CVE Board Meeting – 8 January 2020

Patrick Emsweller, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Lawler, LP3

Scott Moore, IBM

Lisa Olson, Microsoft

Shannon Sabens, Trend Micro

Kathleen Noble, Intel

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.

 

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Jonathan Evans

Lew Loren

 

 

2:00 – 2:15: Introductions, action items from the last meeting 

2:15 – 2:30: Working Groups

• Outreach and Communications Working Group (OCWG): Shannon Sabens
• CNA Coordination Working Group (CNACWG): Tod Beardsley
• Quality Working Group (QWG): Chris Coffin/Dave Waltermire
• Automation Working Group (AWG): Lew Loren
• Strategic Planning Working Group (SPWG): Kent Landfield

 

2:30 – 2:45: Root CNA Update

• MITRE: Jo Bazar
• JPCERT: Jonathan Evans/Chris Coffin

 

2:45 – 3:00: CVE Global Summit – Beverly Alvarez

3:00 – 3:15: CNA Rules Revision Status – Jonathan Evans

3:15 – 3:30: Researcher CNA Requirements – Chris Coffin

3:30 – 3:55: Open Discussion  

3:55 – 4:00: Action items, wrap-up

#	Action Item	Responsible Party	Status	Comments
1.23.1	Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).	MITRE (Evans)	In Process	MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below: How to submit entries to MITRE using the web form (CNA Submission process) CVE ID assignment rule (Counting) – DRAFT sent for inputs to CNACWG and OCWG Becoming a CNA – DRAFT sent for inputs to CNACWG and OCWG CVE Program (includes Root structure)  How to request MITRE CNA populate a CVE entry (CNA Process) How to create a CVE Entry (CNA Entry creation)   1/8 Update: Draft videos are uploaded to YouTube and CNACWG and OCWG will provide feedback NLT January 17.
4.17.5	Research solution for storing, archiving, and central repository for CVE Board and WG meeting minutes, recordings, as well as tracking action items.	MITRE (Lew L.)	Completed	10/30 Update: The developers are setting up online storage in Glacier; download will be available after 90 days and will take a few days. 1/8 Update: S3Bucket has been approved for storing audio recordings; it has better performance at no additional costs compared to Glacier.
7.24.01	Develop a strategy for handling public but low-quality vulnerabilities, especially cases where the vendor or maintainer has not acknowledged the vulnerability.	MITRE (Chris C./Jonathan E.)	In Process	9/4 Update: Outline drafted by Jonathan and is being reviewed by the CVE team.
8.21.01	Take the lead for contest open to the community to create new CVE logo.	OCWG	In Process	9/4 Update: OCWG discussed at last meeting and is seeking additional guidance from the CVE Board. 10/16 Update: Shannon provided a list of requirements/questions for the CVE Board to consider.
10.16.01	Follow up with MITRE legal about CVE logo language and design usage and required approvals.	MITRE (Chris L.)	Completed	12/11 Update: MITRE legal team is drafting language to provide to OCWG. 1/8 Update: MITRE legal provided legal language for CVE logo contest.
10.16.02	MITRE communicate RBP backlog strategy to CVE Board.	MITRE (Chris L.)	Completed	11/13 Update: To date, 331 (19%) CVE Entries have been populated from the MITRE backlog (was 1,700), with 1,369 remaining. Based on the current run rate, the remaining MITRE backlog can be worked off by the end of January.  The CVE Entries are taking longer due to counting issues, and CNAs unable to help us identify which CVE ID goes with which vulnerabilities.
10.30.02	Update RBP threshold policy to include consequences for CNA’s with backlogs over the specific threshold.	MITRE (Jonathan E./Jo B.)	In Process	11/13 Update: RBP policy drafted and being reviewed by CVE team. Policy document will be sent to the CVE Board for review and comment.
12.11.01	Send Eventbrite registration form for CVE Global Summit.	Jo Bazar (MITRE)	Completed	1/8 Update: Eventbrite invites sent at noon on 1/6/2020.

