CVE Board Meeting – 30 October 2019

William Cox, Synopsys, Inc.
Patrick Emsweller, Cisco Systems, Inc.
Kent Landfield, McAfee
Beverly Miller Alvarez, Lenovo Group Ltd.
Lisa Olson, Microsoft
Shannon Sabens, Trend Micro
Kathleen Trimble, U.S. Department of Homeland Security (DHS)
Takayuki Uchiyama, Panasonic Corporation
David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance
Jo Bazar
Chris Coffin
Christine Deal
Jonathan Evans
Chris Levendis
Lew Loren

Agenda
2:00 – 2:15: Introductions, action items from the last meeting
2:15 – 2:30: Working Groups
2:30 – 2:45: Root CNA Update
2:45 – 3:00: CNA Summit – Beverly Miller Alvarez
3:00 – 3:15: CNA RBP Issues – Chris Coffin
3:15 – 3:30: CNA Rules Revision Status – Jonathan Evans
3:30 – 3:45: Transition Board Archives Long-Term Storage to AWS – Lew Loren
3:45 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up
Working Group Updates
§ CNA Coordination Working Group (CNACWG): Tod Beardsley/Chris Coffin

CNA Updates

CNA Summit 2020 – Beverly Miller Alvarez
§ CNA Summit 2020 will be hosted by Lenovo. The Summit will be at Lenovo in Morrisville, NC, and will be held on Monday, March 2nd and Tuesday, March 3rd.
§ A meeting room has been scheduled; the room will be set up with round tables for 96, the meeting will be recorded, and budget has been approved for food for both days.
§ Beverly and Jo are working together to draft the calendar invitation, which will include hotel suggestions.
CNA RBP Issues – Chris Coffin
– The group had a good discussion about a path forward and provided recommendations:
  § Dave suggested having them work off their RBP backlog and distribute new CVE IDs in increments, while setting meaningful milestones.
  § Kent suggested giving them 25% of their CVE IDs and then seeing what progress they make working off their RBPs. Kent explained we should reach out and see how we can help.
– The group agreed to provide smaller blocks (2 months of IDs) to CNA1 to help incentivize them to work off their RBPs.
CNA Rules Revision Timeline – Jonathan Evans
– Jonathan will send the draft CNA Rules Revision to the CVE Board and CNACWG for review and comment. The link to the document is below:
https://partners.mitre.org/sites/CVE_CNA/Shared%20Documents/1.%20CNA%20Rules%20Revision%20Proposals/CNA%20Rules%20v3.0.docx?Web=1

CNA Rules revision timeline:
§ Now – 10/30/19 – On Track – Jonathan will send
  – MITRE integrates the proposed changes into a single unified document
  – Unified draft CNA Rules 3.0 document sent out for review and comments by the Board and CNAs
  – All comments must be received by 11/15
§ 11/16/19 – 12/1/19
  – MITRE integrates feedback received from the Board and CNAs
§ 12/2/19 – 12/16/19
  – MITRE submits the final CNA Rules 3.0 document for a vote by the Board on 12/2/19
  – Board has two weeks to vote
§ 12/16/19 – 12/31/19
  – CNA Rules 3.0 document sent for final technical edit
  – No substantive change will be made during the edit
§ 1/2/2020
  – CNA Rules 3.0 is posted and in effect
Action Items from Board Meeting held on 30 October 2019

Board Decisions

Future Discussion Topics
1. Communication
   a. Outreach – OCWG for most of this section (noted otherwise).
      i. Localization – should start in the QWG for guidance, then go to the AWG for implementation.
      ii. Upstream producers –
          1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
          1. Vulnerability Description
             a. VDO
             b. CSAF
          2. Severity
             a. CVSS
          3. Product identification and management
             a. SBOM
   b. Metrics – CVE Board
      i. Community metrics (Public metrics)
      ii. CNA specific metrics
      iii. Program performance (Report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
         1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – SharePoint site (CVE CNA site)
2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
         1. Non-vendor CNAs
            a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
         2. Root CNA shopping
         3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
   c. Coverage – CVE Board
      i. What’s in, What’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
      v. Open source software
      i. Operationalizing Root CNAs – SPWG
      ii. For new CNAs – CNACWG
      iii. How to supply refreshers – CVE Board/CNACWG
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirement
      iii. Scope statement best practices
      iv. Rules Violations
      i. Prevent duplicates
      i. Formats
      ii. Information requirements
         4. Split problem type into vuln. type, root cause, or impact
         5. Don’t require references
      iii. Should the description match the separate metadata fields
4. CVE List – QWG
   a. Formats (all different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing in the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging
FYI..you can call me Beverly Alvarez. I kept the Miller in there for a short time to help folks find me!