CVE Board Meeting summary - 26June2019


Coffin, Chris

Andy Balinsky, Cisco Systems, Inc.

Tod Beardsley, Rapid7

Patrick Emsweller, Cisco Systems, Inc.

Kent Landfield, McAfee

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Scott Moore, IBM

Lisa Olson, Microsoft

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Christine Deal

Jonathan Evans

Chris Levendis

Lew Loren

Joe Sain

 

Agenda

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 2:30: Working Groups

  • CNA Coordination Working Group (CNACWG) – Tod Beardsley
  • Quality Working Group (QWG) – Dave Waltermire/Chris Coffin
  • Automation Working Group (AWG) – Lew Loren
  • Strategic Planning Working Group (SPWG) – Kent Landfield/Chris Coffin

 

2:30 – 2:45: Root CNA Update

  • MITRE – Jonathan Evans
  • JPCERT – Taki Uchiyama

2:45 – 3:55: Vendor-confirmed SaaS-based vulnerability

3:00 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up

Review of Action Items from Board Meeting held on 12 June 2019

#: 1.23.1
Action Item: Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).
Responsible Party: MITRE (Evans/Sain)
Status: In Process
Comments:
  MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below:
    1. How to submit entries to MITRE using the web form
    2. CVE ID assignment rule (Counting)
    3. Becoming a CNA
    4. CVE Program (includes Root structure)
    5. How to request the MITRE CNA populate a CVE entry
  4/3 Update: Jonathan has started assigning some of the individual modules to members of the CNA coordination team and content team. In addition, the CCWG is also reviewing and updating the existing online guidance.
  6/12 Update: In process. Some of the draft scripts for the online individual modules are complete, and the existing online guidance is also being reviewed and updated.

#: 2.6.9
Action Item: Organize an event at Blackhat USA (August 2019) to celebrate 20 years of CVE.
Responsible Party: MITRE (Joe S./Levendis)
Status: In Process
Comments:
  6/12 Update: Contract is signed with Blackhat; waiting on confirmation of event date 8/7 or 8/8 before we can proceed with approvals. Once approved by BH, we can move forward with the event planning with Excalibur. The group agreed and the majority voted for August 7th.
  6/13 Update: Approval form sent to BAH, pending approval.
  6/26 Update: Approval received from BAH; space is available at the Excalibur. Excalibur is drafting up the contract.

#: 3.20.11
Action Item: Review alternatives for public facing CVE Board discussion group archives (currently Nabble).
Responsible Party: MITRE (Joe S.)
Status: Completed
Comments:
  5/29 Update: Reviewing alternatives over the next week. Plans are to test functionality of top contenders over the next two weeks.
  6/26 Update: Nabble has transitioned from fee for service to free. We do not need to seek an alternative platform at this time.

#: 4.17.3
Action Item: Break out future discussion items in the following categories: Ongoing, Future, and OBE. Report back to the CVE Board and add to the future discussion items.
Responsible Party: MITRE (CVE Team)
Status: In Process
Comments:
  5/1 Update: MITRE CVE Team met to review the discussion items; the future discussion items will be categorized into appropriate functional areas.
  5/29 Update: MITRE team meeting this week to finalize document.
  6/11 Update: Future discussion items were revised in 5/29 meeting minutes, for review and comment by the CVE Board.
  6/26 Update: Discussed in the 6/24 SPWG call and decided to ask the Board to walk through the items in the CVE Board meeting on July 10.

#: 4.17.5
Action Item: Research solution for storing, archiving, and central repository for CVE Board and WG meeting minutes, as well as tracking action items.
Responsible Party: MITRE (CVE Team)
Status: In Process
Comments:
  5/15 Update: Jonathan sent the SharePoint site to the working groups for rules revision collaboration and for use for other working group materials. A Handshake account is required to access the site.
  6/12 Update: CNA SharePoint site is up (a MITRE Partners account is required); a Handshake account is used for current meeting recordings, and we are moving the archive of recordings to Amazon Glacier for cold storage.

