Correction: CVE Board Meeting summary - 11 December 2019


Bazar, Jo E.

Kathleen Noble, Intel, attended the December 11, 2019 CVE Board meeting. Corrected meeting minutes attached.

From: Bazar, Jo E.
Sent: Tuesday, December 17, 2019 9:10 AM
To: CVE Editorial Board Discussion <[hidden email]>
Subject: CVE Board Meeting summary - 11 December 2019

 

CVE Board Meeting – 11 December 2019

Board Members in Attendance

  • Tod Beardsley, Rapid7
  • Patrick Emsweller, Cisco Systems, Inc.
  • Scott Lawler, LP3
  • Beverly Alvarez, Lenovo Group Ltd.
  • Scott Moore, IBM
  • Kathleen Noble, Intel
  • Shannon Sabens, Trend Micro
  • Takayuki Uchiyama, Panasonic Corporation
  • Ken Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance

  • Jo Bazar
  • Christine Deal
  • Jonathan Evans

Agenda

  • 2:00 – 2:15: Introductions, action items from the last meeting
  • 2:15 – 2:30: Working Groups
    • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • Quality Working Group (QWG): Chris Coffin
    • Automation Working Group (AWG): Lew Loren
    • Strategic Planning Working Group (SPWG): Kent Landfield/Chris Coffin
  • 2:30 – 2:45: Root CNA Update
    • MITRE: Jo Bazar
    • JPCERT: Jonathan Evans/Chris Coffin
  • 2:45 – 3:00: CVE Global Summit – Beverly Alvarez
  • 3:00 – 3:15: CNA Rules Revision Status – Jonathan Evans
  • 3:15 – 3:30: Researcher Requirements – Chris Levendis
  • 3:30 – 3:55: Open Discussion
  • 3:55 – 4:00: Action items, wrap-up


#


Action Item


Responsible Party


Status


Comments

1.23.1

Assemble additional operational guidance for program participation by CNAs (e.g., webinars, instructional videos).

MITRE (Evans)

In Process

MITRE assembled a list of guidance priorities and other areas of the program; the top five priorities are listed below:

  1. How to submit entries to MITRE using the web form (CNA Submission process)
  2. CVE ID assignment rule (Counting) – DRAFT sent for inputs to CNACWG and OCWG
  3. Becoming a CNA – DRAFT sent for inputs to CNACWG and OCWG
  4. CVE Program (includes Root structure) 
  5. How to request MITRE CNA populate a CVE entry (CNA Process)
  6. How to create a CVE Entry (CNA Entry creation)

 

10/30 Update: A timeline was prepared and will be shared at the next board meeting. “Becoming a CNA” will be sent by COB 11/1/19, and the CVE Board members will have two weeks to provide feedback.

11/13 Update: Feedback is due by 11/17 for Becoming a CNA, and the CVE Entry Creation is scheduled to be released NLT 11/17; feedback is due by 12/1/2019.

12/11 Update: Next video to be released for feedback is CVE Submission Process.

4.17.5

Research solution for storing, archiving, and central repository for CVE Board and WG meeting minutes, recordings, as well as tracking action items.

MITRE (Lew L.)

In Process

10/30 Update: The developers are setting up online storage in Glacier; download will be available after 90 days and will take a few days.

7.24.01

Develop a strategy for handling public but low-quality vulnerabilities, especially cases where the vendor or maintainer has not acknowledged the vulnerability.

MITRE

(Chris C./Jonathan E.)

In Process

9/4 Update: Outline drafted by Jonathan and is being reviewed by the CVE team.

8.21.01

Take the lead for contest open to the community to create new CVE logo.

OCWG

In Process

9/4 Update: OCWG discussed at last meeting and is seeking additional guidance from the CVE Board.

10/16 Update: Shannon provided a list of requirements/questions for the CVE Board to consider. 

10.16.01

Follow up with MITRE legal about CVE logo language and design usage and required approvals. 

MITRE (Chris L.)

In Process

12/11 Update: MITRE legal team is drafting language to provide to OCWG.

  10.16.02

MITRE communicate RBP backlog strategy to CVE Board.

MITRE (Chris L.)