 

• Outreach and Communications Working Group (OCWG): Shannon Sabens
• OCWG meeting was held on December 20, 2019:
• Press Release template for CNAs to use for new CNA announcements:  
• The OCWG agreed that instead of providing a press release template,  the CNA Coordinate will ask to review incoming CNA press releases. This will help the OCWG understand where the CNA may need help with CVE program messaging. In addition, the OCWG suggested that the CVE Board provide a “quote” for the incoming CNA press release.
• Shannon asked the CVE Board, “is anyone interested in providing a quote?” 
• The group discussed the process for obtaining the quotes and agreed to send the draft press releases to the private CVE Board list to obtain a quote from the CVE Board.
• CVE Logo contest - https://99designs.com/how-it-works
• Shannon explained that 99designs participants are only the graphic design community. In the past, when Tod and David used this platform, the contest was open to other communities. One of the requirements for this contest is to have the CVE community participate in the logo design. 
• David suggested that the CVE community be a part of the logo selection process instead of the design process. Katie agreed that getting the CVE community involved one way or another is good for the CVE Program.

§  CNA Coordination Working Group (CNACWG): Tod Beardsley

• CNACWG meeting held on December 18, 2019:
• Call for Papers (CFP) has been extended through January 14, 2020, and at the next CNACWG, Tod will press for content ideas for the CVE Global Summit program schedule.
• A draft CVE Global Summit program schedule will be ready to present at the next Board meeting on January 22, 2020.

• Quality Working Group (QWG): Dave Waltermire/Chris Coffin
• Last QWG meeting was held on December 5, 2019:
• Use case interview was conducted with Patrick Emsweller from CISCO. 
• Chris Coffin will send notes regarding the Patrick Emsweller interview.
• Automation Working Group (AWG) – Lew Loren 
• AWG meeting was held on January 6, 2020:
• In the Monday meeting, continuing toward finalize JSON schema; last minute changes received recommending container changes. 
• In the Tuesday meeting, Matt Bianchi focused on the Upload and Submission service, which will provide the replacement for the GitHub service we are currently using:
• The group agreed on Cognito for the integrated access management, implementing the User and Registration services.
• Strategic Planning (SPWG) – Kent Landfield
• SPWG meeting was held December 2, 2019.
• The group discussed requirements for Researcher CNAs and agreed to further discuss at the next CVE Board meeting. 

• MITRE –Jo Bazar

• Requests to become a CNA
• Received five CNA requests since the last CVE Board meeting.
• On-Boarding
• Conducted five on-boarding session since the last boarding meeting.
• Three CNA on-boarding sessions scheduled.

• CNA Announcements and News

• One CNA announcements since last Board meeting: Opera Software.
• There are now 110 CNAs participating in the program, in 21 countries.
• 70 in CNA pipeline, Q2; 16= Q3, 23 = Q4 and 1 = Q1’20 so far.
• Three pending CNA Announcements.
• JPCERT - Jonathan Evans/Chris Coffin
• No updates

 

• The CVE Global Summit invites have been sent via Eventbrite; responses are due no later than February 3, 2020. Attendees planning to attend in person, are required to register. As of today, 15 people have registered to attend in person.

 

§  CNA Rules v3.0 revisions will be sent to the CVE Board for vote by early next week. Jonathan will send the CNA Rules v3.0 for vote the week of January 13^th.

 

§  The group had a healthy discussion about Researcher CNA Requirements. CVE Board members are concerned about how to manage Researchers that are solely interested in padding their resume with CVE IDs. The group agreed in general that security research organizations are generally acceptable as CNAs, but that individual security researchers are not. The group doesn’t want to completely rule out individual researcher CNAs and agreed that they would be accepted into the CNA Program on a case by case basis. 

§  Chris asked the group for ideas for discussion at the CVE Global Summit.

§  Kent suggested the working groups have more time and that 30 minutes was enough time. Perhaps 45 minutes to 1 hour would be ideal. 

§  Kent suggested a fun idea, by having a session that asks conference participants “what’s going right” and “what’s going wrong”, allowing participants 45 seconds and using a blow horn or noise maker when time is up. Katie explained they did something similar at another conference and will provide the rules of engagement to the group.

