|
|
Kurt Landfield? I guess you are only half confused. But which half? ;-) -- Kent Landfield 817-637-8026 kent_landfield@mcafee.com From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Adinolfi, Daniel R" <dadinolfi@mitre.org> CVE Board Meeting 3 May 2017, 2:00 p.m. ET The CVE Board met via teleconference on 3 May 2017. Board members in attendance were: Harold Booth (NIST) Art Manion (CERT/CC) Kent Landfield (McAfee) Kurt Seifried (Red Hat/DWF) William Cox (Black Duck) Pascal Meunier (Purdue)
Scott Lawler (LP3) Dave Waltermire (NIST) Members of the MITRE CVE Team who attended the call are as follows: Dan Adinolfi Chris Coffin Jonathan Evans Anthony Singleton George Theall Agenda CVE Board Meeting 3 May 2017 Agenda 2:00 – 2:05: Introductions, action items from the last meeting - Chris Coffin 2:05 – 2:35: Interview Board Member Candidate - CVE Board 2:35 – 2:55: Working Groups Strategic Planning - Harold Booth/Art Manion/Kent Landfield Issues Actions Board Decisions Automation - Harold Booth/Kurt Seifried Issues Actions Board Decisions 2:55 – 3:20: CNA Update DWF – Kurt Seifried Issues Actions Board Decisions General - Dan Adinolfi Issues Actions Board Decisions 3:20 – 3:30: CNA Report Card for First Quarter 2017 Follow-up - Dan Adinolfi 3:30 – 3:40: Formal CNA Rules Change - 24-hour notification limit upon CVE ID used publicly - Chris Coffin 3:40 – 3:55: Discussion: Three potential topics: 1) Should CNAs assign CVE IDs to bundled third-party components where the component isn't in their scope, strictly speaking? Should they instead assign through the DWF for OSS, for
example? 2) We will consider whether Working Groups can run pilots without the Board's permission, and in what form should that permission come? 3) There is a suspicion that most people they do not know how to interact with the Board (e.g., just email random members?), so contacting MITRE and doing it via MITRE seems reasonable,
but also a potential conflict of interest as it were. The Board should start a laundry list of process/procedural things that might need fixing. 3:55 – 4:00: Action items, wrap-up – Chris Coffin Interview Board Member Candidate - CVE Board The CVE Board interviewed a prospective Board member. Introductions and review of previous action items
Working Groups
CNA Update
CNA Report Card Update – Dan Adinolfi After the Board’s review of the CNA Report Card during the last Board meeting, and after some additional email discussion, the Board was given an opportunity to have a follow-up discussion. The Board felt
no additional discussion was needed beyond the recommendation that an anonymized version of the Report Card be shared with the CNAs. MITRE is developing that version of the Report Card and hopes to have a draft available to the Board before the next Board
meeting. Changing the CNA Rules to Enforce the 24-hour publishing expectation – Dan Adinolfi Will begin the review cycle for the CNA Rules and include the 24-hour rules. This should be starting in June with a 3-month development process. Working Group Process – CVE Board Any significant, organized development by a Board Working Group should be treated as any other change to the CVE program. Therefore, before beginning such efforts, the Working Group in question should post
a description of the effort to the public Board list with the statement, including the goals and general process the effort will follow. The Board would then have an opportunity to discuss the effort, come to a consensus on it, and either accept or reject
the proposal within a specific time limit. This process will be included in the Board Charter during the next Charter revision.
Communications with CVE – CVE Board CVE Program directs stakeholder to the CVE Request web form or to
cve@mitre.org for communicating with the CVE program. The Board wondered if a separate contact method was needed for those looking to reach the CVE Board directly. With almost no such communications coming through the regular
communication methods, the Board decided against this. Instead, MITRE will share with the Board some general info and trends that we see in our communications with stakeholders. Action items, wrap-up – Chris Coffin
|