CVE Board Meeting summary - 30 October 2019

Bazar, Jo E.

CVE Board Meeting – 30 October 2019

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Kent Landfield, McAfee

Beverly Miller Alvarez, Lenovo Group Ltd.

Lisa Olson, Microsoft

Shannon Sabens, Trend Micro

Kathleen Trimble, U.S. Department of Homeland Security (DHS)

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Christine Deal

Jonathan Evans

Chris Levendis

Lew Loren

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 2:30: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Chris Coffin
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin

 

2:30 – 2:45: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans/Chris Coffin

 

2:45 – 3:00: CNA Summit – Beverly Miller Alvarez

3:00 – 3:15: CNA RBP Issues – Chris Coffin

3:15 – 3:30: CNA Rules Revision Status – Jonathan Evans

3:30 – 3:45: Transition Board Archives Long-Term Storage to AWS – Lew Loren

3:45 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up


1.23.1
Action Item: Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).
Responsible Party: MITRE (Evans)
Status: In Process
Comments: MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below:
  1. How to submit entries to MITRE using the web form (CNA Submission process)
  2. CVE ID assignment rule (Counting) – DRAFT sent for inputs to CNACWG and OCWG
  3. Becoming a CNA – DRAFT will be sent by COB 11/1/19.
  4. CVE Program (includes Root structure)
  5. How to request MITRE CNA populate a CVE entry (CNA Process)
  6. How to create a CVE Entry (CNA Entry creation)
10/30 Update: A timeline was prepared and will be shared at the next Board meeting. “Becoming a CNA” will be sent by COB 11/1/19, and the CVE Board members will have two weeks to provide feedback.

4.17.5
Action Item: Research a solution for storing and archiving CVE Board and WG meeting minutes and recordings in a central repository, as well as for tracking action items.
Responsible Party: MITRE (Lew L.)
Status: In Process
Comments:
6/12 Update: CNA SharePoint site is up (MITRE partners account is required); a Handshake account is used for current meeting recordings, and we are moving the archive of recordings to Amazon Glacier for cold storage.
8/21 Update: Next step is to move the recordings to Amazon Glacier for cold storage.
10/2 Update: A script is being developed so the current meeting recordings can be uploaded to Amazon Glacier.
10/30 Update: The developers are setting up online storage in Glacier; download will be available after 90 days and will take a few days.

6.26.2
Action Item: Update the Charter to reflect the new interview process for Board nominations and that a CVE Board member can send nominations directly to the private Board list.
Responsible Party: MITRE (Chris C.)/Kent L.
Status: In Process
Comments:
10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send it to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.
10/30 Update: Kent and Chris have a meeting scheduled this week to finish the drafts of the documents.

6.26.3
Action Item: Update the Charter to reflect the new Board nomination interview process. When a new Board member is nominated, a 30-minute interview is conducted during the next Board call.
Responsible Party: MITRE (Chris C.)/Kent L.
Status: In Process
Comments:
10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send it to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.
10/30 Update: Kent and Chris have a meeting scheduled this week to finish the drafts of the documents.

7.24.01
Action Item: Develop a strategy for handling public but low-quality vulnerabilities, especially cases where the vendor or maintainer has not acknowledged the vulnerability.
Responsible Party: MITRE (Chris C./Jonathan E.)
Status: In Process
Comments:
9/4 Update: Outline drafted by Jonathan and is being reviewed by the CVE team.

7.24.02
Action Item: Draft language clarifying the CVE Charter around organizational voting (when do we merge votes based on organizational affiliation?).
Responsible Party: MITRE (Chris C.)/Kent L.
Status: In Process
Comments:
10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send it to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks.
10/30 Update: Kent and Chris have a meeting scheduled this week to finish the drafts of the documents.

8.21.01
Action Item: Take the lead for a contest open to the community to create a new CVE logo.
Responsible Party: OCWG
Status: In Process
Comments:
9/4 Update: OCWG discussed at last meeting and is seeking additional guidance from the CVE Board.
10/16 Update: Shannon provided a list of requirements/questions for the CVE Board to consider.

10.16.01
Action Item: Follow up with MITRE legal about CVE logo language and design usage and required approvals.
Responsible Party: MITRE (Chris L.)
Status: Not Started
Comments: Assigned October 16, 2019

10.16.02
Action Item: MITRE communicates the RBP backlog strategy to the CVE Board.
Responsible Party: MITRE (Chris L.)
Status: Not Started
Comments: Assigned October 16, 2019

10.16.04
Action Item: SPWG down-selects CVE domain names and presents options to the CVE Board for final selection and approval.
Responsible Party: MITRE (Chris C.)
Status: In Process
Comments:
10/30 Update: CVE domain names were sent to CVE Board members for consideration on 10/24/2019. SPWG is working on down-selecting CVE domain names.

10.16.05
Action Item: Send CNA press template to the CVE Board.
Responsible Party: MITRE (Jo Bazar)
Status: In Process
Comments:
10/30 Update: Press release sent to the CVE Board for input, due NLT 10/28/2019. Re-send to Kent for review.

 

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • No meeting since the last Board meeting. Shannon explained that a CNA target list is in place, the list of conferences has been created, a draft introduction letter to potential CNAs is underway, and the CNA press release document is with the CVE Board for review and feedback.
    • Shannon asked the CVE Board for feedback regarding the CVE Logo contest.
    • The group agreed that the OCWG should make recommendations for the CVE Logo contest and present them to the CVE Board for review and comment.
    • Beverly suggested unveiling the new CVE logo at the in-person CNA Summit; once we understand what is required for MITRE/DHS approvals, we can develop a plan/timeline.
  • CNA Coordination Working Group (CNACWG): Tod Beardsley/Chris Coffin
    • Tod was re-elected as CNACWG chair for another year.
    • Gave feedback on Jonathan's assignment rules video (tl;dr: split it into two).
    • Started work on revamping the dispute process (targeting a rough but feature-complete draft for debate by December 1, 2019).
    • Started thinking about the summit agenda: we will carve out essentially a day for MITRE-related topics (with input from the Board), and then a day of CNA topics.
  • Quality Working Group (QWG): Dave Waltermire/Chris Coffin
    • QWG meeting was held on October 17, 2019:
      • Discussion about including product and version information as a "should" and not a "must". If the version is not going to be included in the entry, then the version should be included in the reference.
      • EOL tagging will be a discussion for the next meeting.
  • Automation Working Group (AWG): Lew Loren
    • AWG meeting was held on October 28, 2019:
      1. Working on finalizing the JSON schema; Chandan created a proposal on how we could integrate multiple CVSS scores depending on version. Chris Turner has a couple of recommendations and changes. We hope to finalize the schema in the next AWG meeting.
         • Dave expressed concerns about the CVSS metrics information coming from different sources. Dave has larger strategic concerns about where the conversation is going. This led to an in-depth discussion about keeping AWG members informed of the activities, decisions, and progress when members are unable to attend the meetings.
         • The group agreed that meeting notes that include problem statements and recommendations would be emailed to the AWG members after every AWG meeting. This will allow AWG members who are unable to attend to weigh in on recommendations being proposed and decisions being made.
      2. In the Tuesday meeting with Schmitty, we are working to identify a Tech Stature for authentication, authorization and user registry. The plan is to have a date for when we can have a Tech Stature identified, and we want to present it at the November 18th SPWG meeting. We are also hoping to come up with an estimated timeline for implementation.
      3. We had a request for contributions to the open source code by external contributors.
         • The Board decided that the minimum requirements for contributing should be full name, GitHub name, and reason for wanting to contribute.
      4. The next joint SPWG/AWG meeting is scheduled for November 18th.
  • Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin
    • SPWG meeting was held on October 28, 2019:
      1. Reviewed the requirements for Root CNA and CNA-LR; these roles still need to be clarified. Missing roles also include sub-root and top-level root.
      2. The group agreed that a CONOPS needs to be developed to help define these roles and responsibilities; Kent has started a draft that provides a high-level structure and roles and responsibilities.
      3. Domains selected by the SPWG, listed in priority order: CVE.org, CVE list.org, and cveprogram.org.

