☐Beverly Alvarez, AMD
☐Ken Armstrong, EWA-Canada, An Intertek Company
☒Tod Beardsley, Rapid7
☒Chris Coffin, The MITRE Corporation (MITRE At-Large)
☐Jessica Colvin JPMorgan Chase
☐Mark Cox, Red Hat, Inc.
☒William Cox, Synopsys, Inc.
☒Patrick Emsweller, Cisco Systems, Inc.
☐Tim Keanini, Cisco Systems, Inc.
☒Kent Landfield, McAfee
☒Scott Lawler, LP3
☒Pascal Meunier, CERIAS/Purdue University
☐Ken Munro, Pen Test Partners LLP
☒Kathleen Noble, Intel Corporation
☒Lisa Olson, Microsoft
☒Shannon Sabens, CrowdStrike
☒Takayuki Uchiyama, Panasonic Corporation
☒David Waltermire, National Institute of Standards and Technology (NIST)
☒James “Ken” Williams, Broadcom Inc.
Members of MITRE CVE Team in Attendance
02:05-02:35: Open discussion items
02:35-03:55: Review of Action items (see attached excel file)
See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 12May21– Agenda and Action items)
§ CVE Program Information Leak – Kris Britton (MITRE)
o Kris Britton explained that on the morning of April 20, 2021, the MITRE Top-Level Root (TL-Root) became aware of an incident that compromised CVE Program information at various levels of sensitivity.
§ Bottom Line Up Front: A CNA's API secret for the ID Reservation (IDR) Service was exposed to the public for 19 hours. Upon discovering this, the Secretariat initiated the incident response plan that the Automation Working Group (AWG) had agreed to approximately five weeks earlier. Consistent with that plan, the Secretariat took immediate action to address the risk by resetting the CNA's API secret. Upon further review of the logs, no nefarious activity was discovered. Other programmatic information was leaked, but none of it appears significant.
o The Board discussed marking CVE Summit materials, presentations, and notes with TLP and agreed that this approach should be best practice for CVE Summits moving forward. Tod B. has the action to announce the use of TLP to CVE Summit presenters and attendees.
o The Board agreed the CVE Program needs better discipline in the use of TLP for CVE Program materials. For the most part, items should be marked TLP Amber.
§ CVE Board Nomination - Chandan B Nandakumaraiah
o David W. submitted Chandan B.N. as a CVE Board member nominee on April 16, 2021. Below is Chandan’s nomination statement.
§ With over 20 years of experience working in product security, Chandan is an insightful, strong technical leader with an eye towards vulnerability issues that affect end-user organizations. He has a long history of contributing to the CVE program, demonstrating a commitment to improving CVE, and working as both a producer and consumer of CVE information. I have worked with him as co-chair of the quality working group for the last few months. He demonstrates extensive knowledge of vulnerability coordination and management, is well organized, a good communicator, and able to develop consensus around complex topics. He is interested in automation within the CVE program and improving the user experience of our stakeholders. To this end he developed Vulnogram, a tool used by some CNAs, which provides a graphical web-based interface for producing and updating CVE records. Chandan will be an active contributor to the CVE board, helping in this new capacity to evolve CVE in a positive, user-centric way, and will remain an active contributor to the CVE program. He is the type of engaged participant in the CVE program we need more of.
o The Board agreed to press forward with the CVE Board nomination of Chandan B.N. The next steps are to schedule a 30–45-minute interview with Chandan.
o The Secretariat has the action to reach out to Chandan for his availability on May 12th at 9:00AM EDT.
§ CVE Program Professional Code of Conduct – Kent Landfield
o The Board agreed that one code of conduct for the entire CVE program is appropriate.
o The Board agreed to move forward with integrating the Professional Code of Conduct and publishing it on the CVE website. In addition, the Professional Code of Conduct will be included in the CNA onboarding PowerPoint, and all the WG charters will point to the CVE Program-wide Code of Conduct.
o The Secretariat will review, edit, and post it on the new CVE website.
§ CVE Allow-List – Katie Noble
o Katie explained that NVD overwrites vendor CVSS scores, and vendors suggested having both scores available for viewing. David W. explained that both scores are listed on the NVD: if the vendor and NVD CVSS scores agree, NVD lists only the vendor's CVSS score; if they do not agree, both CVSS scores are listed.
See attached Excel spreadsheet (CVE Board Meeting 28April21– Agenda and Action items)
§ The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to CVE Program Secretariat ([hidden email]).
CVE_Board_Meeting 28 April 2021 FINAL.pdf (289K)