CVE Board Meeting summary - 24July2019


Bazar, Jo E.

CVE Board Meeting – 24 July 2019

Mark Cox, Red Hat, Inc.

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Beverly Miller Alvarez, Lenovo Group Ltd.

Scott Moore, IBM

Shannon Sabens, Trend Micro

Kathleen Trimble, U.S. Department of Homeland Security (DHS)

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Christine Deal

Jonathan Evans

Chris Levendis

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 2:30: Working Groups

  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Chris Coffin
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin

2:30 – 2:45: Root CNA Update

  • MITRE: Jonathan Evans
  • JPCERT: Jonathan Evans/Chris Coffin

2:45 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up


#: 1.23.1
Action Item: Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).
Responsible Party: MITRE (Evans/Sain)
Status: In Process
Comments: MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below:

  1. How to submit entries to MITRE using the web form
  2. CVE ID assignment rule (Counting)
  3. Becoming a CNA
  4. CVE Program (includes Root structure)
  5. How to request the MITRE CNA populate a CVE entry

4/3 Update: Jonathan has started assigning some of the individual modules to members of the CNA coordination team and content team. In addition, the CCWG is also reviewing and updating the existing online guidance.

6/12 Update: In process. Some of the draft scripts for the online individual modules have been completed, and the existing online guidance is also being reviewed and updated.

#: 4.17.3
Action Item: Break out future discussion items into the following categories: Ongoing, Future, and OBE. Report back to the CVE Board and add items for future discussion.
Responsible Party: MITRE (CVE Team)
Status: Completed
Comments:
6/26 Update: Discussed in the 6/24 SPWG call and decided to ask the Board to walk through the items in the CVE Board meeting on July 10.
7/10 Update: Agenda item set for today to start discussion.
7/24 Update: Future discussion items have been assigned to WGs. Next step is to send them to the recommended working groups.
7/25 Update: Sent future discussion items to WGs.

#: 4.17.5
Action Item: Research a solution for storing and archiving CVE Board and WG meeting minutes in a central repository, as well as for tracking action items.
Responsible Party: MITRE (CVE Team)
Status: In Process
Comments:
6/12 Update: CNA SharePoint site is up (MITRE partners account is required); a Handshake account is used for current meeting recordings, and we are moving the archive of recordings to Amazon Glacier for cold storage.

#: 6.12.2
Action Item: Finalize “Trifold” or “Flyer” before the CVE 20-year Milestone event in Las Vegas on August 7th.
Responsible Party: CVE Board (select)/MITRE
Status: In Process
Comments:
6/12 Update: Draft flyer sent to Beverly M., Kent L., Tod B., Shannon S., Andrea T. and Taki U. for review and feedback with a due date of June 28, 2019.
7/24 Update: OCWG established; the Flyer will be transferred to the OCWG for completion. Flyer was sent to the co-chairs on July 24, 2019.

#: 6.12.3
Action Item: Develop Objectives/Goals for the CVE Outreach and Communications WG and send to the CVE Board for review and feedback. Next step is to send to the CNA List for OCWG volunteers and participation.
Responsible Party: MITRE (Jo Bazar)
Status: Completed
Comments:
6/26 Update: Draft sent to the CVE Private Board for review and feedback; due to Jo Bazar by July 9, 2019.
7/10 Update: Next step is to send to the CNA List for OCWG volunteers and participation, NLT COB 7/11/2019.
7/25 Update: Kick-off meeting scheduled for August 2, 2019.

#: 6.26.1
Action Item: Send invite (Eventbrite) to the CNA list, CVE Board members and other invitees for the BlackHat 20-year event on August 7, 2019.
Responsible Party: MITRE
Status: In Process
Comments:
7/10: Invites will be sent in 3 phases.
Round 1: Invites sent on 7/3 with RSVP by 7/12 to current Board, current and former MITRE CVE team members, former Board members. COMPLETED
Round 2: Invites to be sent on 7/16 with RSVP by 7/23 to current CNAs (limit 2 per organization), current WG Members (if not part of Board or working groups). COMPLETED
Round 3 (TENTATIVE): Invites to be sent on 7/26 with RSVP by 7/31 to candidate CNAs.