CNA Updates

  • MITRE: Jo Bazar
    • Received two CNA requests since the last CVE Board meeting.
    • Conducted one on-boarding session since the last Board meeting.
    • CNA announcements and news this week:
      • No CNA announcements since the last Board meeting.
      • There are now 104 CNAs participating in the program.
      • 62 in the CNA pipeline, with 42 entering the pipeline this calendar year (Q1: 7; Q2: 8; Q3: 22; Q4 so far: 5).
      • Two pending CNA announcements.
  • JPCERT: Jonathan Evans/Chris Coffin
    • No updates

 

CNA Summit 2020 – Beverly Miller Alvarez

  • CNA Summit 2020 will be hosted by Lenovo. The Summit will be at Lenovo in Morrisville, NC, and will be held on Monday, March 2nd and Tuesday, March 3rd.
    • NetApp will be hosting the FIRST-TC in Raleigh, NC, on Wednesday, March 4 and Thursday, March 5.
  • A meeting room has been scheduled; the room will be set up with round tables for 96, the meeting will be recorded, and budget has been approved for food for both days. Beverly and Jo are working together to draft the calendar invitation, which will include hotel suggestions.

 

CNA RBP Issues – Chris Coffin

Chris Coffin explained that CNA1 has 336 RBPs, representing 35% of their total RBPs. Earlier this year, CNA1 promised to work off their RBPs by the end of the year (400 new CVE IDs were provided for 2019), but they have not yet made any progress.

The group had a good discussion about a path forward and provided recommendations:

  • Dave suggested having them work off their RBP backlog and distributing new CVE IDs in increments, while setting meaningful milestones.
  • Kent suggested giving them 25% of their CVE IDs and would like to see what progress they make working off their RBPs. Kent explained we should reach out and see how we can help.

The group agreed to provide smaller blocks (2 months of IDs) to CNA1 to help incentivize them to work off their RBPs.

 

CNA Rules Revision Timeline – Jonathan Evans

Jonathan will send the draft CNA Rules Revision to the CVE Board and CNACWG for review and comment. The link to the document is: https://partners.mitre.org/sites/CVE_CNA/Shared%20Documents/1.%20CNA%20Rules%20Revision%20Proposals/CNA%20Rules%20v3.0.docx?Web=1

  • The group agreed to set up a meeting to schedule out-of-band meetings to resolve Rules Revision changes, and everyone agreed to hold a vote, so we stay on track with the timeline listed below.

CNA Rules revision timeline:

  • Now – 10/30/19 – On Track – Jonathan will send
    • MITRE integrates the proposed changes into a single unified document
  • 10/30/19 – 11/15/19
    • Unified draft CNA Rules 3.0 document sent out for review and comments by the Board and CNAs
    • All comments must be received by 11/15
  • 11/16/19 – 12/1/19
    • MITRE integrates feedback received from the Board and CNAs
  • 12/2/19 – 12/16/19
    • MITRE submits the final CNA Rules 3.0 document for a vote by the Board on 12/2/19
    • Board has two weeks to vote
  • 12/16/19 – 12/31/19
    • CNA Rules 3.0 document sent for final technical edit
    • No substantive change will be made during the edit
  • 1/2/2020
    • CNA Rules 3.0 is posted and in effect

 

Action Items from Board Meeting held on 30 October 2019

10.30.01
Action Item: Send CNA Summit 2020 HOLD_THE_DATE calendar invite to the CNA list (placeholder with hotel information).
Responsible Party: MITRE (Beverly A./Jo B.)
Status: Not Started
Comments: Assigned 10/30/2019

10.30.02
Action Item: Update the RBP threshold policy to include consequences for CNAs with backlogs over the specified threshold.
Responsible Party: MITRE (Jonathan E./Jo B.)
Status: Not Started
Comments: Assigned 10/30/2019

10.30.03
Action Item: Help Shannon with her Skype connection during Board calls.
Responsible Party: MITRE (Jo B.)
Status: Not Started
Comments: Assigned 10/30/2019

 

Board Decisions

  • None

Future Discussion Topics

1. Communication
   a. Outreach – OCWG for most of this section (noted otherwise).
      i. Localization – should start in the QWG for guidance, then go to the AWG for implementation.
      ii. Upstream producers –
         1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
         1. Vulnerability Description
            a. VDO
            b. CSAF
         2. Severity
            a. CVSS
         3. Product identification and management
            a. SBOM
               1. CWE
                  a. hardware
   b. Metrics – CVE Board
      i. Community metrics (public metrics)
      ii. CNA-specific metrics
      iii. Program performance (report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
         1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – SharePoint site (CVE CNA site)
2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
         1. Non-vendor CNAs
            a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
         2. Root CNA shopping
         3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
            a. CNA scope to the cooperative sub-CNAs
   c. Coverage – CVE Board
      i. What’s in, what’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
         1. Define (not a wrench)
      v. Open source software
   d. Goals – CVE Board
3. Operations
   a. Guidance
      i. Operationalizing Root CNAs – SPWG
         1. What is MITRE’s role?
         2. How to best operationalize Root CNAs
      ii. For new CNAs – CNACWG
         1. What is needed?
         2. What are the best formats?
         3. How to minimize one-on-one guidance
      iii. How to supply refreshers – CVE Board/CNACWG
   b. CNA Management – CNACWG
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirements
         1. Responsiveness
         2. Time to populate
         3. RBP start time
      iii. Scope statement best practices
      iv. Rules Violations
         1. Assignment correction processes (e.g. reject, split, merge) should account for violations
   c. Assignments – CVE Board
      i. Prevent duplicates
         1. How can CNA scopes help?
   d. Submissions – QWG and CVE Board; AWG handles format implementation
      i. Formats
      ii. Information requirements
         1. Add impact
         2. Add publication data
         3. Add vulnerability type
         4. Split problem type into vuln. type, root cause, or impact
         5. Don’t require references
      iii. Should the description match the separate metadata fields?
4. CVE List – QWG
   a. Formats (all different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing in the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging
   c. Prose description – do we need it?

Attachment: CVE_Board_Meeting_30 OCT 2019_FINAL.pdf (619K)

RE: [External] CVE Board Meeting summary - 30 October 2019

Beverly Miller

FYI, you can call me Beverly Alvarez.

I kept the Miller in there for a short time to help folks find me! 


Beverly Alvarez
Principal Program Manager
Product Security Office


From: Bazar, Jo E. <[hidden email]>
Sent: Tuesday, November 5, 2019 1:59 PM
To: CVE Editorial Board Discussion <[hidden email]>
Subject: [External] CVE Board Meeting summary - 30 October 2019

 

CVE Board Meeting – 30 October 2019

 

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Kent Landfield, McAfee

Beverly Miller Alvarez, Lenovo Group Ltd.

Lisa Olson, Microsoft

Shannon Sabens, Trend Micro

Kathleen Trimble, U.S. Department of Homeland Security (DHS)

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Christine Deal

Jonathan Evans

Chris Levendis

Lew Loren

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 2:30: Working Groups

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
  • Quality Working Group (QWG): Chris Coffin
  • Automation Working Group (AWG): Lew Loren
  • Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin

 

2:30 – 2:45: Root CNA Update

  • MITRE: Jo Bazar
  • JPCERT: Jonathan Evans/Chris Coffin

 

2:45 – 3:00: CNA Summit – Beverly Miller Alvarez

3:00 – 3:15: CNA RBP Issues – Chris Coffin

3:15 – 3:30: CNA Rules Revision Status – Jonathan Evans

3:30 – 3:45: Transition Board Archives Long-Term Storage to AWS – Lew Loren

3:45 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up


#


Action Item


Responsible Party


Status


Comments

1.23.1

Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).

MITRE (Evans)

In Process

MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below:

  1. How to submit entries to MITRE using the web form (CNA Submission process)
  2. CVE ID assignment rule (Counting) – DRAFT sent for inputs to CNACWG and OCWG
  3. Becoming a CNA – DRAFT will be sent by COB 11/1/19.
  4. CVE Program (includes Root structure) 
  5. How to request MITRE CNA populate a CVE entry (CNA Process)
  6. How to create a CVE Entry (CNA Entry creation)

 

10/30 Update: A timeline was prepared and will be shared at the next board meeting. “Becoming a CNA” will be sent by COB 11/1/19, and the CVE Board members will have two weeks to provide feedback.