In Process

11/13 Update: To date, 331 (19%) CVE Entries have been populated from the MITRE backlog (was 1,700), with 1,369 remaining. Based on the current run rate, the remaining MITRE backlog can be worked off by the end of January.  The CVE Entries are taking longer due to counting issues, and CNAs unable to help us identify which CVE ID goes with which vulnerabilities.  

10.30.02

Update RBP threshold policy to include consequences for CNA’s with backlogs over the specific threshold.

MITRE (Jonathan E./Jo B.)

In Process

11/13 Update: RBP policy drafted and being reviewed by CVE team. Policy document will be sent to the CVE Board for review and comment.

 

11.13.01

Update CNACWG charter to reflect updates to the voting process, CNACWG Chair role and CNA Liaison role, to match CVE Charter.

Tod Beardsley

Completed

12/11 Update: Charter 2.0 distributed to the CVE Board and posted on CVE Website.

 

Working Group Updates

  • Outreach and Communications Working Group (OCWG): Shannon Sabens
    • OCWG meeting was held on December 9, 2019:
      • CVE Logo contest - https://99designs.com/how-it-works
        • Text out to the group for feedback by 12/13 to send to the logo design team.
      • Press Release template for CNAs to use for new CNA announcements. Shannon explained that the requirements needed to be nailed down.
        • The group agreed to review the press releases for new CNAs, instead of providing a press release template for now.
      • Potential introductory letter is drafted and customizable for different audiences (vendors, researchers, bug bounties, PSIRTs, etc.).
  • CNA Coordination Working Group (CNACWG): Tod Beardsley
    • CNACWG meeting was held on December 4, 2019:
      • CNACWG documents and files were moved from Google Docs to SharePoint, and the CNACWG mailing list was transferred to MITRE.
      • Draft dispute process sent on 12/11 to CVE Board for review and feedback.
      • Call for Papers (CFP) email sent to CNAs; one response and two suggested topics so far. Deadline is January 3.
  • Quality Working Group (QWG): Dave Waltermire/Chris Coffin
    • QWG meeting was held on December 5, 2019:
      • Use case interview with Patrick Emsweller from Cisco; the next use case interview will be with NIST.
  • Automation Working Group (AWG): Lew Loren
    • No updates
  • Strategic Planning Working Group (SPWG): Kent Landfield
    • No updates

CNA Updates

  • MITRE – Jo Bazar
    • Requests to become a CNA
      • Received six CNA requests since the last CVE Board meeting.
    • On-Boarding
      • Conducted one on-boarding session since the last Board meeting.
      • One organization is actively working through the guided examples.
      • Two CNA on-boarding sessions are scheduled in December 2019.
      • One on-boarding session is pending scheduling.
    • CNA Announcements and News
      • Two CNA announcements since the last Board meeting: Eaton and SICK AG.
      • There are now 109 CNAs participating in the program, in 20 countries.
      • 73 in the CNA pipeline, with 42 entering the pipeline this calendar year (Q1: 6; Q2: 6; Q3: 17; Q4: 18 so far).
      • Three pending CNA announcements.
  • JPCERT – Jonathan Evans/Chris Coffin
    • No updates


CVE Global Summit 2020 – Beverly Alvarez/Jo Bazar

  • CVE Global Summit 2020 will be hosted by Lenovo. The Summit will be at Lenovo in Morrisville, NC, and will be held on Monday, March 2, and Tuesday, March 3.
    • NetApp will be hosting the FIRST-TC in Raleigh, NC, on Wednesday, March 4 and Thursday, March 5.
  • The group discussed if CVE Global Summit attendees should only be CNAs and CVE Board Members. We currently have a request for a PSIRT who wants to attend the Summit.
    • The group agreed if a company is in the on-boarding process to become a CNA, a representative from the company can attend the CVE Global Summit.

CNA Rules Revision Status – Jonathan Evans

  • MITRE has incorporated the comments received from the CNAs. The final comment period for Board members began Tuesday (12/10) and will end Wednesday (12/18). Comments received during this period will be incorporated into the final version and sent to the CVE Board members for a vote.