#: 6.26.2
Action Item: Update Charter to reflect the new interview process for Board nominations and that a CVE Board member can send nominations directly to the private Board list.
Responsible Party: MITRE (Chris C.)
Status: Not Started
Comments: Assigned 6/26/2019

#: 6.26.3
Action Item: Update Charter to reflect the new Board nomination interview process. When a new Board member is nominated, a 30-minute interview is conducted during the next Board call.
Responsible Party: MITRE (Chris C.)
Status: Not Started
Comments: Assigned 6/26/2019

#: 7.10.01
Action Item: Send short names to the CNA list for their review and input.
Responsible Party: MITRE (Jo Bazar)
Status: Completed
Comments:
7/24 Update: Sent CNA company short name list to CNAs on 7/24; changes due back NLT August 5, 2019.

Working Group Updates

  • CNA Coordination Working Group (CNACWG): Tod Beardsley/Chris Coffin
    • The CNACWG met on Wednesday, July 17, 2019. Tod was unable to attend in person, and below are Tod’s updates:  
      • Had a great briefing of what the SPWG does and is doing from Kent. Thanks!
      • Updated the CNACWG charter to explicitly mention Chatham House Rule for discussions. The new version is attached here, and available publicly here
      • Asia-friendly time zone meeting was kicked off, but no takers yet. Maybe next week! To get the meeting notices, feel free to join the group.
      • Continuing to work on rules updates well ahead of the October deadline.
  • Quality Working Group (QWG): Dave Waltermire/Chris Coffin
    • The QWG met on Monday, July 15, 2019. Interview held with Art Manion and Madison Quinn Oliver from CERT/CC.
    • Chris Coffin will send the meeting notes and recording out by the end of this week.
  • Automation Working Group (AWG) – Lew Loren 
    • The AWG meeting scheduled for July 22, 2019, was cancelled; the next meeting is scheduled for August 5, 2019.
  • Strategic Planning Working Group (SPWG) – Kent Landfield/Chris Coffin
    • Met on Monday, July 22, 2019. The group discussed EOL and agreed that the next steps are to develop and document the process (including a process flow) for assigning CVE IDs for EOL, how it will be incorporated (i.e., into CNA rules and onboarding), and what this means for the CVE Program and the CNAs. Once drafted, send to the CNACWG for review and comment. Finally, send to the CVE Board for a vote.

CNA Updates

  • MITRE – Jonathan Evans
    • Onboarding session with CNA1 was held this week; it went well.
    • We have been contacted by 3 CNA prospects.
    • CNA2 reached out this week and they are working on the processes and infrastructure to support its CNA program.
  • JPCERT - Jonathan Evans/Chris Coffin
    • No Updates.

Open Discussion Items

  • CVE-2019-13615 Discussion
    • Timeline:
      • June 25, 2019: Researcher posted a VideoLAN VLC vulnerability on the VLC public bug tracker.
      • June 26, 2019: Researcher requested a CVE ID. 
      • MITRE waited 3 weeks to see if additional information would be provided by VideoLAN or the researcher.
      • July 16, 2019: Assigned and populated the CVE ID.
      • July 24, 2019: VideoLAN responded/reached out to MITRE. Based on their email, they appear to be confused about 1) CVE’s role with CVSS scoring and 2) how the CNA program functions.
    • Next steps:
      1. First step is to work with both the researcher and VLC to update the description as necessary to ensure it’s as accurate as possible. If necessary, the CVE entry will be marked as DISPUTED.
      2. Second step is to use this as an opportunity for VideoLAN to become a CNA.

    • The group agreed that a policy should be developed for these kinds of cases going forward (e.g., the vulnerability is public, not all of the details are available or the details are of very low quality, and waiting will likely result in better information becoming available). The policy should state timelines as appropriate. The recommendation was for the MITRE team to develop a couple of options and then the CVE Board would vote on the options:
      • Option 1: Arbitrary but non-flexible timeframe
      • Option 2: Apply human judgement, apply a flexible timeframe and document the criteria
      • Option 3: Populate ASAP, without regard for quality (speed vs. quality).

