CVE Board Meeting summary - 29 April 2020


Jo E Bazar

CVE Board Meeting – 29 April 2020

Members of CVE Board in Attendance

Tod Beardsley, Rapid7

Chris Coffin (MITRE at Large)

Patrick Emsweller, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Moore, IBM

Lisa Olson, Microsoft

Shannon Sabens, Trend Micro

Kathleen Noble, Intel

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance

Jo Bazar

Christine Deal

Jonathan Evans

Chris Levendis

Lew Loren

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 3:00: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Jonathan Evans/Dave Waltermire
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield

 

3:00 – 3:30: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans
  • Root CNA Prospects – Jonathan Evans/Jo Bazar

 

3:30 – 3:35: MITRE Voting

3:35 - 3:40: Schedule interview for nomination

3:40 - 3:50: CNA Report Card Q1’20

3:50 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up


# | Action Item | Responsible Party | Status | Comments
02.19.01 | Identify the industries for active and pipeline CNAs so we get a complete picture of the CNA profile. | OCWG | In Process | Assigned 2/19/2020.
02.19.04 | Develop strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.). | SPWG | Not Started | Assigned 2/19/2020.
3.18.02 | QWG to develop a definition for EOL tagging for presentation to the CVE Board. Once defined, the next step is to document the entire process. | Lisa Olson/Jonathan E. (MITRE) | Completed | 4/15 Update: Draft document developed; will be reviewed in QWG. 4/29 Update: Draft is done and has been handed off to the QWG/SPWG.
3.18.04 | Develop write-up to send to the CNAs via the CNA mailing list to get their feedback on the JSON 5.0 90-day transition. | Lew L. (MITRE) | Completed | 4/29 Update: AWG meeting held on 4/13 where the transition schedule was presented and meeting notes were sent to the various email lists (AWG, SPWG, QWG and CNA).
4.1.04 | Develop Non-responsiveness Policy to address CNA1, which continues to be unresponsive. | Jo Bazar (MITRE) | Not Started | Assigned on 4/1/2020.
4.1.07 | Formalize Council of Roots responsibilities in anticipation of new Roots joining the program. | SPWG | Not Started | Assigned on 4/1/2020.
4.15.01 | Follow up with JPCERT about having a representative or providing updates about JPCERT. | Jonathan E. (MITRE) | Completed | 4/29 Update: Email sent to JPCERT on 4/27 and JPCERT agreed to provide updates moving forward.
4.15.03 | Follow up with RCNA1 about participating in the AWG so they can be involved with the design of the APIs. | Jonathan E./Jo B. (MITRE) | In Process | 4/29 Update: Spoke with RCNA1 and they will be joining the AWG.
4.15.04 | Send EOL tagging draft document to Kent so he can incorporate it into the EOL document. | Jonathan E. (MITRE) | Completed |
4.15.05 | Send CVE Board Charter 3.1 for review and vote. | Jo B. (MITRE) | Completed | 4/29 Update: CVE Board charter approved on April 23, 2020.

 

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • OCWG meeting held on April 17, 2020:
      • Planning underway for virtual outreach opportunities during COVID-19.
        1. Live Interview:
          • Topic: What is the difference between NIST MITRE NVD (interview style), 100-level.
          • Podcast with Tod Beardsley and David Waltermire, possibly panel interview.
            • Tod and David agreed to participate.
            • Chris mentioned we need to be careful to not speak for the government.
            • Katie Noble volunteered to participate in a panel interview as well.
            • Interview will be recorded and made available on the CVE Website and YouTube channel.
          • Target date for podcast is end of May 2020.
        2. Webinars:
          • Topic: How to become a CNA.
            • Hosted by Shannon Sabens and Jo Bazar.
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • CNACWG meeting held on April 22, 2020:
      • Documenting procedure for transferring CVE IDs from one CNA to another for when products move between CNAs.
        • Draft will be presented to AWG and CVE Board, NLT May 6.
        • There will be five to six use cases included in the document.
      • CNACWG Europe and Asia meeting invites sent.
      • Sam Huckins no longer able to help with CNACWG, but Enrique Gonzales will be assuming his responsibilities.
      • October virtual summit needs to be scheduled and planning needs to begin soon. The group agreed Wednesday, October 14 would be a good date for the virtual summit.

