CVE Board Meeting
14 December 2016, 2:00 p.m. EST

The CVE Board met via teleconference on 14 December 2016.

Board members in attendance were:

- Andy Balinsky (Cisco)
- Harold Booth (NIST)
- Kent Landfield (Intel)
- Scott Lawler (LP3)
- Pascal Meunier (CERIAS/Purdue University)
- Ken Williams (CA Technologies)
- Kurt Seifried

Members of the MITRE CVE Team who attended the call were:

- Dan Adinolfi
- Chris Coffin
- Jonathan Evans
- Anthony Singleton
- George Theall
- Christine Deal
- Jon Baker

Agenda

- 2:00 – 2:05: Introductions, action items from the last meeting – Daniel Adinolfi
- 2:05 – 2:10: CVE Strategic Planning Working Group Update – Kent Landfield
- 2:10 – 2:40: DWF Update – Kurt Seifried
- 2:40 – 2:50: Automation Working Group – Kurt Seifried and Harold Booth
- 2:50 – 3:20: MITRE CNA adoption of CNA rules – Jonathan Evans
- 3:20 – 3:40: Pain Points – Daniel Adinolfi
- 3:40 – 3:55: Open discussion – CVE Board
- 3:55 – 4:00: Action items, wrap-up – Daniel Adinolfi

Action Items from the Previous Meeting

The meeting began with a review of the action items from the previous Board meeting. There were four action items. First, MITRE confirmed that it will send a CVE representative to RSA, who will be available to participate in the presentation and talk planned to announce the CVE Mentor Program. Second, the Vulnerability Naming Working Group is still to be created, and MITRE will complete this task. Third, the JSON schema was shared with the Automation Working Group. Finally, the December 28, 2016, Board meeting has been cancelled due to the holiday.

CVE Strategic Planning Working Group Update

At the previous meeting of the Strategic Planning Working Group (WG), the group discussed the potential impact of the planned CVE Mentor Program being developed by Kurt Seifried and Kent Landfield. (As mentioned above, the Mentor Program will be formally announced at RSA 2017 in February.) The Mentor Program, as with other parts of CVE, must be built to allow for the flexibility required to work across multiple domains and CNA roots.

The WG will also be doing additional work on comparing NIST's vulnerability ontology with the data elements of the proposed JSON schema, to ensure that both efforts are heading in the same or a compatible direction.

DWF Update

The DWF has been performing a clean-up of data submitted through its web form. They found that much of the data was not well-formatted, clearly stated, or sufficient. Having submitters acknowledge their acceptance of the terms of use has also been a challenge. The hope is for the Mentor Program to help train submitters to include well-formatted and proper data. The DWF will also continue to work through its backlog, which mostly involves obtaining affirmation of acceptance of the Terms of Use.

The DWF is also looking at identity management schemes to facilitate identifying users, authorizing their roles within the DWF, and generating a clear history of their participation.

Automation Working Group

The Automation Working Group met on December 6, 2016. The WG reviewed and commented on the JSON format. The strengths and weaknesses of using the format were discussed, and that discussion is ongoing, both within the WG and on the automation and CNA mailing lists. The WG is waiting on explicit permission from Intel to make use of their excellent counting spreadsheet so that it can act as a starting point for further automation development. The next meeting of the WG will be scheduled soon.

MITRE CNA Adoption of CNA Rules

MITRE has been reviewing its operational procedures to bring them into alignment with the CNA Rules. The Board considered the implications of changing the requirements that MITRE places on CVE ID requests to ensure MITRE can follow the CNA Rules. For example, MITRE assigns a CVE ID to a vulnerability before it becomes public and is then not notified when the vulnerability is made public. This leaves the CVE ID entry listed as "RESERVED" in the CVE List without a description, even though the details of the vulnerability are public, which causes confusion among CVE consumers. MITRE will continue to investigate options for reducing the occurrence of this and related issues.

Pain Points

The CVE Board discussed a recent incident on the CNA mailing list involving a Board member acting unprofessionally and inappropriately. The Board agreed that any response should be as transparent as possible.

MITRE, speaking on behalf of the CVE Board, will send a public message to the CNA list that calls out the unacceptable behavior. It will explain that repeated behavior of this kind will result in removal from the CNA list. MITRE, speaking on behalf of the CVE Board, will also send a direct warning to the Board member with the private Board mailing list CC'd. That warning will explain to the individual that disciplinary actions will be taken, up to and including removal from the CNA list, if there is any further unacceptable behavior. The Board member will not be removed at this time.

The Board will be updating the Board Charter to include more specific language regarding what is considered appropriate conduct for a Board member. It was suggested that the Board adopt the Contributor Covenant as a Code of Conduct: http://contributor-covenant.org/version/1/4/. This is used for the DWF's Code of Conduct. MITRE will draft updated language for the Charter by the next Board meeting, and that proposed language will be discussed then. The Charter already has what it needs to censure or remove a Board member, but this update will reinforce what is already included.

Open Discussion

Action Items:

The next Board Meeting will be held on January 11, 2017.
Attachment: CVE Board Meeting_12_14.docx