4.17.5

Research solution for storing, archiving, and central repository for CVE Board and WG meeting minutes, recordings, as well as tracking action items.

MITRE (Lew L.)

In Process

6/12 Update: CNA SharePoint site is up (MITRE partners account is required), Handshake account is used for current meeting recordings and we are moving the archive of recordings to Amazon glacier for cold storage.   

8/21 Update: Next step is to move the recordings to the Amazon glacier for cold storage.   

10/2 Update: Script is being developed so the current meeting recordings can be uploaded to Amazon Glacier.

10/30 Update: The developers are setting up online storage in Glacier; download will be available after 90 days and will take a few days.

6.26.2

Update Charter to reflect new interview process of board nominations and that CVE Board member can send nominations directly to the private board list. 

MITRE (Chris C.)/Kent L.

In Process

10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks. 

10/30 Update: Kent and Chris have a meeting scheduled this week to finish the drafts of the documents.

6.26.3

Update Charter to reflect new Board nomination interview process. When a new Board member is nominated, a 30-minute interview is conducted during the next Board call.

MITRE (Chris C.)/Kent L.

In Process

10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks. 

10/30 Update: Kent and Chris have a meeting scheduled this week to finish the drafts of the documents.

7.24.01

Develop a strategy for handling public but low-quality vulnerabilities, especially cases where the vendor or maintainer has not acknowledged the vulnerability.

MITRE

(Chris C./Jonathan E.)

In Process

9/4 Update: Outline drafted by Jonathan and is being reviewed by the CVE team.

7.24.02

Draft language clarifying CVE charter around organizational voting. (When do we merge votes based on organizational affiliation)

MITRE (Chris C.)/Kent L.

In Process

10/2 Update: Kent explained a draft is in process; once completed, Chris C. will provide his input and send to the CVE Board for review and feedback. The CVE Board should expect to receive a draft in the next few weeks. 

10/30 Update: Kent and Chris have a meeting scheduled this week to finish the drafts of the documents.

8.21.01

Take the lead for contest open to the community to create new CVE logo.

OCWG

In Process

9/4 Update: OCWG discussed at last meeting and is seeking additional guidance from the CVE Board.

10/16 Update: Shannon provided a list of requirements/questions for the CVE Board to consider. 

10.16.01

Follow up with MITRE legal about CVE logo language and design usage and required approvals. 

MITRE (Chris L.)

Not Started

Assigned October 16, 2019

  10.16.02

MITRE communicate RBP backlog strategy to CVE Board.

MITRE (Chris L.)

Not Started

Assigned October 16, 2019

  10.16.04

SPWG down select CVE domain names and present options to CVE Board for final selection and approval. 

MITRE (Chris C.)

In Process

10/30 Update: CVE Domain names were sent to CVE Board members for consideration on 10/24/2019. SPWG working on down-selecting CVE domain names.

10.16.05

Send CNA Press template to CVE Board.

MITRE (Jo Bazar)

In Process

10/30 Update: Press release sent to CVE Board for input due NLT 10/28/2019. Re-send to Kent for review.

 

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • No meeting since last Board meeting. Shannon explained that there is a CNA target list in place, the list of conferences has been created, draft introduction letter to potential CNAs underway, and the CNA press release document is with the CVE Board for review and feedback.
    • Shannon asked the CVE Board for feedback regarding the CVE Logo contest.
    • The group agreed that the OCWG should make recommendations for the CVE Logo contest and present to the CVE Board for review and comment. 
    • Beverly suggested unveiling the new CVE logo at the in-person CNA Summit; once we understand what is required for MITRE/DHS approvals, we can develop a plan/timeline.

