests since the last CVE Board meeting (held on June 10).
  - On-Boarding
    - Four onboarding sessions since the last CVE Board meeting.
    - One CNA onboarding session scheduled in June.
  - CNA Announcements and News
    - One CNA announcement since the last CVE Board meeting: openEuler
    - There are now 129 CNAs participating in the program in 21 countries.
    - 110 in total CNA pipeline: 15 in Q3’19; 16 in Q4’19; 23 in Q1’20 and 20 in Q2’20
    - No CNA pending announcements.
  - CNAs missing disclosure policies and/or advisory locations (as required based on CNA Rules 3.0)
    - We have emailed the 20 CNAs with missing disclosure policies and/or advisory locations; we have received the requested information from 13 CNAs, and 7 remain outstanding.
- JPCERT: Jonathan Evans
  - CNA Status Updates June 24:
    - Number of new CNAs: 0
    - Number of prospective CNAs we are working with: 2
    - Regarding the CNA on-boarding slides translation:
      - The PR review is finished, and we are now arranging and fixing small parts. We are planning on finishing everything (notes translation process) by the end of this week. The translation process is complete.
      - We have placed the pptx files in MITRE’s SharePoint folder in the OCWG section: 11. CNA Slides > CNA On-Boarding
      - The next step would be the voice-overs, and we are planning on starting the process after the first release of the translated slides.
- Root CNA Prospects: Jonathan Evans/Jo Bazar
  - RCNA1 Root update:
    - June 24 meeting was rescheduled to July 1.
Other Discussion Items

- CNA Response Timeframes – Tod Beardsley
  - CNACWG recommends that CNAs respond to requests within 6 weeks total, with 3 attempts made and 2 weeks to respond.
- Conduct Postmortem – Chris Levendis
  - Suggests conducting postmortem discussions around the EOL document process and the CNA Rules changes process to document lessons learned and how we can do it better. The group agreed, and Katie will be taking the lead to get these meetings scheduled.
  - Recommendation to form a CNA Rules changes working group.
  - EOL postmortem will be the first meeting to be scheduled, on/around July 15, 2020.
- Recommendation for Council of Working Chairs – Chris Levendis
  - The suggestion was made to have a separate meeting that would include the WG Chairs to tee up decisions to recommend to the CVE Board.
  - MITRE will schedule the first meeting to discuss how often and for how long this new working group meets, as well as to determine the goals and objectives, the process for working group updates, and the process for bringing issues to the CVE Board for a decision.
- Pending Board Votes will occur in the following order:
  - Coffin Exception: Board vote needed for the Coffin exception.
  - EOL Document Vote: The EOL document needs to be sent to the Board with a recommendation to approve the documented process as the official EOL process for the CVE Program.
  - Terms and Definitions impact on the Board Charter: CVE Moderator will be replaced with Secretariat, which more accurately aligns with the to-be program structure.
- CVE Board Membership
  - Recommendation was made to relook at the CVE Board charter regarding what defines activity as a CVE Board member. There have been observations that some CVE Board members have been inactive for some time: not voting, not calling into the meetings, etc.
  - MITRE will send a message to all the CVE Board members to ask if they want to continue being on the CVE Board.
  - CVE Board membership will be added to the agenda for the next Board meeting.
Action Items from Board Meeting held on 24 June 2020

| # | Action Item | Responsible Party | Status | Comments |
|---|---|---|---|---|
| 6.24.01 | Set up meeting with MITRE IT folks about email issues that includes impacted CVE Board members (Kent, Dave, Katie). | Christine D. (MITRE) | Not Started | Assigned on 6/24/2020. |
| 6.24.02 | Schedule a meeting to discuss EOL and CNA Rules Postmortem, lessons learned, and opportunities moving forward. | Katie Noble (Intel) | Not Started | Assigned on 6/24/2020. |
| 6.24.03 | Set up meeting to discuss WG Council of Chairs with working group chairs. | Jo B. (MITRE) | Not Started | Assigned on 6/24/2020. |
| 6.24.04 | Send message to all the CVE Board members to see if they want to continue being on the CVE Board. | Chris L. (MITRE) | Not Started | Assigned on 6/24/2020. |
None

Next CVE Board Meeting: Wednesday, July 8, 2020 at 2:00PM EDT

Agenda Items for next CVE Board Meeting
Other discussion items:
- Pending Board Votes will occur in the following order:
  - Coffin Exception
  - EOL Document Vote
  - Terms and Definitions impact on the Board Charter