CVE Board Meeting
8 March 2017, 2:00 p.m. EST

The CVE Board met via teleconference on 8 March 2017. Board members in attendance were:
· Andy Balinsky
· Harold Booth (NIST)
· William Cox (Black Duck)
· Kent Landfield
· Taki Uchiyama

Members of the MITRE CVE Team who attended the call are as follows:
· Dan Adinolfi
· Jon Baker
· Chris Coffin
· Jonathan Evans
· Matt Hansbury
· Anthony Singleton
· George Theall

Agenda
· 2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
· 2:05 – 2:25: Working Groups
  o Strategic Planning - Kent Landfield (Issues, Actions, Board Decisions)
  o Automation - Harold Booth (Issues, Actions, Board Decisions)
· 2:25 – 2:50: CNA Update
  o DWF – Kurt Seifried (Issues, Actions, Board Decisions)
  o General - Dan Adinolfi (Issues, Actions, Board Decisions)
· 2:50 – 3:00: FIRST PSIRT Meeting - Dan Adinolfi
· 3:00 – 3:10: CNA Documentation - Dan Adinolfi
· 3:10 – 3:20: CNA Report Card - Chris Coffin
· 3:20 – 3:40: Twitter and LinkedIn Presences - Chris Coffin
· 3:40 – 3:50: Pain Points - Chris Coffin - CVE entry sources
· 3:50 – 3:55: Open discussion – CVE Board
· 3:55 – 4:00: Action items, wrap-up – Chris Coffin

Introductions and review of previous action items
· A poll for scheduling the next and future Automation Working Group meetings was shared.
· A version of the CNA documentation list was added to GitHub under a new branch. The link will be shared widely once all the placeholders have been created. This list includes a placeholder for a paper describing vulnerabilities in more detail.
· A summary of observations from the RSA Conference will be sent to the Board.
· Use cases for including services in the CVE list are still being developed by the Board.

Working Groups
· Strategic Planning - Kent Landfield
  o Issues
    § There were no updates from the Strategic Planning Working Group.
  o Actions
    § The WG is considering changing its meeting schedule to once a month instead of every other week.
  o Board Decisions
    § There was no additional Board discussion.
· Automation - Harold Booth
  o Issues
    § The WG is considering how to allow for bi-directional data flow of CVE data between CNAs.
  o Actions
    § The WG is waiting for a pull request to be accepted within GitHub and for a message to be sent to the CNAs and the Board that they can start using the current version of the JSON format.
  o Board Decisions
    § The Board suggested moving the bi-directional data flow issue to the Strategic Planning group.

CNA Update
· DWF – Kurt Seifried
  o Issues
    § CNAs are required to push data to their parents and ultimately to MITRE. How does data from MITRE, or data that goes directly to MITRE, filter back to the original CNA? As mentioned during the Automation WG discussion, the need for bi-directional data flow needs to be considered.
  o Actions
    § DWF would like additional CNA/CVE training material to help with the creation of more CVE Mentors.
    § There is interest in CVE Mentors becoming CNAs for third-party projects (e.g., Adam Caudill covering WordPress). CVE should consider the creation of this category of CNA.
  o Board Decisions
    § There was no additional Board discussion.
· General - Dan Adinolfi
  o Issues
    § The Board suggests that CVE should begin working with the Chinese government as soon as possible to avoid any political complications of introducing CVE into the Chinese market.
  o Actions
    § MITRE met with Netgear, who is now on-boarded as a CNA.
    § MITRE met with Qihoo 360, who is now on-boarded as a CNA.
  o Board Decisions
    § There was no additional Board discussion.

FIRST PSIRT Meeting - Dan Adinolfi
  o Daniel Adinolfi attended the FIRST PSIRT Technical Colloquium in Raleigh and presented on CVE and the CNA program. He received a good deal of feedback on the CNA rules and the direction CVE is heading. He also got a few more leads on new CNAs.

CNA Documentation - Dan Adinolfi
  o MITRE will send out a link to the CNA documentation list in GitHub.
  o As discussed in previous meetings, once initial drafts of the documentation within the tree are completed, the Board will be given two weeks for comment. Those comments will be integrated into a final draft by MITRE within a week and then included on the CVE website as official documents.

CNA Report Card - Chris Coffin
  o Design of the CNA Report Card is close to completion.
  o MITRE will send out the template before the next Board meeting.

Twitter and LinkedIn Presences - Chris Coffin
  o MITRE has created two Twitter accounts and is actively updating them. These accounts are @CVEnew (listing new CVE IDs as they are published) and @CVEannounce (listing announcements by the CVE team). They are both getting followers.
  o A LinkedIn CWE/CVE/CAPEC page has been created as well. This will be used in support of the CVE blog.

Pain Points - Chris Coffin
  o Should CVE entries include the source of the CVE ID?
  o MITRE is considering providing information on who submitted CVE request information.
  o MITRE asked the Board for their thoughts on this and whether they thought it was something the public would be interested in participating in. The Board's reaction to the question was mixed and no definitive conclusion was reached.

Open discussion – CVE Board
  o The Board needs to develop additional clarification and have more discussion related to the use cases for including services in the CVE list.

Action items, wrap-up – Chris Coffin
  o The CNA Report Card template will be provided to the Board by the next Board meeting.
  o MITRE will create a poll to determine when the Strategic Planning WG should meet each month.
  o Descriptions for each document listed in the CNA documentation tree will be created.
Attachment: CVE Board Meeting_3_8_17.docx