§  Chris suggested that we have an open discussion regarding Internationalization of the CVE Program. What steps should be taken and what needs to be accomplished to move forward.

 

#	Action Item	Responsible Party	Status	Comments
01.08.01	Send INCIBE press release to CVE Private Board to obtain quote for press release	Jo Bazar (MITRE)	Not Started	Assigned 01/08/2020
01.08.02	Send CNA Rules v3.0 to CVE Board for Vote.	Jonathan Evans (MITRE)	Not Started	Assigned 01/08/2020
01.08.03	Follow up with 99 designs if the CVE Community can participate in the logo selection.	Shannon Sabens	Not Started	Assigned 01/08/2020
01.08.04	Draft Researcher CNA Requirements for CVE Board to review and vote	Chris Coffin (MITRE)	Not Started	Assigned 01/08/2020
01.08.05	Send QWG notes from Patrick E. interview.	Chris Coffin (MITRE)	Not Started	Assigned 01/08/2020

 

• None

1.      Communication 

a.       Outreach OCWG for most of this section (noted otherwise).

                                                              i.      Localization – should start in the QWG for guidance, then to the AWG for implementation.

                                                            ii.      Upstream producers –  

1.      CNA Recruitment 

                                                          iii.      Downstream users –   

                                                          iv.      Related Projects

1.      Vulnerability Description

a.       VDO

b.      CSAF

2.      Severity

a.       CVSS

3.      Product identification and management

a.       SBOM

4. CWE
1. hardware

b.      Metrics – CVE Board

                                                              i.      Community metrics (Public metrics)

                                                            ii.      CNA specific metrics 

                                                          iii.      Program performance (Report card)

c.       Knowledge capture/transfer - CVE Board

                                                              i.      Record Working Group meetings

1.      Where to store the recordings?

                                                            ii.      Issue tracking

                                                          iii.      Storage of WG materials – SharePoint site (CVE CNA site)

2.      Strategy 

a.       Program Structure SPWG

b.      Roles, responsibilities, and requirements SPWG

                                                              i.      Disclosure Policies

                                                            ii.      Scope

1.      Non-vendor CNAs

a.       Add new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA

2.      Root CNA shopping

3.      Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product

4. CNA scope to the cooperative sub-CNAs

c.       Coverage – CVE Board

                                                              i.      What’s in, What’s out

                                                            ii.      End of life

                                                          iii.      Software as a service

                                                          iv.      Hardware

1. Define (not a wrench)

                                                            v.      Open source software

4. Goals - CVE Board
2. Operations
1. Guidance

                                                              i.      Operationalizing Root CNAs - SPWG

1. What is MITRE’s role
2. How to best operationalize Root CNAs

                                                            ii.      For new CNAs - CNACWG

1. What is needed?
2. What are the best formats?
3. How to minimize one-on-one guidance

                                                          iii.      How to supply refreshers CVE Board/CNACWG

2. CNA Management - CNACWG

                                                              i.      CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?

                                                            ii.      Requirement

1. Responsiveness
2. Time to populate
3. RBP start time

                                                          iii.      Scope statement best practices

                                                          iv.      Rules Violations

1. Assignment correction processes (e.g. reject, split, merge) should account for violations
2. Assignments – CVE Board

                                                              i.      Prevent duplicates

1. How can CNA scopes help?
3. Submissions QWG and CVE Board, AWG handle format implementation

                                                              i.      Formats

                                                            ii.      Information requirements

1. Add impact
2. Add publication data
3. Add vulnerability type

4.      Split problem types in to vuln. type, root cause, or impact

5.      Don’t require references

                                                          iii.      Should the description match the separate metadata fields

4.      CVE List - QWG

a.       Formats (all different formats) – CVE Board

                                                              i.      How can the download formats be updated or retired?

b.      CVE Tagging

                                                              i.      Helps filtering

                                                            ii.      How to identify the categories we need

                                                          iii.      Should the tagging be attached to the product or the vulnerability?

                                                          iv.      Could we leverage a product listing the CVE User Registry?

                                                            v.      Can it be automated?

                                                          vi.      EOL tagging

3. Prose description, do we need it?