Open Discussion

  • The MITRE CVE Team hosted a booth at the Black Hat Europe 2019 Conference in London, December 3-4. The objective was to educate conference participants about the CVE Numbering Authority (CNA) partnership program. The CVE Program has two main goals: 1) To scale the CVE Program for broader adoption and coverage and 2) To produce more CVE Entries, faster. Both goals can be realized by growing the number of CNA participants. The conference allowed the CVE team an opportunity to reach an international audience—engaging with community members to better understand how they use CVEs, educating them on how they can become involved with solving vulnerability management by participating in the working groups, and providing information about initiatives underway within the CVE program.  Most visitors to the booth knew about the CVE Program, and in fact, indicated that they handle CVEs every day in their various work environments; however, few knew about the goal to federate and add partners (in the form of CNAs) to the program.

 

Action Items from Board Meeting held on 11 December 2019

12.11.01
Action Item: Send Eventbrite registration form for CVE Global Summit.
Responsible Party: Jo Bazar (MITRE)
Status: Not Started
Comments: Assigned on 12/11/19

12.11.02
Action Item: Follow up with MITRE Legal on verbiage for CVE logo contest.
Responsible Party: Jo Bazar (MITRE)
Status: Not Started
Comments: Assigned on 12/11/19


Board Decisions

  • None

Future Discussion Topics

1. Communication
   a. Outreach – OCWG for most of this section (noted otherwise).
      i. Localization – should start in the QWG for guidance, then to the AWG for implementation.
      ii. Upstream producers –
         1. CNA Recruitment
      iii. Downstream users –
      iv. Related Projects
         1. Vulnerability Description
            a. VDO
            b. CSAF
         2. Severity
            a. CVSS
         3. Product identification and management
            a. SBOM
               i. CWE
                  1. Hardware
   b. Metrics – CVE Board
      i. Community metrics (Public metrics)
      ii. CNA specific metrics
      iii. Program performance (Report card)
   c. Knowledge capture/transfer – CVE Board
      i. Record Working Group meetings
         1. Where to store the recordings?
      ii. Issue tracking
      iii. Storage of WG materials – SharePoint site (CVE CNA site)
2. Strategy
   a. Program Structure – SPWG
   b. Roles, responsibilities, and requirements – SPWG
      i. Disclosure Policies
      ii. Scope
         1. Non-vendor CNAs
            a. Adding new non-vendor CNAs is on hold until the Board can come to an agreement on the requirements for this type of CNA
         2. Root CNA shopping
         3. Assigning CVE IDs to vulnerabilities in a non-CNA vendor’s product
            a. CNA scope to the cooperative sub-CNAs
   c. Coverage – CVE Board
      i. What’s in, What’s out
      ii. End of life
      iii. Software as a service
      iv. Hardware
         1. Define (not a wrench)
      v. Open source software
   d. Goals – CVE Board
3. Operations
   a. Guidance
      i. Operationalizing Root CNAs – SPWG
         1. What is MITRE’s role
         2. How to best operationalize Root CNAs
      ii. For new CNAs – CNACWG
         1. What is needed?
         2. What are the best formats?
         3. How to minimize one-on-one guidance
      iii. How to supply refreshers – CVE Board/CNACWG
   b. CNA Management – CNACWG
      i. CNA Process – Front Door or Back Door: How should CNAs communicate with each other, and how would that information be managed?
      ii. Requirements
         1. Responsiveness
         2. Time to populate
         3. RBP start time
      iii. Scope statement best practices
      iv. Rules Violations
         1. Assignment correction processes (e.g. reject, split, merge) should account for violations
   c. Assignments – CVE Board
      i. Prevent duplicates
         1. How can CNA scopes help?
   d. Submissions – QWG and CVE Board; AWG handles format implementation
      i. Formats
      ii. Information requirements
         1. Add impact
         2. Add publication data
         3. Add vulnerability type
         4. Split problem type into vuln. type, root cause, or impact
         5. Don’t require references
      iii. Should the description match the separate metadata fields
4. CVE List – QWG
   a. Formats (all different formats) – CVE Board
      i. How can the download formats be updated or retired?
   b. CVE Tagging
      i. Helps filtering
      ii. How to identify the categories we need
      iii. Should the tagging be attached to the product or the vulnerability?
      iv. Could we leverage a product listing the CVE User Registry?
      v. Can it be automated?
      vi. EOL tagging
   c. Prose description, do we need it?

Attachment: CVE_Board_Meeting_11 Dec 2019_FINALv1.pdf (558K)