  • Quality Working Group (QWG): Dave Waltermire/Jonathan Evans
    • QWG meeting held on April 16, 2020:
      • Discussed how to support unofficial JSON fields that are being used in some of the CVE records; we would like to come up with formal extension mechanisms, developing use case examples to help with building requirements.
      • Also discussed CWE usage with CNAs; NVD uses slice 1003, and we want to get a better understanding of how CNAs are making use of CWE and have a larger conversation with the CWE team. David would like to have CWE representation at a future QWG meeting.
      • At the AWG meeting scheduled for April 30, we will discuss NVD reference types and end of life tagging; Chris Turner will be giving an overview.
  • Automation Working Group (AWG): Lew Loren
    • AWG meeting held on April 28, 2020:
      • AWG meetings moved to every Tuesday at 4:00pm ET so the SPWG meeting can occur first on Monday for post-sprint reviews and pre-sprint discussions.
      • Ongoing efforts to develop the AWG services:
        • The Authentication and User Registry (A&UR) Service update: We have Cognito stood up in a sandbox environment with a dedicated developer assigned to this effort.
        • Entry Submission and Upload Service (ESUS) update: We just wrapped up our first dry-run sprint and the next sprint is starting.
        • JSON work continues; Joe is working on the upconverter from 5.0 to 4.0 and down converter from 5.0 to 4.0.
        • ID Allocation continues, and the development effort is very lightweight. The challenge is getting permission to host publicly; the remaining development is fairly light.
      • Posting on GitHub: All the pre-sprint analysis, post-sprint analysis, and other AWG artifacts will be available for AWG members to review and reference.
      • CVE Web form updates reflect 40% of CVE information coming to the program. We need a clear plan for existing CNAs so they can migrate their functionality and encourage them to use JSON format instead of the CVE web form.

  • Strategic Planning (SPWG) – Kent Landfield  
    • SPWG meeting held on April 20 and 27, 2020:
      • Kent encourages everyone to use the mailing list for working through tasking and to discuss issues in-between the meetings.
      • Working on End-of-Life (EOL) process implementation details.
        • We were able to start the adjudication of comments sent on the EOL draft. There are five options being discussed.
      • Discussion about CVE Reference Handling:
        • How do we handle issues with invalid URL references on initial CVE Entry submission?
        • This request was generated because MITRE turned off the capability that they had for validating reference URLs.
        • SPWG recommends approving the CVE Entry submission but notify the CNA when the validation fails.
      • Kent is working on User Registry documentation and will send to AWG once completed.
      • CVE definitions list underway.

 

CNA Updates

  • MITRE: Jo Bazar
    • Requests to become a CNA
      • Received two CNA requests since the last CVE Board meeting (held on 4/15/20).
    • On-Boarding
      • Three onboarding sessions since the last CVE Board meeting.
      • One CNA onboarding session scheduled.
    • CNA Announcements and News
      • Two CNA announcements since last CVE Board meeting: CERT@VDE and Silver Peak.
      • There are now 120 CNAs participating in the program in 21 countries.
      • 96 in total CNA pipeline: 16 in Q3’19; 17 in Q4’19; 24 in Q1’20 and 7 in Q2’20.
      • Six pending CNA announcements.
    • CNA missing disclosure policies and/or advisory locations underway
      • We have emailed CNAs that are missing disclosure policies and/or advisory locations. We have received 8 responses so far and around 18 are missing one of the two requirements.
  • JPCERT: Jonathan Evans
    • CNA Status Updates:
      • Number of new CNAs: 0
      • Number of prospective CNAs we are working with: 2
      • Currently, the progress in overall vulnerability coordination activities with many of the vendors here in Japan is slow because of the COVID-19 outbreak.
      • One vendor is in their internal coordination process, but due to COVID-19, this may take a while.
    • CNA guidance material:
      • Just started working on it.
      • Translating Jo's voice parts, which are written in the note sections of the slides, into Japanese.
      • We have national holidays here in early May, so we are assuming that the translation of seven slide files will finish around mid-May.