§  CNA Coordination Working Group (CNACWG): Tod Beardsley/Chris Coffin

  • Tod was re-elected as CNACWG chair for another year.
  • Gave feedback on Jonathan's assignment rules video (tldr, split it into two).
  • Started work on revamping the dispute process (Figuring a rough but feature-complete draft for debate by December 1, 2019).
  • Started thinking about summit agenda: we will carve out essentially a day for MITRE-related topics (with input from the Board), and then a day of CNA topics.
  • Quality Working Group (QWG): Dave Waltermire/Chris Coffin
    • QWG meeting was held on October 17, 2019:
    • Discussion about including product and version information as a should, and not a must. If the version was not going to be included, then the version should be included in the reference.
    • EOL tagging will be a discussion for the next meeting.
  • Automation Working Group (AWG) – Lew Loren
    • AWG meeting was held on October 28, 2019:
      1. Working on finalizing the JSON schema; Chandan created a proposal on how we could integrate multiple CVSS scores depending on version. Chris Turner has a couple of recommendations and changes. We hope to finalize the schema in the next AWG meeting.
        1. Dave expressed concerns about the CVSS metrics information from different sources. Dave has larger strategic concerns about where the conversation is going. This led to an in-depth discussion about keeping AWG members informed for the activities, decisions, and progress when members are unable to attend the meetings.
        2. The group agreed that meeting notes that include problem statements and recommendations would be emailed to the AWG members after every AWG meeting. This will allow AWG members who are unable to attend to weigh in on recommendations being proposed and decisions being made.
      2. In the Tuesday Meeting with Schmitty, we are working to identify a Tech Stature for authentication, authorization and user registry. The plan is to have a date for when we can have a Tech Stature identified and we want to present it at the November 18th SPWG meeting. We are also hoping to come up with an estimated timeline for implementation.
      3. We had a request for contributions to the open source code by external contributors.
        1. The Board decided that minimum requirements for contributing should be full name, GitHub name, and reason for wanting to contribute
      4. Next meeting SPWG/AWG meeting is scheduled for November 18th.
  1. Strategic Planning (SPWG) – Kent Landfield/Chris Coffin
    • SPWG meeting was held on October 28, 2019 
      1. Reviewed the requirements for Root CNA and CNA-LR; these roles still need to be clarified. Missing roles also include sub-root and top-level root.
      2. The group agreed that CONOPS needs to be developed to help define these roles and responsibilities, Kent has started the draft that provides a high-level structure and roles and responsibilities.
      3. Domains selected by the SPWG, listed in priority: CVE.org, CVE list.org, and cveprogram.org.

CNA Updates

  • MITRE –Jo Bazar
  • Received two CNA requests since the last CVE Board meeting.
  • Conducted one on-boarding session since the last boarding meeting.
    • CNA announcements and news this week:
      • No CNA announcements since last board meeting.
      • There are now 104 CNAs participating in the program 
      • 62 in CNA pipeline, with 42 entering the pipeline this calendar year.  7 = Q1; 8= Q2; 22= Q3, 5 = Q4 so far.
      • Two pending CNA Announcements.
  • JPCERT - Jonathan Evans/Chris Coffin
    • No updates

 

CNA Summit 2020 – Beverly Miller Alvarez

  • CNA Summit 2020 will be hosted by Lenovo. The Summit will be at Lenovo in Morrisville, NC, and will be held on Monday, March 2nd and Tuesday, March 3rd
    • NetApp will be hosting the FIRST-TC in Raleigh, NC, on Wednesday, March 4 and Thursday, March 5
  • A meeting room has been scheduled; room will be set up with round tables for 96, the meeting will be recorded, and budget has been approved for food for both days. Beverly and Jo are working together to draft the calendar invitation that will include hotel suggestions.

