CVE Board Meeting summary - 3FEB2021

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

CVE Board Meeting summary - 3FEB2021

Jo E Bazar

Members of CVE Board in Attendance

Beverly Alvarez, AMD

Ken Armstrong, EWA-Canada, An Intertek Company

Tod Beardsley, Rapid7 

Chris Coffin, The MITRE Corporation (MITRE At-Large)

Jessica Colvin JPMorgan Chase

Mark Cox, Red Hat, Inc.

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)

Tim Keanini, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Lawler, LP3

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Pascal Meunier, CERIAS/Purdue University

Ken Munro, Pen Test Partners LLP

Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)

Kathleen Noble, Intel Corporation

Lisa Olson, Microsoft

Shannon Sabens, CrowdStrike

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.


Members of MITRE CVE Team in Attendance

Jo Bazar

Kris Britton

Christine Deal

Jonathan Evans

Chris Levendis

02:00-02:05:     Introductions and Roll Call

02:05-03:35:      Open discussion items 

03:35-03:55:      Review of Action items (see attached excel file)

03:55-04:00:      Wrap-up

Review of Action Items from last Board Meeting

See attached Excel spreadsheet (CVE Board Meeting 3Feb21 – Agenda and Action items)

Discussion Items

  • CVE Program Branding statement – Shannon Sabens (CrowdStrike)
    • The Board approved the revised long form . The discussion about whether to change Exposures to Enumeration is still ongoing and should not hold up the roll out of the new branding statements.
      • Short Form: The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
      • Long Form: The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities to their customers users, while information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
  • Switching the Global CVE Summit to May – Chris Levendis (MITRE)
    • The Board agreed that there are no concerns with moving the CVE Summit to May, as long as it does not conflict with RSA, which is scheduled for the week of May 17.
  • 2021 CVE Board Goals
    • Katie Noble (Intel) discussed the blog post to be published about Ken Munro joining the CVE Board and that the blog should include the CVE Board goals for 2021. The Board discussed the 2021 goals and agreed on the following:

       2021 Goals for CVE Board

1.      Recruit CNAs and Root CNAs

2.      Encourage Automation/Implement Infrastructure User Services

3.      Encourage/further researcher relationships

4.      Strategic Communications Elements

    • The Board agreed that a sub-working group (under the OCWG) should be created called the Researcher Working group (RWG) to help with addressing goal 3. Listed below are the members thus far: Katie Noble, Ken Munro, Chris Levendis, Art Manion, Shannon Sabens, and Jo Bazar.
  • CVE IDs for vulnerabilities in Malware – Art Manion (CERT/CC)
    • The Board continued to discuss whether CVE IDs should be assigned for malware. The topic was raised by an article that was published in the community about the CVE Program not assigning for a vulnerability in Malware. The current CNA Rules (v3.0) do not allow for assigning for malware in most cases (reference 7.4.7 CNAs SHOULD NOT assign CVE IDs to vulnerabilities in products that are not publicly available or licensable).
    • The Board agreed that the following questions need to be addressed before a recommendation can be made:
      • Who benefits in assigning for Malware?
      • What is the value proposition for assigning for Malware?
      • To whom is it valuable? How do we know if it is valuable?
      • Do the benefits outweigh the costs? If the results are neutral, then no action should be taken. 
    • Katie N. will take the action to present the issue to the FIRST PSIRT SIG. 
  • CVE IDs for Docker Containers – Pascal Munier (CERIAS/Purdue University)
    • The Board continued to discuss this topic and did not come to a consensus. The next steps will be for the Secretariat to characterize today’s discussion, the issue, and why are were talking about this. The Secretariat will respond to the current thread so the discussion continues on the CVE Board mailing list.
      • Art M. responded on 1/19/21 at 12:18pm, Re: Docker Image Vulnerabilities: example changes to assignment rule

Board Decisions


Next CVE Board Meetings 

Open Discussion Items (to be discussed at future meetings)

See attached Excel spreadsheet (CVE Board Meeting 3Feb21– Agenda and Action items)

CVE Board Recordings

  • The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to Jo Bazar ([hidden email]).  



CVE_Board_Meeting 3 February 2021 FINAL.pdf (360K) Download Attachment