#: 4.17.7
Action Item: Follow up with Kurt S. about the survey results; obtain for future use in QWG.
Responsible Party: MITRE (Chris C.)
Status: In Process
Comments:
  5/15 Update: Kurt sent an email on 5/13 suggesting that the survey be closed and published as there have not been any new results since 5/2.
  6/26 Update: Google Docs report has been available since 5/14 and it has an image of the survey results. Sent an email to Kurt to get those results in a more accessible format.

#: 5.1.02
Action Item: Send Cloud survey to CNA List so they can provide input.
Responsible Party: Kurt S.
Status: In Process
Comments:
  5/15 Update: Waiting on survey to close on item 4.17.1.

#: 5.15.1
Action Item: Create the invitation list for CVE celebration.
Responsible Party: ALL
Status: In Process
Comments:
  6/26 Update: The group started the draft list of invitees; the list includes past/present CVE Board members and contributors. Send draft list to CVE Board for review/comment.

#: 6.12.1
Action Item: Send short names for CNAs to review and provide input.
Responsible Party: CNA Coordinators
Status: In Process
Comments:
  Assigned June 12, 2019.
  6/26 Update: List sent to CVE Board for review June 26, 2019.

#: 6.12.2
Action Item: Finalize “Trifold” or “Flyer” before CVE 20-year Milestone event in Las Vegas, on August 7th.
Responsible Party: CVE Board (select) / MITRE
Status: In Process
Comments:
  6/12 Update: Draft flyer sent to Beverly M., Kent L., Tod B., Shannon S., Andrea T. and Taki U. for review and feedback with a due date of June 28, 2019.

#: 6.12.3
Action Item: Develop Objectives/Goals for Marketing WG, send to CVE Board for review and feedback. Next step is to send to CNA List for CMWG volunteers and participation.
Responsible Party: MITRE (Jo Bazar)
Status: In Process
Comments:
  6/26 Update: Draft sent to CVE Private Board for review and feedback; due to Jo Bazar by July 9, 2019.

 

Working Group Updates

  • CNA Coordination Working Group (CNACWG): Tod Beardsley/Chris Coffin
    • Met on Wednesday, June 19, 2019. Tod asked about the Rules revisions on their list, “Update problems with assignments (reject, split, and merge processes) to include CNA violations”
      • Jonathan explained that if two different CNAs assigned two CVE IDs to the same vulnerability, one being the vendor of the product and the other the researcher, the current Rules state that the CVE ID to be used is the one most referenced, rather than the CVE ID assigned by the CNA that was authorized to assign it (i.e., the vendor).
    • Tod proposed allowing existing CNAs to work with Open Source projects with the goal of helping them participate in the CNA program. This would give the project an experienced CNA who is willing to take on another project. Since many Open Source projects are strapped for funding, this would allow them to participate with minimal investment.
      • The Board agreed that this is a good idea and said that a broader discussion of Open Source is needed (e.g., how it is supported today, how we would like to see it supported, and how governance would be handled).
      • Rapid7 is willing to pilot the program following a Board discussion on Open Source support.
      • This issue will be further discussed at the next CNACWG meeting on July 3, 2019.
    • Tod asked the Board about EOL products and assigning CVE IDs: Should the program force CNAs to assign CVEs to EOL products, or should they be assigned by an upstream CNA? The Board proposed the following sequence of events:
      • Tod will summarize the EOL issues/options and send them to the SPWG.
      • The SPWG will develop recommendations.
      • The recommendations will then be sent to the CNA list for review and edit.
      • The CVE Board will then make a decision on the recommendations.
  • Quality Working Group (QWG): Dave Waltermire/Chris Coffin
    • The QWG met on Thursday, June 13, 2019. Next interview is scheduled for July 15, 2019, with Art Manion and Madison Oliver at CERT/CC. 
    • New CNA Rules Revision items introduced. Chris C. introduced new minimum data requirements for the CVE descriptions and whether a reference was required. David W. explained that the CVE Entry should contain certain optional data elements if references are not provided. Dave and Chris are writing recommendations to address these revisions and the CVE tagging that has been discussed previously.
  • Automation Working Group (AWG) – Lew Loren 
    • The AWG met on Monday, June 24, 2019. Progress continues on the three existing services: CVE ID Allocation, CVE User Registry, and Credentialing, Authentication, and Authorization Services. 
      • CVE ID Allocation: Functional code has been developed, as has a solid set of requirements.
      • CVE User Registry: Some code is in place, and the AWG is soliciting requirements on what CNAs should be able to do when delegating to sub-CNAs.
      • Credentialing, Authentication, and Authorization Services: This is the least mature service; most of the code has been stubbed out. At this point, the service can hand out tokens and pass them around.
      • All code is available on GitHub. A Docker container containing the three services in an executable form is available to be downloaded and tested.
    • Upload Service (replace GitHub): Chandan provided a version of Vulnogram that includes a Creative Commons Zero license. The AWG is reviewing the code to see what can be reused when developing the upload service.
  • Strategic Planning Working Group (SPWG) – Kent Landfield/Chris Coffin
    • Met on Monday, June 24, 2019. The Root CNA Roles and Responsibilities prose document is underway, and a draft will be reviewed at the next SPWG meeting on July 8, 2019. The group talked about the Future Topics and discussed the approach for outlining the topics and next steps.
    • Discussed the need to put together the invite list for the 20-year CVE event.
    • Reminder: Please use the SharePoint site for storing WG documents. https://partners.mitre.org/sites/CVE_CNA/SitePages/Home.aspx

