CVE Board teleconference summary - August 25, 2016

["Sain, Joe" <jas@mitre.org>]

CVE Board Meeting

25 August 2016, 2:00 p.m. EST

 

The CVE Board met via teleconference on 25 August 2016.

 

Board members in attendance were:

Andy Balinsky (Cisco)

Harold Booth (NIST)

Kent Landfield (Intel)

Scott Lawler (LP3)

Pascal Meunier (CERIAS/Purdue University)

Kurt Seifried (Red Hat)
David Waltermire (NIST)

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Jon Baker

Tiffany Bergeron

Steve Boyle

Chris Coffin

Christine Deal

Jonathan Evans

Chris Levendis

Meghan Manley

Joe Sain

Anthony Singleton

George Theall

Donna Trammell

 

Agenda

 

2:00 – 2:05: Introductions, action items from the last meeting

2:05 – 2:15:  DWF Update

2:15 – 2:45: CVE Board Charter; vote results and next steps

2:45 – 3:15: CVE Operations Update

3:15 – 3:45: CNA Update and CVE Outreach Discussion

3:45 – 3:55: Updated CVE Counting Rules Document

3:55: Action items, wrap-up

 

The meeting began with an announcement that Alan Paller (SANS) has stepped down as a member of the Board since he has been unable to participate recently.

 

All action items from last week have been resolved. A new version of the Counting Document was sent to the Board list on Wednesday, August 24^th, and the latest version of the Charter was sent on August 22^nd.

 

DWF Update

DWF has been training a new analyst, and that training is now complete. A discussion on Service Level Agreements (SLAs) is needed to ensure CNAs, including DWF, are maintaining a suitable level of service and focusing on measuring “things that matter”. The start of this discussion will be posted to the Board list and will include:

• What information do they have to publish and how often should it be published? This will be described in ranges instead of absolute numbers, since there must be flexibility to fit various business processes and domains. Disclosure schedules and embargo periods will be addressed.
• For embargo policies, different domains will have different embargo policies. We want to encourage as small a number of embargo types as possible. We also want to discourage the overuse of exception processes.

 

CVE Board Charter; vote results and next steps

The latest version of the Charter went out for feedback on Monday, August 22^nd. The Board was comfortable with moving forward with the vote based on the current draft of the Charter. The Charter will be sent out Friday, August 25^th with a two-week voting period through September 8^th.

 

CVE Operations Update

MITRE recently announced they would be moving away from CVE email requests and instead use a web form for collecting CVE requests. One goal is to make CVE communications easier between the CVE team and other stakeholders. This will be a significant improvement to MITRE’s operational environment. The new web form will be in place Monday, August 29^th; however, the CVE email requests will continue for a short period of time until CVE requesters are made aware of the CVE web form.

 

The Board expressed some concern over how the news of the change was generally communicated. That said, the Board was happy to see automation and structure in the CVE request system.

 

MITRE considers the format of the web form to be an early version which will be improved upon in short order. MITRE plans to monitor the use of the form in the first few weeks of its implementation, derive lessons-learned from that use, and plan for improvements quickly.

 

The Board was informed that they were welcome to test the web form and provide feedback to MITRE. 

• One can open up a ticket to test the system, but MITRE requested that the tester identify it as a testing ticket.
• There are no limitations on testing, but MITRE requested that testers avoid denial of service attacks. Note, the system has been tested internally at MITRE.

• Send MITRE your feedback- one can send feedback directly to MITRE through the form itself or through cve@mitre.org.
• The form can accommodate one CVE ID request at a time or a request for more than one CVE ID. Requesters can enter up to ten CVE requests at a time. CNAs can request a block of CVE IDs. One can also request an update to an existing CVE entry, send a question or comment, or notify MITRE of a CVE publication.
• The use of the ticketing system will only be an operational change within MITRE and will not change the CVE list. Making this change will be more efficient and easier for the MITRE team to track CVE requests.

The cve-assign email account will remain open for a short time after the web form is put into production. Any messages sent to the account will receive an auto-response informing people that they should use the new CVE web form. Each request made through the web form will have a confirmation number, and that number will be provided in a message from the new cve-requests email address to the requester.

 

 

CNA Update and CVE Outreach Discussion

Intel and Apache were recently brought on as CNAs. The scope for Intel will be better defined on the CVE web site once Intel has discussed their CNA processes with their partner organizations.

 

The Board discussed developing a long term strategy for CVE and the CNA program. DWF was the first CNA to be created as a federated CNA. Federation will facilitate growth of the CVE program over time with MITRE as the coordinator. The Board needs to consider how they would advise the CNA program be organized going forward. The Board then needs to act on those ideas. One main question that must be answered is, “Where does the Board want CVE to be in two or three years as CVE further develops?” Right now the federation is starting to crawl. What can be done internally to support this evolution?

 

The Board felt setting up a Working Group to hash through some of these things is a good idea. The Board needs to have conversations regarding what a federated environment will look like in three years.

• How do you bring on a CNA?
• What should be included in CVE’s scope?

• How does CVE get collaboration with the community towards the final solutions that can accommodate growth and new technology?
• The Board should plan on having discussions and proposing a working group to develop artifacts and documentation created in an open and transparent manner. By doing so, CVE can work more collaboratively to collect many thoughts and ideas.

The CNA Rules document is going through final revision and will be ready next week. This document describes the federated structure and operational tasks and governance.

 

Assuming that a Working Group can be created after the Charter vote, the Board wanted to begin the discussions informally and then bring them to the Working Group once it has formed. In addition, the Board proposed holding face-to-face working meetings. Plans for scheduling such meetings will begin immediately, including a meeting for the CNAs to gather and work through training and other CNA-specific issues. A call for participation will be sent out over the Board mailing list for the pre-Working Group and Working Group.

 

Updated CVE Counting Rules Document

The current draft of the CVE Counting Rules Document was sent out Wednesday, August 24^th. Some comments were received from the Board. Based on comments received the document will be revised, and a new version will be distributed. The conversations on the Board mailing list will continue and any new thoughts are appreciated. A new update will be shared within the next few days.

 

Concern was expressed over the way the vulnerability definition is framed. The definition seems to exclude hardware vulnerabilities, which was not the intention. The Board wants to ensure that the definitions used do not inadvertently limit the potential of CVE as it expands its scope.

 

Additional Issues

 

An update on the creation of a vulnerability taxonomy by NIST was requested, and that taxonomy will be presented in the next few weeks. Feedback from the CVE web form and verbiage in the taxonomy will be aligned as identified in the community. The Board will expand the taxonomy as needed. Development of the second version of the CVE web form will be around the same time as feedback from the taxonomy. The description alignment should be right on target.

 

Action Items:

¨      MITRE will send out a new version of the CNA Rules document to reflect the changes suggested by the Board.

¨      A vote on adoption of the revised Charter will be initiated by MITRE on Friday, August 26. There will be a two week voting period that ends on Thursday, September 8. Results of the vote will be announced at the CVE Board meeting later that day.

¨      Kent Landfield will develop an announcement on the formation of a CNA Working Group.

¨      Harold Booth will send a vulnerability description to the MITRE CVE Content team.

 

The next Board Meeting will be held on September 8^th.

 

Attachment: CVE_Board_Summary_20160825.pdf
Description: CVE_Board_Summary_20160825.pdf