FW: Proposed Working group and workshop

FW: Proposed Working group and workshop

Landfield, Kent B

All,

First off, a little history. Six months ago CVE was in a very different place than it is today. There was a lot of frustration around. Security researchers had nearly given up trying to work with CVE to get the IDs needed to label discovered vulnerabilities. Competing efforts seemed on the horizon. Board members’ frustration was becoming extremely apparent. Negative articles were being published about CVE management, and while MITRE was doing things behind the scenes to try to improve the CVE processes, it was not apparent to anyone else.

Fast-forward 6 months… During this time, we have had a reasonable amount of success.

Successes since March 1:

1) Regular Board Meeting Calls
2) New Charter developed and about to be voted on
3) Federated Proof of Concept with DWF conceived and successfully started
4) CVE ID Request changes with automation aspects (new web request page)
5) New CVE Counting Document
6) Multiple CNAs trained and added
7) MITRE communication plan for introducing public CVE process changes
8) First issuance of CVEs in the 1,000,000 range
9) New Board member and old ones resigning
10) Newly proposed Terms of Use to include support for Description contributions
11) CNA List created for all those actually acting as a CNA
12) CNA Governance and Rules document to be released next week to the Board

We have changed our risk-averse approach to CVE to one of “We are not afraid to fail. We will evolve.”

We have refocused our Board membership back on the passionate individuals wishing to advance CVE instead of any specific organization, which is now reflected on the web site.

We have taken the time to change the CNA architecture from the hub-and-spoke model to a federated model. The DWF “proof of concept” is operational and, from all apparent perspectives, successful. While there is a lot to do, it is obvious the federated CVE CNA model is here to stay.

So what do we want CVE to look like in 3-5 years? How do we plan on getting there?

On the Board call today I suggested we create a working group to try to address some of those questions. This is a working group as identified in the Charter. Instead of waiting weeks to get started, I suggested we create the WG as an ad-hoc working group until the Charter is approved, and then we can ‘officially anoint’ it.

The purpose of the working group is to create the overall CVE strategy, identify where it is we want to go, assure we identify what is needed to create a generic new ‘root’ CNA (get our terminology consistent), and then start addressing a tactical plan to get there. There are lots of questions we need to address. It is envisioned we will be using the CNA Rules document as one of the more foundational documents to describe the overall effort, governance and coordination processes.

I would like to ask who would like to participate? I have talked with a few of you and there seemed to be interest in the past. I will let MITRE work the mechanics of getting things set up. They get paid to do those types of things for the Board. ;-) Chris offered. ;)

Time to have the real foundational conversations needed in order to lay the groundwork for the future of CVE, its expanded coverage and capabilities.

Thanks.

---

Kent Landfield

+1.817.637.8026


Re: Proposed Working group and workshop

Scott Lawler

Kent,

Thank you for capturing this list of successes… great progress!

I would like to support the 3-5 year vision working group. It’s really important to lay that out so we know where we’re going.

The hardware vulnerability discussions are a good example of one of those percolating things we need to address… closely related to IoT, which is likely to be embedded hardware as well.

Glad to help.

Thank you,

Scott

Scott A. Lawler

Chairman/CEO

[hidden email]

703-509-9330

http://www.LP3.com

From: <[hidden email]> on behalf of "Landfield, Kent B" <[hidden email]>
Date: Friday, August 26, 2016 at 8:30 AM
To: cve-editorial-board-list <[hidden email]>
Subject: FW: Proposed Working group and workshop

 


RE: Proposed Working group and workshop

Williams, Ken
In reply to this post by Landfield, Kent B

I’d definitely like to participate.  Comprehensive CVE coverage of ALL vulnerabilities is a worthwhile goal to consider in such a WG.

 

Regards,
Ken Williams

Vulnerability Response Director, Product Vulnerability Response Team

CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022

 

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Landfield, Kent B
Sent: Friday, August 26, 2016 7:30 AM
To: cve-editorial-board-list <[hidden email]>
Subject: FW: Proposed Working group and workshop

 


Re: Proposed Working group and workshop

kseifried@redhat.com
Stupid question, but why are we being so stingy with CVEs? We should be handing them out like candy, and putting the "important" ones into the database (and accepting well-formed database submissions from all).

My only concern with DWF right now is SLAs (so we measure/do the right things) and then automation of it all.

