TOTAL CVE Records: 240830

NOTICE: Transition to the all-new CVE website at WWW.CVE.ORG and CVE Record Format JSON are underway.

NOTICE: Support for the legacy CVE download formats ended on June 30, 2024.
New CVE List download format is available now on CVE.ORG.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE Board Meeting Minutes - 24 May 2017

To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE Board Meeting Minutes - 24 May 2017
From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
Date: Thu, 3 Aug 2017 08:38:05 -0500
Accept-language: en-US
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;
Delivery-date: Thu Aug 3 17:26:26 2017
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
Sender: "owner-cve-editorial-board-list@lists.mitre.org" <owner-cve-editorial-board-list@lists.mitre.org>
Thread-index: AQHTDF280hNH6IMtqkajwdWmdJY45w==
Thread-topic: CVE Board Meeting Minutes - 24 May 2017
User-agent: Microsoft-MacOutlook/f.24.0.170702

(Our apologies for the delay in sending these out. - CVE Team)

CVE Board Meeting

24 May 2017, 2:00 p.m. ET

The CVE Board met via teleconference on 24 May 2017.

Board members in attendance were:

Harold Booth (NIST)

Beverly Finch (Lenovo)

Art Manion (CERT/CC)

Kent Landfield (McAfee)

Kurt Seifried (Red Hat/DWF)

William Cox (Black Duck)

Dave Waltermire (NIST)

Taki Uchiyama (JPCERT/CC)

Ken Williams (CA Technologies)

Andy Balinsky (Cisco)

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Chris Coffin

Matt Hansbury

Anthony Singleton

George Theall

Agenda

CVE Board Meeting 24 May 2017

Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

Strategic Planning - Harold Booth/Art Manion

Issues

Actions

Board Decisions

Automation - Harold Booth/Kurt Seifried

Issues

Actions

Board Decisions

2:25 – 2:50: CNA Update

DWF – Kurt Seifried

Issues

Actions

Board Decisions

General - Dan Adinolfi

Issues

Actions

Board Decisions

2:50 – 3:20: Discussion of CVE ID statuses and states - Chris Coffin

Continues conversation being had on the AWG mailing list

Related: Should reserved CVE IDs be listed in the CVE List at all? If so, do we need types of reserved status in the list?

3:20 – 3:30: Anonymized CNA Report Card - Dan Adinolfi

3:30 – 3:45: Time limit for reserved CVE IDs? Should there be different time limits for the MITRE CNA, since their model is slightly different? - Dan Adinolfi

3:45 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

Introductions and review of previous action items

The Automation WG was to email the Board to get permission for the Automation WG pilot. This was done.
MITRE was to provide the anonymized report draft the middle of next week. This was done and feedback is being collected.

Working Groups

Strategic Planning – Kent Landfield
- Issues
  - Working Group meetings will Mondays 1-2PM on the same weeks as the regularly scheduled Board meetings.
- Actions
  - No actions.
- Board Decisions
  - There was no additional Board Discussion.
Automation – Kurt Seifried
- Issues
  - The WG had a meeting 15 May 2017, and some notes from the meeting were posted to the Automation WG mailing list.
  - The WG is going ahead with the Git-based pilot for pushing information to MITRE.
  - A list of the old and new sets of states (e.g., reject sub-state, reserved/assigned/allocated states, etc.) for CVE IDs will be sent via mail for discussion.
  - The WG discussed the idea that data sharing should be push-based. The responsibility for updating CVE data should be on the data contributor.

Actions
- The WG fleshed out a plan for an information sharing experiment using Git and will share this with the Board.
Board Decisions
- The Board needs to clear the bi-directional sharing Pilot. The WG will post a proposal for the sharing Pilot to the Board list and give the Board a week to review it.

CNA Update

DWF – Kurt Seifried
- Issues
  - DWF is working through backlog of assignment requests.
  - More CVE requests will be submitted to MITRE by the DWF this week.
  - Some CVE ID requesters are not replying to the DWF’s email messages (especially those asking for acceptance of the CVE Terms of Use), which is slowing the publishing process. DWF is looking for more reliable ways to do this.
- Actions
  - More infrastructure will be developed in the next week.
- Board Decisions
  - There was no additional Board Discussion.
General - Dan Adinolfi
- Issues
  - The two-day training in Tokyo went well. 9 groups attended. The language barrier was an issue, but the group worked past it. The more technical sections went well, and the content-writing part went well. The CNA program may want to consider translations of training materials.
- Actions
  - None.
- Board Decisions
  - There was no additional Board Discussion.

States Topic – Chris Coffin

See above in the Automation WG notes.

CNA Report Card Update – Dan Adinolfi

Based on Board feedback, the explanatory material should be expanded. The report card should be made it more self-contained, including more background material. Paragraph or two for each slide would be useful. MITRE will get back to the Board in two weeks with new version.

Time limit for reserved CVE IDs? Should there be different time limits for the MITRE CNA, since their model is slightly different? – Dan Adinolfi

An automated process for tracking this would be ideal. The goal would be to revoke a CVE ID assignment after a period of time or publish after a period of time, which will reduce the number of “stale” CVE IDs in the CVE list. MITRE will send a proposal to the Board with specifics.

Open Discussion – CVE Board

Can rejected CVE IDs be moved back into an active state?

The Board discussed this and agreed that CVE IDs should be able to change state to accommodate mistakes. Doing so would require notification and awareness that rejected CVE IDs can be changed. MITRE will issue a 30-day notice that this policy is changing and formalize the process to manage communication about problems as they arise.

Regarding MITRE’s response to Congress’ request for specific information about the CVE program, MITRE will look into sharing their response as soon as they can.

The Board discussed the use of “Undefined behavior” in vulnerability descriptions. If a vendor/developer asserts that a vulnerability that exhibits undefined behavior is legitimate, then the CVE ID should be assigned. Without that confirmation, a researcher should provide more proof that the undefined behavior represents a vulnerability. MITRE should push back on requesters who offer only “undefined behavior” as a description of the vulnerability.

MITRE is still working with HP to update the Board on questions related to their scope.

Action items, wrap-up – Chris Coffin

A list of the old and new sets of states for CVE IDs will be sent via mail for discussion.
Write up communication plan.
2 weeks new anonymized report card
Write-up on time limits for reserved CVE IDs.

Attachment: CVE Board Meeting 24 May 2017.docx
Description: CVE Board Meeting 24 May 2017.docx

Prev by Date: New CNA: Alibaba, Inc.
Next by Date: CNA Rules Revision Phase 2 - Week 1
Previous by thread: New CNA: Alibaba, Inc.
Next by thread: CNA Rules Revision Phase 2 - Week 1
Index(es):
- Date
- Thread