Beverly Alvarez, Lenovo Group Ltd.
Tod Beardsley, Rapid7 (CNA Coordination Working Group Liaison)
Chris Coffin, The MITRE Corporation (MITRE At-Large)
Kent Landfield, McAfee
Scott Lawler, LP3
Kathleen Noble, Intel Corporation
Shannon Sabens, Trend Micro/Zero Day Initiative (ZDI)
Takayuki Uchiyama, Panasonic Corporation
David Waltermire, National Institute of Standards and Technology (NIST)
Ken Williams, Broadcom Inc.
Members of MITRE CVE Team in Attendance
2:15 – 3:00: Working Groups
3:00 – 3:30: Root CNA Update
3:50 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up
§ The group reviewed the active and pipeline CNA list and assigned industries.
§ The podcast planning is underway; the group agreed to use Skype or MS Teams and a tentative date is scheduled for June 11.
§ Jonathan will provide an updated list of vendors based on the CVE IDs requested from MITRE.
§ Successful non-US meetings were held with European and Asian participants (Taki attended, and JP-CERT is interested in attending future meetings)
§ The virtual summit is scheduled for Monday, October 19, 2020, from 1:00 p.m. to 5:00 p.m. ET.
§ Matt B/Joe W. provided an overview of the CVE Entry states for the feedback for the Entry Submission and Upload Service.
§ Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
§ Efforts are wrapping up on EOL tagging
§ Focused on general design document around container tagging for EOL and service tags
§ Starting to talk through how new tags will get added: How will the proposals be processed and approved and assigned to the right working group (e.g., CNA specific tags)?
§ Also discussing different types of tagging around reference types
§ Feedback is due back by the next QWG, May 28.
§ Dave explained that we need a place to host the list, valid tag names, valid reference types, etc.
– AWG meeting held on May 19 and 26, 2020:
§ The group reviewed and commented on the EOL process document.
§ The document was sent to the CNA list for feedback on May 21.
§ Next step is to tech edit the document and then send to CVE Board for approval and program acceptance.
§ Received six CNA requests since the last CVE Board meeting (held on 5/13/20):
§ Two onboarding sessions since the last CVE Board meeting.
§ One CNA onboarding session scheduled in June.
§ Four CNA announcements since the last CVE Board meeting: GitLab, OpenVPN Inc., NortonLifeLock and Sierra Wireless
§ There are now 127 CNAs participating in the program in 21 countries
§ 103 in total CNA pipeline: 15 in Q3’19; 16 in Q4’19; 23 in Q1’20 and 17 in Q2’20
– CNAs missing disclosure policies and/or advisory locations (as required based on CNA rules 3.0)
§ We have emailed the 19 CNAs that are missing disclosure policies and/or advisory locations. We have received the requested information from 8 CNAs; 11 are outstanding.
§ JPCERT - Jonathan Evans
– CNA Status Updates 5/26/20:
§ The initial translation is finished and we are now reviewing the slides internally. This is taking a bit long, as the amount of our coordination work has increased more than we expected. Therefore, although things are still moving forward, not everything (including our PR team review) will be finished by the end of May as we planned.
DWF Postmortem discussion: Lessons learned and opportunities going forward
Publishing RBP Metrics
Wednesday, June 10, 2020 at 2:00PM EDT
CVE_Board_Meeting_27 May 2020 FINAL.pdf (550K)