CNA Updates

  • MITRE – Jonathan Evans
    • The CNA team was at the FIRST conference in Edinburgh. We have a few good leads for potential CNAs. CPE was discussed at FIRST; there is a rumor that NVD will no longer support CPE. David Waltermire (NIST) explained that NIST has been issuing 90% of the CPEs and that this is not sustainable. Over the longer term, NIST plans to transition to SWID tags.
    • floragunn GmbH was announced as CNA on June 26, 2019.
    • The onboarding videos are in process and being worked.
    • Jonathan is working on the CNA reports; draft reports sent to the CNA list for feedback.
  • JPCERT - Takayuki Uchiyama
    • No Updates.

 

Open Discussion Items

Vendor-confirmed SaaS-based vulnerability

  • The Board was briefed on a current CVE ID request for a SaaS-related issue, without specifics or the vendor affected.
    • The vulnerability was acknowledged by the vendor and a mitigation was provided.
    • The mitigation required customer action.
    • The vendor is NOT a CNA.
  • The Board discussed how to handle the situation where a SaaS vulnerability has been acknowledged by the vendor, but they are not a CNA and will not request a CVE ID. Can the upstream CNA assign a CVE ID for the vulnerability?
  • With the current information provided, the Board believes that a CVE ID should be assigned.
    1. MITRE will follow up with the vendor to understand more of the details.
      • Do they plan on announcing this issue to customers or have they already?
      • Do they intend to request a CVE ID?  
    2. MITRE will also follow up with the researcher to get more information on the issue.
  • Lisa O. expressed that this violates the rules. Chris L. explained that we have had situations like this before, and a Board vote may be required.
  • Once the CVE team has more details from the vendor and researcher, they will provide those to the Board and the Board will determine how to proceed.

Board Nominations Process

  • The group discussed whether interviewing board nominees should be added to the nomination process. Dave W. expressed that the process should be consistent, whatever the process is. The group decided that an interview should automatically be scheduled and will begin with the next nomination. The charter will be updated to reflect this process change.