  • Mark Cox (Red Hat) – Advised the Board that the acquisition of Red Hat by IBM is complete. This led to a discussion around CVE Board member voting. Chris L. explained that CVE Board membership is held by the individual, not by the affiliated organization. However, when votes are held, there is one vote for each affiliated organization. The MITRE team will draft some language on this topic, as there may need to be exceptions to how an organization is defined in the charter. Should the Red Hat and IBM Board members be merged as one vote during future Board votes?
  • Takayuki Uchiyama (Panasonic) – Is considering putting together a paper and talk for an upcoming conference, the APCERT Conference. Expressed interest in joining the Outreach and Communications Working Group (OCWG); he would like promotional materials for the conferences as well as to coordinate on any papers or talks.
    • APCERT Conference 2019 website URL: https://www.apcert2019.sg/
    • The conference is from 9/29 – 10/2 and the call for papers is 8/31/2019.

Action Items from Board Meeting held on 24 July 2019

#: 7.24.01
Action Item: Develop a strategy for handling public but low-quality vulnerabilities, especially cases where the vendor or maintainer has not acknowledged the vulnerability.
Responsible Party: MITRE (Chris C./Jonathan E.)
Status: Not Started
Comments: Assigned July 24, 2019

#: 7.24.02
Action Item: Draft language clarifying the CVE charter around organizational voting (when do we merge votes based on organizational affiliation).
Responsible Party: MITRE (Chris C./Chris L.)
Status: Not Started
Comments: Assigned July 24, 2019

#: 7.24.03
Action Item: Send future discussion items to the appropriate working groups.
Responsible Party: MITRE (Jo Bazar)
Status: Completed
Comments:
7/25 Update: Sent to WGs on July 25, 2019.


Board Decisions

  • None

Future Discussion Topics

1. Communication
   a. Outreach – OCWG for most of this section (unless noted otherwise).
      i. Localization – should start in the QWG for guidance, then go to the AWG for implementation.
      ii. Upstream producers –
         1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
         1. Vulnerability Description
            a. VDO
            b. CSAF
         2. Severity
            a. CVSS
         3. Product identification and management
            a. SBOM
               1. CWE
                  1. Hardware
   b. Metrics – CVE Board
      i. Community metrics (Public metrics)
      ii. CNA-specific metrics
      iii. Program performance (Report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
         1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – SharePoint site (CVE CNA site)

2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
         1. Non-vendor CNAs
            a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
         2. Root CNA shopping
         3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
            a. CNA scope to the cooperative sub-CNAs
   c. Coverage – CVE Board
      i. What’s in, what’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
         1. Define (not a wrench)
      v. Open source software
   d. Goals – CVE Board

3. Operations
   a. Guidance
      i. Operationalizing Root CNAs – SPWG
         1. What is MITRE’s role
         2. How to best operationalize Root CNAs
      ii. For new CNAs – CNACWG
         1. What is needed?
         2. What are the best formats?
         3. How to minimize one-on-one guidance
      iii. How to supply refreshers – CVE Board/CNACWG
   b. CNA Management – CNACWG
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirements
         1. Responsiveness
         2. Time to populate
         3. RBP start time
      iii. Scope statement best practices
      iv. Rules Violations
         1. Assignment correction processes (e.g., reject, split, merge) should account for violations
   c. Assignments – CVE Board
      i. Prevent duplicates
         1. How can CNA scopes help?
   d. Submissions – QWG and CVE Board; AWG handles format implementation
      i. Formats
      ii. Information requirements
         1. Add impact
         2. Add publication data
         3. Add vulnerability type
         4. Split problem type into vulnerability type, root cause, or impact
         5. Don’t require references
      iii. Should the description match the separate metadata fields?

4. CVE List – QWG
   a. Formats (all different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing in the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging
         1. Prose description, do we need it?


Attachment: CVE_Board_Meeting_24 July 2019_FINAL.pdf (463K)