On Fri, Aug 26, 2016 at 9:14 AM, Williams, Ken <[hidden email]> wrote:

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: Proposed Working group and workshop

Landfield, Kent B

Looks like you are indicating you are interested as well? ;-)  This will be a great question to discuss during the WG calls.   I see a strategic direction question there on approaches to issuance. …

 

---

Kent Landfield

+1.817.637.8026

 

From: Kurt Seifried <[hidden email]>
Date: Friday, August 26, 2016 at 11:02 AM
To: "Williams, Ken" <[hidden email]>
Cc: Kent Landfield <[hidden email]>, cve-editorial-board-list <[hidden email]>
Subject: Re: Proposed Working group and workshop

 


RE: Proposed Working group and workshop

Millar, Thomas
I think we need to consider how any Strategy WG output will be aligned or used to inform DHS funding and program direction. I guess that means I'm signing up.



Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov
 

From: [hidden email] on behalf of Landfield, Kent B
Sent: Friday, August 26, 2016 5:05:23 PM
To: Kurt Seifried; Williams, Ken
Cc: cve-editorial-board-list
Subject: Re: Proposed Working group and workshop


Re: Proposed Working group and workshop

Adinolfi, Daniel R
In reply to this post by Landfield, Kent B

Kent,

 

For the record, I also plan to participate in this group. I look forward to the work.

 

-Dan

 

From: <[hidden email]> on behalf of "Landfield, Kent B" <[hidden email]>
Date: Friday, August 26, 2016 at 12:05
To: Kurt Seifried <[hidden email]>, "Williams, Ken" <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: Re: Proposed Working group and workshop

 

Looks like you are indicating you are interested as well? ;-)  This will be a great question to discuss during the WG calls.   I see a strategic direction question there on approaches to issuance. …

 

---

Kent Landfield

+1.817.637.8026

 

From: Kurt Seifried <[hidden email]>
Date: Friday, August 26, 2016 at 11:02 AM
To: "Williams, Ken" <[hidden email]>
Cc: Kent Landfield <[hidden email]>, cve-editorial-board-list <[hidden email]>
Subject: Re: Proposed Working group and workshop

 

Stupid Question but why are we being so stingy with CVEs? We should be handing them out like candy, and putting the "important" ones into the database (and accepting well formed database submissions from all).

 

My only concern with DWF right now is SLAs (so we measure/do the right things) and then automation of it all.

 

On Fri, Aug 26, 2016 at 9:14 AM, Williams, Ken <[hidden email]> wrote:

I’d definitely like to participate.  Comprehensive CVE coverage of ALL vulnerabilities is a worthwhile goal to consider in such a WG.

 

Regards,
Ken Williams

Vulnerability Response Director, Product Vulnerability Response Team

CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022

 

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Landfield, Kent B
Sent: Friday, August 26, 2016 7:30 AM
To: cve-editorial-board-list <[hidden email]>
Subject: FW: Proposed Working group and workshop

 

All,

 

First off, a little history.  Six months ago CVE was in a very different place than it is today. There was a lot of frustration around. Security researchers had nearly given up trying to work with CVE to get the IDs needed to label discovered vulnerabilities. Competing efforts seemed on the horizon. Board members’ frustration was becoming extremely apparent. Negative articles were being published about CVE management and, while MITRE was doing things behind the scenes to try to improve the CVE processes, it was not apparent to anyone else.

Fast-forward 6 months… During this time, we have had a reasonable amount of success.

Successes since March 1:

1) Regular Board Meeting Calls
2) New Charter developed and about to be voted on
3) Federated Proof of Concept with DWF conceived and successfully started
4) CVE ID Request changes with automation aspects (new web request page)
5) New CVE Counting Document
6) Multiple CNAs trained and added
7) MITRE communication plan for introducing public CVE process changes
8) First issuance of CVEs in the 1,000,000 range
9) New Board member and old ones resigning
10) Newly proposed Terms of Use to include support for Description contributions
11) CNA List created for all those actually acting as a CNA
12) CNA Governance and Rules document to be released next week to the Board

We have changed our risk-averse approach to CVE to one of “We are not afraid to fail. We will evolve.”

We have refocused our Board membership back on the passionate individuals wishing to advance CVE instead of any specific organization, which is now reflected on the web site.

We have taken the time to change the CNA architecture from the hub-and-spoke model to a federated model. The DWF “proof of concept” is operational and, from all apparent perspectives, successful. While there is a lot to do, it is obvious the federated CVE CNA model is here to stay.

So what do we want CVE to look like in 3-5 years?  How do we plan on getting there?

On the Board call today I suggested we create a working group to try to address some of those questions. This is a working group as identified in the Charter. Instead of waiting weeks to get started, I suggested we create the WG as an ad-hoc working group until the Charter is approved and then we can ‘officially anoint’ it.