CVE IDs for Fuzzing Results

  • The group discussed how to respond to a thread on the oss-security mailing list about OSS-Fuzz results not receiving CVE IDs: https://www.openwall.com/lists/oss-security/2019/06/15/2.
    • The Quality Working Group will reach out to the initial poster and possibly some of the other participants for feedback.


Agenda Items for Upcoming Meetings

  • Future discussion items
  • Up and coming conferences and key meetings

Action Items from Board Meeting held on 26 June 2019

#: 6.26.1
Action Item: Send invite (e.g., Eventbrite) to CNA list, CVE Board members and other invitees for BlackHat 20-year event on August 7, 2019.
Responsible Party: MITRE
Status: Not Started
Comments:
  Assigned 6/26/2019

#: 6.26.2
Action Item: Update Charter to reflect the new interview process for board nominations and that CVE Board members can send nominations directly to the private board list.
Responsible Party: MITRE (Chris C.)
Status: Not Started
Comments:
  Assigned 6/26/2019

#: 6.26.3
Action Item: Update Charter to reflect new Board nomination interview process. When a new Board member is nominated, a 30-minute interview is conducted during the next Board call.
Responsible Party: MITRE (Chris C.)
Status: Not Started
Comments:
  Assigned 6/26/2019

#: 6.26.4
Action Item: Draft invite list for CVE Board for review and comment.
Responsible Party: MITRE (Jo B.)
Status: In Process
Comments:
  6/26: Draft list sent to CVE team for review and comment.

 

Board Decisions

  • The board agreed to conduct interviews as part of the process for nominating new CVE Board members.

Future Discussion Topics

1. Communication
  a. Outreach
    i. Localization
    ii. Upstream producers
      1. CNA Recruitment
    iii. Downstream users
    iv. Related Projects
      1. Vulnerability Description
        a. VDO
        b. CSAF
      2. Severity
        a. CVSS
      3. Product identification and management
        a. SBOM
          1. CWE
            1. hardware
  b. Metrics
    i. Community metrics (Public metrics)
    ii. CNA specific metrics
    iii. Program performance (Report card)
  c. Knowledge capture/transfer
    i. Record Working Group meetings
      1. Where to store the recordings?
    ii. Issue tracking
    iii. Storage of WG materials
2. Strategy
  a. Program Structure
  b. Roles, responsibilities, and requirements
    i. Disclosure Policies
    ii. Scope
      1. Non-vendor CNAs
        a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
      2. Root CNA shopping
      3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
        1. CNA scope to the cooperative sub-CNAs
  c. Coverage
    i. What’s in, What’s out
    ii. End of life
    iii. Software as a service
    iv. Hardware
      1. Define (not a wrench)
  1. Goals
1. Operations
  1. Guidance
    i. Operationalizing Root CNAs
      1. What is MITRE’s role
      2. How to best operationalize Root CNAs
    ii. For new CNAs
      1. What is needed?
      2. What are the best formats?
      3. How to minimize one-on-one guidance
    iii. How to supply refreshers
  1. CNA Management
    i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
    ii. Requirement
      1. Responsiveness
      2. Time to populate
      3. RBP start time
    iii. Scope statement best practices
    iv. Rules Violations
      1. Assignment correction processes (e.g. reject, split, merge) should account for violations
  1. Assignments
    i. Prevent duplicates
      1. How can CNA scopes help?
  1. Submissions
    i. Formats
    ii. Information requirements
      1. Add impact
      2. Add publication data
      3. Add vulnerability type
      4. Split problem type into vuln. type, root cause, or impact
      5. Don’t require references
    iii. Should the description match the separate metadata fields
4. CVE List
  a. Formats (all different formats)
    i. How can the download formats be updated?
  b. CVE Tagging
    i. Helps filtering
    ii. How to identify the categories we need
    iii. Should the tagging be attached to the product or the vulnerability?
    iv. Could we leverage a product listing the CVE User Registry?
    v. Can it be automated?
    vi. EOL tagging
      1. Prose description, do we need it?