CVE Board Meeting summary - 3MAR2021


CVE Program Secretariat

Members of CVE Board in Attendance

Beverly Alvarez, AMD

Ken Armstrong, EWA-Canada, An Intertek Company

Tod Beardsley, Rapid7 

Chris Coffin, The MITRE Corporation (MITRE At-Large)

Jessica Colvin JPMorgan Chase

Mark Cox, Red Hat, Inc.

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)

Tim Keanini, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Lawler, LP3

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Pascal Meunier, CERIAS/Purdue University

Ken Munro, Pen Test Partners LLP

Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)

Kathleen Noble, Intel Corporation

Lisa Olson, Microsoft

Shannon Sabens, CrowdStrike

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.


Members of MITRE CVE Team in Attendance

Jo Bazar

Kris Britton

Christine Deal

Jonathan Evans

Chris Levendis

02:00-02:05:     Introductions and Roll Call

02:05-03:35:     Open discussion items 

03:35-03:55:     Review of Action items (see attached excel file)

03:55-04:00:     Wrap-up

New Action Items from today's Board Meeting

03.03.01
  Action Item: Secretariat to follow up with CVE Board members to check in on how the alternating CVE Board meeting times are working (9-11 am ET / 2-4 pm ET)
  Responsible Party: Jo B. (MITRE/Secretariat)
  Due: 9/3/2021
  Status: Not Started
  Comments: Assigned on 3/3/2021

03.03.02
  Action Item: Secretariat will initiate a vote on the proposed solution to allow CNAs (product owners and product maintainers) to assign for insecure default configurations.
  Responsible Party: Chris L. (MITRE/Secretariat)
  Due: (none given)
  Status: Not Started
  Comments: Assigned on 3/3/2021

03.03.03
  Action Item: OCWG will form a sub-group to address the requirements and content for the website; Bob Roberge will be the Chair.
  Responsible Party: OCWG
  Due: (none given)
  Status: Not Started
  Comments: Assigned on 3/3/2021

See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 17Mar21 – Agenda and Action items)

Discussion Items

§    Docker Container issue (continued) - Jonathan Evans (MITRE)

  • The group continued its discussion of the Docker container issue that was brought to MITRE's attention by Jerry Gamblin, who documented his complaints in a blog post: https://jerrygamblin.com/2020/12/17/cve-stuffing/
    1. Description of issue: insecure default configuration for the admin password. The issue occurs because the base Docker image was configured incorrectly and is then used by other people to create their own Docker images.
  • Jonathan compiled a list of examples of CVE IDs that CNAs have assigned to insecure defaults; 22 different CNAs were represented in the example set.
  • The Board agreed that there are three options:
    1. CVE Program assigns for insecure defaults (rules clarification may be needed)
    2. CVE Program does NOT assign for insecure defaults (a rule change would be needed in the next revision)
    3. Allow CNAs (product owners and/or product maintainers) to assign for insecure default configurations.
      • Implementation notes and additional guidance will need to be provided, including a few CVE assignment examples.
        • Education will need to be provided to the CNA-LR, security researchers, bug bounties and coordination centers.
      • The Secretariat will initiate a VOTE on the proposed solution, option #3.

§    CVE Board Meeting Alternating Meeting Times Results

  • The Board agreed that, based on the survey results, the current meeting times, alternating between 9:00-11:00 a.m. and 2:00-4:00 p.m. every other Wednesday, are working for the group. In six months, the Secretariat will follow up with the Board to see if the alternating schedule is still working.

§    CVE Website Testing – David Waltermire (NIST)

  • Testing of the new CVE website will need to occur soon, before the website is rolled out. David expressed concern about who the functional and content owners of the new CVE website would be. Currently, the website is in the development stage, and the development team is meeting weekly. The group agreed that, once the site is deployed, the AWG will be responsible for its functionality and the OCWG for its content. The Secretariat is responsible for operations and maintenance of the current CVE website.
  • The group agreed that the OCWG will maintain the content, working closely with the Secretariat.
  • The group agreed that a sub-working group would be responsible for testing and reviewing the content of the new CVE website. Once the new website is deployed, the OCWG will review revisions and any new development efforts and provide its stamp of approval.
    1. The OCWG will form a sub-group to address the requirements and content for the new website; Bob Roberge will be the Chair.

§    CVE Summit – Tod Beardsley (Rapid7)

  • The CVE Summit will be on May 13 and May 14. The Call for Papers (CFP) has been extended to March 23. So far, only a few topics have been submitted. The meeting times for both days are still being determined by the CNACWG. Tod will provide an update on the logistics, agreements, questions, ideas, and a readout of the topics gathered from the CFP thus far.

Board Decisions

N/A

Next CVE Board Meetings 

Open Discussion Items (to be discussed at future meetings)

See attached Excel spreadsheet (CVE Board Meeting 17Mar21 – Agenda and Action items)

CVE Board Recordings

§    The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to Jo Bazar ([hidden email]).

Attachment: CVE_Board_Meeting 3 March 2021 FINAL.pdf (400K)