
CVE Board Meeting Minutes, 26 July 2017



CVE Board Meeting 26 July 2017

 

Board Members in attendance:

Taki Uchiyama (JPCERT/CC)

David Waltermire (NIST)

Kent Landfield (McAfee)

Andy Balinsky (Cisco)

Pascal Meunier (Purdue)

Beverly Finch (Lenovo)

Kurt Seifried (DWF)

Members of MITRE CVE in attendance:

George Theall

Chris Coffin

Jonathan Evans

Lynne Miller

Alex Tweed

Agenda

 

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning – Kent Landfield/Chris Coffin

                        Issues

                        Actions

                        Board Decisions

            Automation – Kurt Seifried/George Theall

                        Issues

                        Actions

                        Board Decisions

2:25 – 2:50: CNA Update

            DWF – Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

            General – Chris Coffin

                        Issues

                        Actions

                        Board Decisions

2:50 – 3:00: JSON Update Process – Chris Coffin

3:00 – 3:10: Assigner field for CVEs – Chris Coffin

3:10 – 3:20: RSS 2.0 feeds – Chris Coffin/George Theall

3:20 – 3:40: Updated CVE references (10k in two batches so far) – Chris Coffin

3:40 – 3:50: REJECT CVE IDs can move to another state starting July 27 – Chris Coffin

3:50 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

 

Review of Action Items from last meeting:

Previous Action Item:  MITRE will continue trying to contact Apple in regards to discussed issues

Status:  MITRE received a response from Apple, but the issue is not completely resolved. Apple did notify upstream users. Apple and Google always notify upstream users for shared library/code products, but may not publish all details right away.

Previous Action Item: MITRE will work towards having GitHub Issues set up for all CNA Rules changes

Status:  MITRE has added a significant number and will keep working on adding.

Previous Action Item: Kent to send out previous Strategic Planning WG slides and notes to Board

Status: Done

Previous Action Item:  MITRE to follow up with Kurt on git pilot plans and Test ID work

Status: Still TBD.

Previous Action Item:  Need an additional conversation on timeframe for JSON transition (add to agenda for Board or Strategic Planning WG)

Status:  Need to bring this up to the Automation Working Group.  Need to determine if JSON will be the preferred format or the only format after a transition period.

Previous Action Item:  MITRE to work on setting timelines/milestones for CVE training materials to the Board’s agenda

Status:  Strategic Planning Working Group to look at possibly using presentation from RSA as starting point.  Kent will send to MITRE. 

Previous Action Item:  Need a discussion of future requirements for being a Root and governance of Root CNAs (add to agenda for Strategic Planning WG)

Status:  MITRE will put on agenda for next Strategic Planning Working Group agenda. 

Previous Action Item:  MITRE to send out email and links for proposed RSS feeds

Status:  Done.

Previous Action Item:  Discuss closing the gap of publicly disclosed vulnerabilities that are not reported to the CVE program (add to agenda for Strategic Planning WG)

Status:  Need to add to agenda of Strategic Planning Working Group.

Previous Action Item:  MITRE to update quarterly report card based on Board feedback

Status: MITRE is making changes based on feedback.  An updated deck will be sent out after changes are incorporated.

Agenda Items:

Working Groups

Strategic Planning

 

Status:  The Strategic Planning Working Group met for the second time this year.  The WG is reviewing what it has accomplished, the agreements reached, and what is expected from a deliverable perspective, to establish a foundation for moving forward.  The deck is available on the Strategic Planning Working Group list.

Issues: None

Actions: None

Board Decisions: None

 

Automation

 

Status: Automation Working Group discussed the issue with the description size limit and the JSON format and validating sizes. 

Discussion:  The Board discussed adding functionality to allow mark-up of CVE descriptions.  It was noted that it is important to identify what the requirement is and only implement what is required. Changes impacting downstream users need careful discussion.  The community needs time to support a change to lessen the impact.  Streamlining the changes will lessen the disruption to the community. Requirements and potential changes should be brought up to the Board List first, and then sent to CVE mailing list for feedback.