 

  • Root CNA Prospects – Jonathan Evans/Jo Bazar
    • RCNA1 Root update:
      • Jonathan, Chris and Jo met with RCNA1 on April 29, 2020.
      • RCNA1 has drafted documentation on the following:
        • Scope
        • How to reserve a CVE ID
        • How to Submit CVE Entries
        • Escalation process
        • RBP and Inactive policies 
      • The group reviewed the documentation and provided feedback and suggestions.
      • RCNA1 is interested in participating in the AWG and will follow up with MITRE on who will be attending.

 

Open Discussion Items

MITRE Voting – Chris Levendis

  • Chris Levendis explained that Chris Coffin is now participating as an independent member and would like MITRE to have two votes. David explained votes are based on organizations, so organizations only get one vote. Kent explained that the Charter does not allow for exceptions and that organizations need to coordinate their votes. Lew explained that Chris Coffin cannot represent the CVE Program, whereas Chris Levendis is representing the CVE Program.
  • Katie explained that CVE Board membership is individual, yet the voting is based on the organization.
  • Kent suggested removing Chris Coffin's affiliation so that he is independent, removing "MITRE at Large".
  • David explained that it is cleaner if one individual speaks for each organization.
  • The group agreed that the CVE Board charter needs to be updated to account for exceptions issues. Kent will take the action to update the CVE Board charter. 

Schedule interview for nomination

  • Jay Gazlay was nominated on Monday, April 27, 2020. Chris Levendis suggested the interview be at the next CVE Board meeting on May 13, 2020.
    • The interview will be the first item on the agenda; the interview will be 30 minutes and a 30-minute post-interview discussion will follow.
    • There will be little time for the working groups; therefore, the CVE Board has requested that the Working Group chairs send their status updates to the Private Board list before the May 13th meeting, so Board members can review ahead of time and can ask questions if needed.

 

CNA Report Card Q1’20

  • Jo Bazar walked through the summary slides of the Q1’20 results, providing a brief overview of the results and conclusions for quarter one.

 

Open Source Fuzzing – David Waltermire

  • David brought up that members of OSS-Fuzz team at Google talked to him about whether the CVE program would be interested in having them be a CNA. David would like to discuss fuzzing tools further. 
  • This topic was also discussed at the June 29, 2019, CVE Board meeting due to a post on the oss-security mailing list: https://www.openwall.com/lists/oss-security/2019/06/15/2. The QWG followed up with the reporter, but no further progress has been made.
  • David suggested hosting workshops on various topics, such as fuzzing.

 

Action Items from Board Meeting held on 29 April 2020

# | Action Item | Responsible Party | Status | Comments
4.29.01 | Add the following items to the May 13th CVE Board agenda: 1. Interview with Jay G. (30 mins); 2. Post-interview discussion (30 mins); 3. Fuzzing topic. | Jo B. (MITRE) | Not Started | Assigned on 4/15/2020
4.29.02 | Update the CVE Board charter to address exception issues in CVE Board member voting. | Kent L. | Not Started | Assigned on 4/15/2020
4.29.03 | Set up a 2-day test meeting so Board members can test MS Teams functionality. | Christine D. (MITRE) | Not Started | Assigned on 4/15/2020

 

Board Decisions

None

Next CVE Board Meeting 

Wednesday, May 13, 2020 at 2:00PM EDT

 


Attachment: CVE_Board_Meeting_29 April 2020 FINAL.pdf (528K)