The purpose of the working group is to create the overall CVE strategy, identify where it is we want to go, assure we identify what is needed to create a generic new ‘root’ CNA (get our terminology consistent), and then start addressing a tactical plan to get there. There are lots of questions we need to address. It is envisioned we will be using the CNA Rules document as one of the more foundational documents to describe the overall effort, governance and coordination processes.

I would like to ask who would like to participate? I have talked with a few of you and there seemed to be interest in the past. I will let MITRE work the mechanics of getting things set up.  They get paid to do those types of things for the Board. ;-)  Chris offered. ;)

Time to have the real foundational conversations needed in order to lay the groundwork for the future of CVE, its expanded coverage and capabilities.

Thanks.

---

Kent Landfield

+1.817.637.8026
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 
[hidden email]


Re: FW: Proposed Working group and workshop

Art Manion
In reply to this post by Landfield, Kent B
On 2016-08-26 08:30, Landfield, Kent B wrote:

> So what do we want CVE to look like in 3-5 years?  How do we plan on
> getting there?
>
> On the Board call today I suggested we create a working group to try to
> address some of those questions. This is a working group as identified
> in the Charter. Instead of waiting weeks to get started, I suggested we
> create the WG as an ad-hoc working group until the Charter is approved
> and then we can ‘officially anoint’ it.

Sign me up.  Does this WG include the full board yet :) ?

On 2016-08-26 11:14, Williams, Ken wrote:
> Comprehensive CVE coverage of ALL vulnerabilities is a worthwhile
> goal to consider in such a WG.

Agree.

On 2016-08-26 12:02, Kurt Seifried wrote:
> Stupid Question but why are we being so stingy with CVEs? We should
> be handing them out like candy, and putting the "important" ones into
> the database (and accepting well formed database submissions from
> all).

Agree.

On 2016-08-26 08:30, Landfield, Kent B wrote:
> So what do we want CVE to look like in 3-5 years?  How do we plan on
> getting there?

Some caution here:  3-5 years out in internet time is, IMO, not
predictable.  I do think we can pick some direction/priorities, and make
some design choices that should enable flexibility when the future
arrives, but I'm not a fan of putting lots of effort into a 5 year plan
we'll have to throw away in <2 years.

Regards,

 - Art

Re: Proposed Working group and workshop

Landfield, Kent B
In reply to this post by Williams, Ken
Art wrote:
Some caution here:  3-5 years out in internet time is, IMO, not predictable.  I do think we can pick some direction/priorities, and make some design choices that should enable flexibility when the future arrives, but I'm not a fan of putting lots of effort into a 5 year plan we'll have to throw away in <2 years.
   
I can’t agree more….

---
Kent Landfield
+1.817.637.8026


RE: FW: Proposed Working group and workshop

Booth, Harold (Fed)
In reply to this post by Art Manion
I am interested as well.

-Harold

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Art Manion
Sent: Friday, August 26, 2016 1:53 PM
To: Landfield, Kent B <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: FW: Proposed Working group and workshop


RE: Proposed Working group and workshop

Millar, Thomas
In reply to this post by Landfield, Kent B
Plans are nothing, planning is everything.



Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov
 

From: [hidden email] on behalf of Landfield, Kent B
Sent: Friday, August 26, 2016 7:03:50 PM
To: Art Manion; cve-editorial-board-list
Subject: Re: Proposed Working group and workshop

Re: Proposed Working group and workshop

Landfield, Kent B
In reply to this post by Williams, Ken
Dear MITRE,

What is the status in setting this WG up? We definitely have interest...

Kent Landfield
+1.817.637.8026 

On Aug 25, 2016, at 5:56 PM, Landfield, Kent B <[hidden email]> wrote:

RE: Proposed Working group and workshop

Joe Sain

Kent –

 

Thank you for taking the time to speak with me. Based on our conversation, we will send out an email to members of the Board who have voiced interest, which will determine the Working Group meeting day, frequency, and length. We’d also like to start working with the group to set up a face-to-face meeting.  In the meantime, we would like to kick-start the group by setting up an initial discussion next week.

 

We also encourage other members of the Board who are interested in participating to let us know, and we’ll add you to the list.

 

Regards,

 

Joe Sain

The MITRE CVE Team

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Landfield, Kent B
Sent: Thursday, September 01, 2016 1:27 PM
To: cve-editorial-board-list <[hidden email]>
Subject: Re: Proposed Working group and workshop