Issues: None

Action: None

Board Decisions: None

 

CNA Update

Status: DWF added a couple of new sub-CNAs.

Discussion:  The Board discussed whether new sub-CNAs of a Root CNA should be announced by MITRE.  It was noted that the CNA rules require a Root CNA to notify MITRE so that sub-CNAs can be added to the CVE website.

Issues: Are there things that Roots need but don’t have?  Need to develop Root CNA documentation.  

Action:  The issue of Root CNA needs and documentation will be part of Strategic Planning Working Group.

Board Decisions: None

 

CNA MITRE

Status: MITRE added two new CNAs.

Issues: None

Actions: None

Board Decisions: None

 

JSON update process

Status: MITRE sent out update on how process should work.

Issues: None

Actions: None

Board Decisions: None

 

Assigner field for CVEs

Status: The CNA organization responsible for a CVE entry will be displayed for populated CVEs beginning the week of 8/7.  MITRE received positive feedback from a large percentage of CNAs, with no negative feedback or objections.  The information is not added to the data feeds; it is only a new field shown when viewing a CVE entry, so it does not impact downstream formats.

Discussion: MITRE asked the Board for feedback on providing CNA name for rejected CVEs. Providing this information is just for transparency.  The CNA data would have been available if the CVE entry had not been rejected. 

Issues: None

Action:  MITRE will request feedback from the CNA list about adding CNA information to rejected CVEs.

Board Decisions:  None

 

RSS 2.0 feeds

 

Status: RSS 2.0 feeds are ready.

Discussion:  The Board discussed using Atom format instead of RSS.  The Board indicated that it is worthwhile to look at Atom before implementing RSS feeds to avoid changes in the future.

Issues: None.

Actions: MITRE to set up Atom demonstrations and discussion with NIST and the Board.

Board Decisions: None

 

Updated CVE references (10k in two batches so far)

 

Status: Next update set for Friday.  There has been no feedback that there are any issues or downstream impacts.

Issues: None

Actions: None

Board Decisions: None

 

REJECT CVE IDs can move to another state starting July 27

 

Status:  Starting July 27, a CVE “rejected” status is no longer a permanent status.  MITRE sent out the announcement on Twitter and the CVE announce list at the end of June.

Discussion:  The Board discussed the importance of notifying the community early of any changes to CVE, especially changes that affect format.  It was suggested that the CVE announce list be used to communicate issues that will impact the community, since people will not necessarily read a blog or Twitter.  Information and announcements should be incorporated into the CVE announce list.

Issue: None

Action: MITRE to send out announcement that change in “rejected” status has become effective.  MITRE to include potential CVE changes to the CVE announce list for all types of changes going forward.

Board Decisions: None

Summary of Action Items

 

  • The issue of Root CNA needs and documentation will be part of Strategic Planning Working Group.
  • MITRE will request feedback from the CNA list about adding CNA information to rejected CVEs
  • MITRE to set up Atom demonstrations and discussion with NIST and the Board.
  • MITRE to send out announcement that change in “rejected” status has become effective. 
  • MITRE to include potential CVE changes to the CVE announce list for all types of changes going forward.

Follow-up on Previous Action Item

  • MITRE to follow up with Kurt on git pilot plans and Test ID work
  • Transition to JSON format needs to be added to Automation Working Group agenda.
  • Add closing the gap of publicly disclosed vulnerabilities that are not reported to the CVE program to the Strategic Planning Working Group agenda.

 

Significant decisions, policy changes, or events:

  • REJECT CVEs can now be moved to another state when appropriate beginning July 27. The community was given notice of this via the CVE web site, the CVEannounce Twitter feed, and the CVE Announce mailing list on June 27.

 

Attachment: CVE Board Meeting Minutes 26 July 2017.docx
Description: CVE Board Meeting Minutes 26 July 2017.docx