CVE Board Teleconference Summary - 11 August 2016

Common Vulnerabilities & Exposures

CVE Board Meeting

11 August 2016, 2:00 p.m. EDT


The CVE Board met via teleconference on 11 August 2016. The meeting included updates on the CVE Counting Rules document, Charter revisions, and the Terms of Use (TOU).


In attendance:

Dan Adinolfi, MITRE

Jon Baker, MITRE

Andy Balinsky, Cisco

Harold Booth, NIST

Steve Boyle, MITRE

Chris Coffin, MITRE

Mark Cox, Red Hat

Christine Deal, MITRE

Jonathan Evans, MITRE

Kent Landfield, Intel

Scott Lawler, LP3

Art Manion, CERT

Meghan Manley, MITRE

Pascal Meunier, CERIAS/Purdue University

Joe Sain, MITRE

Anthony Singleton, MITRE

George Theall, MITRE

Donna Trammell, MITRE

Dave Waltermire, NIST

Ken Williams, CA Technologies


The meeting began with a brief update on the CVE Counting Rules document. No feedback was received from the Board during the review period (via the email list). Concerns were raised that the current wording gives CNAs significant latitude in deciding whether or not an issue should be considered a vulnerability for CVE purposes. Specifically, a CNA can determine suitability for CVE based on its own security policies, which may differ from common practice. As a result, a legitimate vulnerability could be deemed acceptable (i.e., not a vulnerability) under a lax security policy defined by the affected vendor.

Since the Primary CNA (MITRE) will remain the CNA of last resort, if the community feels that there are problems with a CNA’s assignment and assignment practices, the matter can be escalated up to the Primary CNA for adjudication.

MITRE gave an update on the new CVE Board Charter, citing the recent Board voting results. There was a good response rate to the vote (only five Board members did not respond). The voting results were:

- Who makes the decision to award Emeritus status?

  - 0 votes: The Board Moderator

  - 2 votes: The Board, through a Board vote

  - 10 votes: The Board Moderator, but the Board can overrule the decision with a Board vote

  - During voting, additional language was proposed as follows:
    The Board Moderator is responsible for determining the initial recognition status of a departing member. The Moderator will inform the Board of the status. If there is disagreement on the Board with the recognition status being proposed, the Board can call for a vote to determine whether the departing member is to be listed as Emeritus or as a Contributing Member.

- How much time should be provided to Board members to vote on a given issue?

  - 0 votes: One week

  - 5 votes: Two weeks

  - 8 votes: Time frames in which to cast a vote may vary as circumstances require, but must be at least one week long. Two weeks is the recommended time frame for most votes, but is not required.

- Do you support adding the statements below to the Charter?

  Board members have a responsibility to participate by voting. Members will lose voting privileges if they do not vote in at least one of the three previous (consecutive) Board votes. Votes to abstain count toward participation and toward a quorum. Members may regain voting privileges by asking to have their voting privileges reinstated through the private mailing list or during a Board meeting. If Members have not voted in the past year, they can be removed from the Board by Board vote, following the procedures for forced removal.

  - 13 votes: Yes

  - 0 votes: No

  - During voting, additional/alternate language was proposed as follows:
    Board members have a responsibility to participate by voting. Members will lose voting privileges if they do not vote in at least one of the three previous (consecutive) Board votes. Votes to abstain count toward participation and toward a quorum. Members may regain voting privileges by asking to have their voting privileges reinstated through the private mailing list or during a Board meeting. If Members have not voted in the past year, they can be removed from the Board by a Board vote, following the procedures for forced removal. If there are multiple Board Members from a single organization, then the above applies to the organizational Members, not the individual Members. In other words, a vote submitted by an organizational member counts as a single vote, with credit for voting recognized for all Board Members from that organization.

MITRE will send the revised Charter and voting results to the Board on 8/12 and requests feedback by 8/19. A clean copy of the Charter will then be disseminated on 8/19, giving the Board a week to review. At the next Board meeting (8/25), the Board can decide whether the Charter is ready for a final vote of approval.

MITRE announced that the Terms of Use (TOU) have been approved. The new TOU will go into effect as soon as they are posted to the CVE website.

The new TOU will allow DWF (or anyone else) to send the descriptions of CVE assignments directly into the CVE List, but this may be delayed by some technical issues that MITRE and DWF are actively working through. In addition, the minimum set of content that must be included in a CVE entry will be publicly documented very soon, as will the technical methods for sending description content directly to the CVE List.

To satisfy the request that Board voting participation be monitored by the Board, MITRE offered that the current Charter voting results are being tracked in a spreadsheet and that information, along with future voting, will be tracked and shared with the Board.

Because staff changes occur within MITRE from time to time, MITRE will introduce new staff members as they join the CVE team and will ensure that everyone on the call (including MITRE staff) is listed in the minutes.

The Black Hat and DEF CON conferences gave MITRE an opportunity to perform significant outreach and give the CVE program additional public exposure. Part of this effort involved increasing awareness of the growing CNA program, and new contacts and potential CNAs were identified.

The Board stated the need for an outreach plan. The plan would include details that allow the Board to stay aligned with MITRE when speaking publicly, recruiting new CNAs, and growing awareness of the program. The Board will stand up an outreach working group to address this need. The goals of this working group would include developing content and presentations that Board members can use when performing outreach. MITRE will also keep the Board apprised of progress in recruiting CNAs and will collaborate with the Board on a strategy for targeting potential CNA candidates.

Action items:

1.      CNA counting document (counting decision tree)—Expecting feedback by COB 8/22

2.      Charter—clean copy out 8/12, along with voting results. Feedback from Board by 8/19; send clean copy out on 8/19 and decide on 8/25 whether the Charter is ready to be voted on.

3.      Add MITRE staff in attendance to minutes.


The next Board meeting will be held on August 25.


Attachment: CVE_Board_Summary_20160811.pdf (68K)