Re: Agenda for CVE Board Meeting March 8 (Wednesday)

To: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
Subject: Re: Agenda for CVE Board Meeting March 8 (Wednesday)
From: Kurt Seifried <kseifried@redhat.com>
Date: Wed, 8 Mar 2017 12:08:07 -0700
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=redhat.com;
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-date: Wed Mar 8 14:21:23 2017
In-reply-to: <278AE068-E53A-42BB-B01E-EE5D3EF41F08@mitre.org>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <278AE068-E53A-42BB-B01E-EE5D3EF41F08@mitre.org>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2

My throat is mostly packed up today, so mostly what I have to report:

1) need to CNA/CVE training material to mint more CVE Mentors (since I can't just use existing trained people =)

2) there is definitely interest in CVEMentors becoming CNAs for third party projects (e.g. Adam Caudhill doing wordpress)

One thing that I forgot to mention on the CVE automation WG yesterday but is worth thinking about both for them and the board:

CNA's are required to push data to their parents and ultimately to MITRE, BUT:

how does data from MITRE or data that goes directly to MITRE filter back up the patch?

E.g. DWF CNA creates CVE-XXXX-YYYYYYY and pushes to the DWF which pushes it to MITRE. Then an existing root CNA, say a commercial one, comes along and updates the CVE root level description. How does that updated description go back up the chain to the DWF/child CNA? Do we care? My concern is ending up with different versions of a CVE that become difficult to merge (e.g. a DWF sub CNA updates the root description and then tries to send that up the line to MITRE).

This won't be a problem for sometime I suspect, but it will become a problem eventually.

On Wed, Mar 8, 2017 at 11:59 AM, Adinolfi, Daniel R <dadinolfi@mitre.org> wrote:

All,

I apologize for the late arrival of the agenda for this week's CVE Board meeting. It is below.

Thanks.

-Dan

CVE Board Meeting 8 March 2017

Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning - Kent Landfield

                        Issues

                        Actions

                        Board Decisions

            Automation - Harold Booth

                        Issues

                        Actions

                        Board Decisions

2:25 – 2:50: CNA Update

            DWF – Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

            General - Dan Adinolfi

                        Issues

                        Actions

                        Board Decisions

2:50 – 3:00: FIRST PSIRT Meeting - Dan Adinolfi

3:00 – 3:10: CNA Documentation - Dan Adinolfi

3:10 – 3:20: CNA Report Card - Chris Coffin

3:20 – 3:40: Twitter and LinkedIn Presences - Chris Coffin

3:40 – 3:50: Pain Points - Chris Coffin

            - CVE entry sources.

3:50 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Follow-Ups:
- Re: Agenda for CVE Board Meeting March 8 (Wednesday)
  - From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>

References:
- Agenda for CVE Board Meeting March 8 (Wednesday)
  - From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>

Prev by Date: Agenda for CVE Board Meeting March 8 (Wednesday)
Next by Date: Re: Agenda for CVE Board Meeting March 8 (Wednesday)
Previous by thread: Agenda for CVE Board Meeting March 8 (Wednesday)
Next by thread: Re: Agenda for CVE Board Meeting March 8 (Wednesday)
Index(es):
- Date
- Thread