CVE Board Meeting – 8 January 2020
Patrick Emsweller, Cisco Systems, Inc.
Kent Landfield, McAfee
Scott Lawler, LP3
Scott Moore, IBM
Lisa Olson, Microsoft
Shannon Sabens, Trend Micro
Kathleen Noble, Intel
Takayuki Uchiyama, Panasonic Corporation
David Waltermire, National Institute of Standards and Technology (NIST)
Ken Williams, Broadcom Inc.
Members of MITRE CVE Team in Attendance
Jo Bazar
Chris Coffin
Jonathan Evans
Lew Loren
2:00 – 2:15: Introductions, action items from the last meeting
2:15 – 2:30: Working Groups
2:30 – 2:45: Root CNA Update
2:45 – 3:00: CVE Global Summit – Beverly Alvarez
3:00 – 3:15: CNA Rules Revision Status – Jonathan Evans
3:15 – 3:30: Researcher CNA Requirements – Chris Coffin
3:30 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up
Working Group Updates
§ CNA Coordination Working Group (CNACWG): Tod Beardsley
CNA Updates
CVE Global Summit 2020 – Beverly Alvarez/Jo Bazar
§ CNA Rules v3.0 revisions will be sent to the CVE Board for vote by early next week. Jonathan will send the CNA Rules v3.0 for vote the week of January 13th.
CVE Researcher requirements – Chris Coffin
§ The group had a healthy discussion about Researcher CNA Requirements. CVE Board members are concerned about how to manage researchers who are solely interested in padding their résumés with CVE IDs. The group agreed in general that security research organizations are acceptable as CNAs, but that individual security researchers are not. The group does not want to rule out individual researcher CNAs completely and agreed that they would be accepted into the CNA Program on a case-by-case basis.
Open Discussion Items
§ Chris asked the group for ideas for discussion at the CVE Global Summit.
§ Kent suggested that the working groups be given more time: 30 minutes is not enough, and 45 minutes to 1 hour would be ideal.
§ Kent suggested a session that asks conference participants "what's going right" and "what's going wrong", giving each participant 45 seconds and using an air horn or noise maker when time is up. Katie explained that they did something similar at another conference and will provide the rules of engagement to the group.
§ Chris suggested an open discussion on internationalization of the CVE Program: what steps should be taken and what needs to be accomplished to move forward.
Action Items from Board Meeting held on 8 January 2020
Board Decisions
Future Discussion Topics
1. Communication
   a. Outreach – OCWG for most of this section (unless noted otherwise)
      i. Localization – should start in the QWG for guidance, then go to the AWG for implementation.
      ii. Upstream producers –
          1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
          1. Vulnerability Description
             a. VDO
             b. CSAF
          2. Severity
             a. CVSS
          3. Product identification and management
             a. SBOM
   b. Metrics – CVE Board
      i. Community metrics (public metrics)
      ii. CNA-specific metrics
      iii. Program performance (report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
         1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – SharePoint site (CVE CNA site)
2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
          1. Non-vendor CNAs
             a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
          2. Root CNA shopping
          3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor's product
   c. Coverage – CVE Board
      i. What's in, what's out
      ii. End of life
      iii. Software as a service
      iv. Hardware
      v. Open source software
      i. Operationalizing Root CNAs – SPWG
      ii. For new CNAs – CNACWG
      iii. How to supply refreshers – CVE Board/CNACWG
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirement
      iii. Scope statement best practices
      iv. Rules Violations
      i. Prevent duplicates
      i. Formats
      ii. Information requirements
          4. Split problem types into vulnerability type, root cause, or impact
          5. Don't require references
      iii. Should the description match the separate metadata fields?
4. CVE List – QWG
   a. Formats (all different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing in the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging