Andy Balinsky, Cisco Systems, Inc.
Mark Cox, Red Hat, Inc.
William Cox, Synopsys, Inc.
Beverly Miller, Lenovo Group Ltd.
Scott Moore, IBM
Lisa Olson, Microsoft
Kurt Seifried, Cloud Security Alliance
Kathleen Trimble, U.S. Department of Homeland Security (DHS)
Members of MITRE CVE Team in Attendance
Introductions, action items from the last meeting
Open Discussion – Board
Action items, wrap-up
o Status: In process. CNA Virtual Summit will be held in February 2019 to address pressing issues prior to the face-to-face CNA Summit in April/May/June 2019.
4) CNA Scope Issues
The Board discussed that CNA documentation around roles and responsibilities is needed; the current documentation is not clear. CNAs assign CVEs within their scope. Scope may or may not cover CVEs for their customers.
o CNA Rules - The rules state CNAs must be responsive but do not provide a specific timeframe. The rules state that if a CNA plans to assign a CVE for a vulnerability in another vendor’s product, the assigning CNA should contact the vendor. The vendor would then make a determination.
o New Approach to CNAs and Roots - A given Root has a scope. A portion of the scope gets delegated to a CNA (i.e., product or area of research). If a portion of the scope is not delegated to a CNA, that scope stays with the Root. It is the Root’s responsibility to do the CVE assignment as the CNA of last resort.
o Action Item – CNA Rules need to be updated to reflect this new approach.
5) Eliminate duplicate CVE assignment discussion
o The Board discussed that specifying CNA scope will help eliminate duplicate CVE assignments. Art explained that having open communication with other CNAs when making CVE assignments is critical; keeping this communication at the CNA level (not at Root/Primary level) will help with duplication.
o Recommendation 1: Process recommendation needs to be added to CNA training.
o Recommendation 2: CNA rules need to be updated to minimize duplicate assignments.
o Jonathan explained that duplication of CVE assignments occurs the most with DWF.
6) Researcher CNAs
o The Board discussed researcher CNAs that have ambiguous scopes. These CNAs have issued thousands of CVEs.
o Recommendation 1: Avoid adding any new researcher CNAs until there are specific qualifications and guidelines for what qualifies as a researcher CNA. This includes defined scope rules yet to be discussed.
o Recommendation 2: Make the scope naturally programmatic for researcher CNAs.
o Recommendation 3: Change the process for researcher CNAs. Who is responsible for coordinating the assignment of the IDs? Who issues the CVE ID and who populates the information? There should be an easier way for companies to request a CVE ID.
o Recommendation 4: Better define roles and responsibilities for researcher CNAs.
o Recommendation 5: Need to address the researcher CNA ambiguous scope issue before onboarding additional researcher CNAs.
o Recommendation 6: Explore the possibility of researchers participating in the CNA program without becoming CNAs.
o Recommendation 7: Need a testing/certification program for CNAs to make sure they can adequately perform their role, especially researchers.
o The Board agreed to explore better solutions regarding the researcher CNA ambiguous scope issue.
7) Operationalize Root CNAs effectively
o Further discussion is needed regarding how we can operationalize Root CNAs more effectively.
o Additional discussion regarding MITRE’s role in operationalizing roots is needed.
8) Product Type Tagging/Categorization
o As the production numbers for CVEs go up, there will be an increasing need to view a subset of the overall CVE master list.
o Define a list of common product areas/domains to be used for categorizing CVE entries (e.g., medical devices, automotive, industrial, etc.).
o The tags/categories should be attached to the products and not to the CVE entries directly.
o Product listings in CVE User Registry would be a potential location.
Attachment: CVE_Board_Meeting_9 January 2019_final.pdf (375K)