CVE Board Meeting summary - 28APR2021


CVE Program Secretariat

Members of CVE Board in Attendance

Beverly Alvarez, AMD
Ken Armstrong, EWA-Canada, An Intertek Company
Tod Beardsley, Rapid7
Chris Coffin, The MITRE Corporation (MITRE At-Large)
Jessica Colvin, JPMorgan Chase
Mark Cox, Red Hat, Inc.
William Cox, Synopsys, Inc.
Patrick Emsweller, Cisco Systems, Inc.
Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)
Tim Keanini, Cisco Systems, Inc.
Kent Landfield, McAfee
Scott Lawler, LP3
Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)
Pascal Meunier, CERIAS/Purdue University
Ken Munro, Pen Test Partners LLP
Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)
Kathleen Noble, Intel Corporation
Lisa Olson, Microsoft
Shannon Sabens, CrowdStrike
Takayuki Uchiyama, Panasonic Corporation
David Waltermire, National Institute of Standards and Technology (NIST)
James “Ken” Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance

Jo Bazar
Kris Britton
Christine Deal
Jonathan Evans
Chris Levendis

Agenda

02:00-02:05: Introductions and Roll Call
02:05-02:35: Open discussion items
02:35-03:55: Review of Action items (see attached Excel file)
03:55-04:00: Wrap-up

New Action items from today’s Board Meeting

See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 12May21 – Agenda and Action items)

#: 4.28.01
Action Item: Post CVE Program Professional Code of Conduct document and publish to CVE website.
Responsible Party: Jo B. (MITRE/Secretariat)
Due: (not set)
Status: Not Started
Comments: Assigned on 4/28/2021

#: 4.28.02
Action Item: Finalize Quality Working Group Charter and publish to CVE website and GitHub.
Responsible Party: David W.
Due: (not set)
Status: Not Started
Comments: Assigned on 4/28/2021

#: 4.28.03
Action Item: Update WG Slip-sheet to include traffic light protocol (TLP) information and an explanation.
Responsible Party: Jo B. (MITRE/Secretariat)
Due: (not set)
Status: Not Started
Comments: Assigned on 4/28/2021

Discussion Items

§  CVE Program Information Leak – Kris Britton (MITRE)

o   Kris Britton explained that on the morning of April 20, 2021, the MITRE Top-Level Root (TL-Root) became aware of an incident that compromised CVE Program information at various levels of sensitivity.

§  Bottom Line Up Front: A CNA's API secret for the ID Reservation (IDR) Service was exposed to the public for 19 hours. Upon discovering this, the Secretariat initiated the incident response plan that was agreed to by the Automation Working Group (AWG) approximately five weeks ago. Consistent with that plan, the Secretariat took immediate action to address the risk by resetting the CNA's API secret. Upon further review of the logs, no nefarious activity was discovered. Other programmatic information was leaked, but none of it appears significant.

o   The Board discussed marking CVE Summit materials, presentations, and notes with TLP designations and agreed this approach should be best practice for the CVE Summits moving forward. Tod B. has the action to announce the use of TLP to CVE Summit presenters and attendees.

o   The Board agreed the CVE Program needs better discipline in the use of TLP with CVE Program materials. For the most part, items should be marked TLP:AMBER.

§  CVE Board Nomination - Chandan B Nandakumaraiah

o   David W. submitted Chandan B.N. as a CVE Board member nominee on April 16, 2021. Below is Chandan’s nomination statement.

§  With over 20 years of experience working in product security, Chandan is an insightful, strong technical leader with an eye towards vulnerability issues that affect end user organizations. He has a long history of contributing to the CVE program, demonstrating a commitment to improving CVE, and working as both a producer and consumer of CVE information. I have worked with him as co-chair of the quality working group for the last few months. He demonstrates extensive knowledge of vulnerability coordination and management, is well organized, a good communicator, and able to develop consensus around complex topics. He is interested in automation within the CVE program and improving the user experience of our stakeholders. To this end he developed Vulnogram, a tool used by some CNAs, which provides a graphical web-based interface for producing and updating CVE records. Chandan will be an active contributor to the CVE board, helping in this new capacity to evolve CVE in a positive, user-centric way, and will remain an active contributor to the CVE program. He is the type of engaged participant in the CVE program we need more of.

o   The Board agreed to press forward with the CVE Board nomination of Chandan B.N. The next steps are to schedule a 30–45-minute interview with Chandan.

o   The Secretariat has the action to reach out to Chandan for his availability on May 12th at 9:00AM EDT.

§  CVE Program Professional Code of Conduct – Kent Landfield

o   The Board agreed that one code of conduct for the entire CVE program is appropriate.

o   The Board agreed to move forward with integrating the Professional Code of Conduct and publishing it on the CVE Website. In addition, the Professional Code of Conduct will be included in the CNA onboarding PowerPoint, and all the WG charters will point to the CVE Program-wide Code of Conduct.

o   The Secretariat will review, edit, and post it on the new CVE website.

§  CVE Allow-List – Katie Noble

o   Katie explained that NVD overwrites vendor CVSS scores, and vendors suggested having both scores available for viewing. David W. explained that both scores are listed on NVD: if the vendor and NVD CVSS scores agree, NVD lists only the vendor’s CVSS score; if they do not agree, both CVSS scores are listed.

Board Decisions

Next CVE Board Meetings

Open Discussion Items (to be discussed at future meetings)

See attached Excel spreadsheet (CVE Board Meeting 28April21 – Agenda and Action items)

CVE Board Recordings

§  The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to the CVE Program Secretariat ([hidden email]).

Attachment: CVE_Board_Meeting 28 April 2021 FINAL.pdf (289K)