 

CNA RBP Issues – Chris Coffin

 

CNA Rules Revision Timeline – Jonathan Evans

CNA Rules revision timeline: 

§     Now – 10/30/19 – On Track – Jonathan will send

      MITRE integrates the proposed changes into a single unified document

§     10/30/19 - 11/15/19

      Unified draft CNA Rules 3.0 document sent out for review and comments by the Board and CNAs

      All comments must be received by 11/15

§     11/16/19 – 12/1/19

      MITRE integrates feedback received by the Board and CNAs

§     12/2/19 – 12/16/19

      MITRE submits the final CNA Rules 3.0 document for a vote by the Board on 12/2/19

      Board has two weeks to vote

§     12/16/19 – 12/31/19

      CNA Rules 3.0 document sent for final technical edit

      No substantive change will be made during the edit

§     1/2/2020

      CNA Rules 3.0 is posted and in effect

 

Action Items from Board Meeting held on 30 October 2019


#


Action Item


Responsible Party


Status


Comments

10.30.01

Send CNA Summit 2020 HOLD_THE_DATE calendar invite to CNA list (placeholder with hotel information.

MITRE (Beverly A./Jo B.)

Not Started

Assigned 10/30/2019

10.30.02

Update RBP threshold policy to include consequences for CNA’s with backlogs over the specific threshold.

MITRE (Jonathan E./Jo B.)

Not Started

Assigned 10/30/2019

10.30.03

Help Shannon with her Skype connection during Board calls

MITRE (Jo B.)

Not Started

Assigned 10/30/2019

 

Board Decisions

  • None

Future Discussion Topics

1.  Communication
    a.  Outreach – OCWG for most of this section (noted otherwise).
        i.   Localization – should start in the QWG for guidance, then go to the AWG for implementation.
        ii.  Upstream producers –
             1. CNA Recruitment
        iii. Downstream users –
        iv.  Related Projects
             1. Vulnerability Description
                a. VDO
                b. CSAF
             2. Severity
                a. CVSS
             3. Product identification and management
                a. SBOM
                   1. CWE
                      1. Hardware
    b.  Metrics – CVE Board
        i.   Community metrics (public metrics)
        ii.  CNA-specific metrics
        iii. Program performance (report card)
    c.  Knowledge capture/transfer – CVE Board
        i.   Record Working Group meetings
             1. Where to store the recordings?
        ii.  Issue tracking
        iii. Storage of WG materials – SharePoint site (CVE CNA site)

2.  Strategy
    a.  Program Structure – SPWG
    b.  Roles, responsibilities, and requirements – SPWG
        i.   Disclosure Policies
        ii.  Scope
             1. Non-vendor CNAs
                a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
             2. Root CNA shopping
             3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
                1. CNA scope to the cooperative sub-CNAs
    c.  Coverage – CVE Board
        i.   What’s in, what’s out
        ii.  End of life
        iii. Software as a service
        iv.  Hardware
             1. Define (not a wrench)
        v.   Open source software
    d.  Goals – CVE Board

3.  Operations
    a.  Guidance
        i.   Operationalizing Root CNAs – SPWG
             1. What is MITRE’s role?
             2. How to best operationalize Root CNAs
        ii.  For new CNAs – CNACWG
             1. What is needed?
             2. What are the best formats?
             3. How to minimize one-on-one guidance
        iii. How to supply refreshers – CVE Board/CNACWG
    b.  CNA Management – CNACWG
        i.   CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
        ii.  Requirements
             1. Responsiveness
             2. Time to populate
             3. RBP start time
        iii. Scope statement best practices
        iv.  Rules Violations
             1. Assignment correction processes (e.g. reject, split, merge) should account for violations
    c.  Assignments – CVE Board
        i.   Prevent duplicates
             1. How can CNA scopes help?
    d.  Submissions – QWG and CVE Board; AWG handles format implementation
        i.   Formats
        ii.  Information requirements
             1. Add impact
             2. Add publication data
             3. Add vulnerability type
             4. Split problem type into vulnerability type, root cause, or impact
             5. Don’t require references
        iii. Should the description match the separate metadata fields?

4.  CVE List – QWG
    a.  Formats (all different formats) – CVE Board
        i.   How can the download formats be updated or retired?
    b.  CVE Tagging
        i.   Helps filtering
        ii.  How to identify the categories we need
        iii. Should the tagging be attached to the product or the vulnerability?
        iv.  Could we leverage a product listing the CVE User Registry?
        v.   Can it be automated?
        vi.  EOL tagging
    c.  Prose description, do we need it?