CVE Board Meeting summary - 27 May 2020


CVE Board Meeting summary - 27 May 2020

Jo E Bazar

CVE Board Meeting – 27 May 2020

Members of CVE Board in Attendance

Beverly Alvarez, Lenovo Group Ltd.

Tod Beardsley, Rapid7 (CNA Coordination Working Group Liaison)

Chris Coffin, The MITRE Corporation (MITRE At-Large)

Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)

Kent Landfield, McAfee

Scott Lawler, LP3

Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)

Kathleen Noble, Intel Corporation

Shannon Sabens, Trend Micro/Zero Day Initiative (ZDI)

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance

Jo Bazar

Christine Deal

Jonathan Evans

Chris Levendis

Lew Loren

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 3:00: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Jonathan Evans/Dave Waltermire
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield

 

3:00 – 3:30: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans
  • Root CNA Prospects: Jonathan Evans/Jo Bazar

 

3:30 – 3:50: Other discussion items

  • Physical Attack Discussion
  • DWF Postmortem discussion, lessons learned and opportunities going forward
  • Sponsor Liaison Board position
  • Publishing RBP Metrics 

3:50 – 3:55: Open Discussion

3:55 – 4:00: Action items, wrap-up

Review of Action Items from Board Meeting held on 13 May 2020

# | Action Item | Responsible Party | Status | Comments
02.19.01 | Identify the industries for active and pipeline CNAs to get a complete picture of the CNA profile. | OCWG | In Process | 5/27 Update: The group reviewed the active and pipeline CNAs and has begun to assign industries.
02.19.04 | Develop a strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.). | SPWG | Not Started | Assigned 2/19/2020.
4.1.04 | Develop a Non-responsiveness Policy to address CNA1, which continues to be unresponsive. | Jo Bazar (MITRE) | Pending | 5/13 Update: Pending feedback from CNACWG. CNACWG will provide a recommended response time for CNAs to respond to MITRE requests.
4.1.07 | Formalize Council of Roots responsibilities in anticipation of new Roots joining the program. | SPWG | Not Started | Assigned on 4/1/2020.
4.29.02 | Update the CVE Board charter to address exception issues in CVE Board member voting. | Kent L. | In Process | 5/27 Update: Draft charter write-up sent to the CVE Board private list on 4/29 for review and comment. Voting will begin on June 2, 2020.
5.13.01 | Initiate vote for Jay Gazlay's nomination to the CVE Board. | Chris L. (MITRE) | Completed | 5/27 Update: Jay Gazlay voted onto the CVE Board effective May 20, 2020.
5.13.02 | Take the lead on developing a proposal for an automated vulnerability identification workshop, including an initial target participant list, and report back at the next CVE Board meeting on May 27, 2020. | Kent L. (McAfee) | Not Started | Assigned on 5/13/2020.
5.13.03 | Add future discussion items from the May 13, 2020 CVE Board meeting to a future agenda (open source project discussion and sponsor liaison). | Chris L. (MITRE) | Completed | 5/27 Update: Agenda items added to the 5/27/2020 meeting agenda.


Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • OCWG meeting held on May 15, 2020:
      • The group reviewed the active and pipeline CNA list and assigned industries.
      • Podcast planning is underway; the group agreed to use Skype or MS Teams, and a tentative date is scheduled for June 11.
      • Jonathan will provide an updated list of vendors based on the CVE IDs requested from MITRE.
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • CNACWG meeting held on May 20, 2020:
      • Successful non-US meetings were held with European and Asian participants (Taki attended, and JP-CERT is interested in attending future meetings).
      • The virtual summit is scheduled for Monday, October 19, 2020, from 1:00 p.m. to 5:00 p.m. ET.
      • Matt B./Joe W. provided an overview of the CVE Entry states for feedback on the Entry Submission and Upload Service.
  • Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
    • QWG meeting held on May 14, 2020:
      • Efforts are wrapping up on EOL tagging.
      • Focused on a general design document covering container tagging for EOL and service tags.
      • Starting to talk through how new tags will get added: how will proposals be processed, approved, and assigned to the right working group (e.g., CNA-specific tags)?
      • Also discussing different types of tagging around reference types.
      • Feedback is due back by the next QWG meeting, May 28.
      • Dave explained that we need a place to host the list (valid tag names, valid reference types, etc.).
  • Automation Working Group (AWG): Lew Loren
    • AWG meetings held on May 19 and 26, 2020:
      • Continuing to meet with SPWG to solicit feedback on AWG services.
      • ID allocation: code has been implemented; soliciting feedback from SPWG.
      • Authentication and User Registry: Cognito deployed and configured in the development environment; User Registry is in development. Soliciting feedback from SPWG.
      • Entry Submission and Upload Service (ESUS): gathered requirements in meetings with SPWG participants, added automated tests, and identified a more concise set of CVE ID states.
      • Upconverter has slipped by 10 days; an email will follow.
      • Requirements for the CVE Website are underway.
  • Strategic Planning Working Group (SPWG): Kent Landfield
    • SPWG meeting held on May 20, 2020:
      • The group reviewed and commented on the EOL process document.
      • The document was sent to the CNA list for feedback on May 21.
      • Next step is to tech edit the document and then send it to the CVE Board for approval and program acceptance.

