Beverly Miller, Lenovo Group Ltd.
Scott Moore, IBM
Lisa Olson, Microsoft
Takayuki Uchiyama, Panasonic Corporation
Ken Williams, Broadcom Inc.
Members of MITRE CVE Team in Attendance
Jo Bazar
Chris Coffin
Christine Deal
Jonathan Evans
Chris Levendis
Lew Loren
Joe Sain
Agenda
2:00 – 2:15: Introductions, action items from the last meeting
2:15 – 2:30: Working Groups
2:30 – 2:45: Root CNA Update
2:45 – 3:55: Open Discussion – Board
3:55 – 4:00: Action items, wrap-up

Review of Action Items from Board Meeting held on 15 May 2019
Working Group Updates
§ Strategic Planning (SPWG) – Kent Landfield/Chris Coffin
CNA Updates
Open Discussion Items
Agenda Items for Upcoming Meetings
Action Items from Board Meeting held on 29 May 2019
Board Decisions
Future Discussion Topics
1. Communication
   a. Outreach
      i. Localization
      ii. Upstream producers
         1. CNA Recruitment
      iii. Downstream users
      iv. Related Projects
         1. Vulnerability Description
            a. VDO
            b. CSAF
         2. Severity
            a. CVSS
         3. Product identification and management
            a. SBOM
   b. Metrics
      i. Community metrics (Public metrics)
      ii. CNA specific metrics
      iii. Program performance (Report card)
   c. Knowledge capture/transfer
      i. Record Working Group meetings
         1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials
2. Strategy
   a. Program Structure
   b. Roles, responsibilities, and requirements
      i. Disclosure Policies
      ii. Scope
         1. Non-vendor CNAs
            a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
         2. Root CNA shopping
         3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
   c. Coverage
      i. What’s in, What’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
      i. Operationalizing Root CNAs
      ii. For new CNAs
      iii. How to supply refreshers
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirement
      iii. Scope statement best practices
      iv. Rules Violations
      i. Prevent duplicates
      i. Formats
      ii. Information requirements
         4. Split problem type into vuln. type, root cause, or impact
         5. Don’t require references
      iii. Should the description match the separate metadata fields
4. CVE List
   a. Formats (all different formats)
      i. How can the download formats be updated?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging
I am struggling to see how the new Future Discussion Topics is more useful. I also do not see the line item listed as the basis for redoing the list but I do see another. I thought we were just going to break them into categories as Ongoing, future and OBE. I think we lost a great deal in the conversion. I personally liked the prose, not the bullets. Looks more like a wish list than a set of future conversations. Pre-change.
Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Bedankt,Danke!, ありがとう, धन्यवाद!
--
Kent Landfield
+1.817.637.8026