CNA Updates

  • MITRE – Jo Bazar
    • Requests to become a CNA:
      • Received six CNA requests since the last CVE Board meeting (held on 5/13/20):
    • On-Boarding:
      • Two onboarding sessions since the last CVE Board meeting.
      • One CNA onboarding session scheduled in June.
    • CNA Announcements and News:
      • Four CNA announcements since the last CVE Board meeting: GitLab, OpenVPN Inc., NortonLifeLock and Sierra Wireless.
      • There are now 127 CNAs participating in the program in 21 countries.
      • 103 in the CNA pipeline in total: 15 in Q3’19; 16 in Q4’19; 23 in Q1’20 and 17 in Q2’20.
      • One pending CNA announcement.
    • CNAs missing disclosure policies and/or advisory locations (as required by CNA Rules 3.0):
      • We have emailed the 19 CNAs that are missing disclosure policies and/or advisory locations; 8 have provided the requested information and 11 are outstanding.
  • JPCERT – Jonathan Evans
    • CNA status updates 5/26/20:
      • Number of new CNAs: 0
      • Number of prospective CNAs we are working with: 2
    • CNA guidance material:
      • The initial translation is finished and we are now reviewing the slides internally. This is taking a bit longer, as the amount of our coordination work has increased more than we expected. Therefore, although things are still moving forward, not everything (including our PR team review) will be finished by the end of May as we planned.
  • Root CNA Prospects – Jonathan Evans/Jo Bazar
    • RCNA1 Root update:
      • Jonathan and Jo met with RCNA1 on May 27, 2020.
      • The group reviewed the project timeline, updated the completion percentages, and added status updates.
      • The RCNA1 team will join the CNA Onboarding session on June 17 to get an idea of how MITRE conducts CNA onboarding sessions.


Open Discussion

Physical Attack Discussion

  • The group discussed whether CVE IDs should be assigned to vulnerabilities that require physical attacks (e.g., opening the case or “evil maid” attacks).
    • Reports of these attacks are expected to increase.
    • The program needs to be consistent in how it handles these issues.
    • Some products attempt to protect against these attacks (e.g., hard drive encryption), and we want to support them.
    • Focusing on the security model of the product helps ensure consistency in assignment.
  • The dispute process needs to be completed and documented (action item from the CVE Global Summit to develop a dispute process to be posted on the CVE site).
  • The group agreed and recommended a CNA Rules change:
    • If the vulnerability is created by a physical attack that violates a security model, we will assign a CVE ID. If it does not violate that security model, we would not assign a CVE ID.
    • Jo will begin documenting the proposed CNA Rules changes for V4.0 and make them available on the SharePoint site.

DWF Postmortem discussion: Lessons learned and opportunities going forward

  • Many companies use open source products. Intel has experienced an influx of CVE ID requests, and no one wants to deal with it. DWF provided coverage for open source products, but today we do not have a representative from a CNA perspective.
  • Katie would like to set up a meeting to discuss DWF and conduct a lessons-learned review.
  • David expressed that we need a little time to think about it and either discuss it at the next meeting or schedule a meeting specific to this topic.
  • Katie will take the action to schedule a meeting to discuss.

Publishing RBP Metrics

  • We already have people coming to us telling us about RBPs. If we make this metric public facing, community members will be motivated to report them to us. The only number to be reported will be the total number of RBPs, not the actual IDs with their details.
  • Chris Coffin asked what the harm would be in reporting RBPs to the public.
    • CNAs expressed concern at the CNA Summit that the information would be embarrassing to them.
  • Chris L. explained the two benefits of publishing the metrics: 1) to get more community help, and 2) to tell a story about the reduction in RBPs.

Action Items from Board Meeting held on 27 May 2020

# | Action Item | Responsible Party | Status | Comments
5.27.01 | Provide an updated list of vendors (based on the CVE IDs requested) to the OCWG. | Jonathan E. (MITRE) | Not Started | Assigned on 5/27/2020.
5.27.02 | Schedule a meeting to discuss the DWF postmortem, lessons learned, and opportunities moving forward. | Katie N. (Intel) | Not Started | Assigned on 5/27/2020.
5.27.03 | Start a list of suggestions for the next CNA Rules update. | Jo B. (MITRE) | Not Started | Assigned on 5/27/2020.


Board Decisions

None

Next CVE Board Meeting 

Wednesday, June 10, 2020 at 2:00PM EDT

Future discussion Items

  • Sponsor Liaison Board position
  • Publishing RBP Metrics 
    • The next time we discuss this topic, we have two questions:
      1. Should we do it?
      2. When/how should we do it?

 

 


Attachment: CVE_Board_Meeting_27 May 2020 FINAL.pdf (550K)

[EXT] RE: CVE Board Meeting summary - 27 May 2020

Noble, Kathleen

Hi All,

I wanted to resurface the Physical Attack Discussion. I think we agreed to update the counting rules to reflect the conversation below. Intel is planning to update our Bug Bounty Scope guidance to clarify the physical attack scope.

I wondered what the next steps are for the CVE program?

 

Best,

Katie

Katie Noble

Director, Intel PSIRT and Bug Bounty

503-207-8783

[hidden email]

Keybase: katienoble

 

From: Jo E Bazar <[hidden email]>
Sent: Tuesday, June 2, 2020 11:58 AM
To: CVE Editorial Board Discussion <[hidden email]>
Subject: CVE Board Meeting summary - 27 May 2020

 
