[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE Board Meeting Minutes, 20 September 2017

CVE Board Meeting 20 September 2017

Board Members in Attendance

Taki Uchiyama (JPCERT/CC)

David Waltermire (NIST)

Kent Landfield (McAfee)

William Cox (Black Duck)

Art Manion (CERT-CC)

Andy Balinsky (Cisco)

 

Members of MITRE CVE in attendance:

Dan Adinolfi

George Theall

Chris Coffin

Jonathan Evans

Anthony Singleton

Joe Sain

Alex Tweed

 

Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning – Kent Landfield

                        Issues

                        Actions

                        Board Decisions

            Automation – George Theall

                        Issues

                        Actions

                        Board Decisions

2:25 – 2:50: CNA Update

            General – Dan Adinolfi

                        Issues

                        Actions

                        Board Decisions

2:50 – 2:55: Board Membership Change - Chris Coffin

2:55 – 3:05: CNA Rules: Submission Formats - Dan Adinolfi

3:05 – 3:20: CNA Rules: CVE for Services - Dan Adinolfi

3:20 – 3:35: CNA Rules: Minimally required information - Dan Adinolfi

3:35 – 3:45: CNA Training Modules - Chris Coffin

3:45 – 3:55: CVE Priorities and Tasks - Chris Coffin

3:55 – 4:00: Action items, wrap-up – Chris Coffin

 

Review of Action Items from Last Meeting

PREVIOUS ACTION ITEM: Waltermire will respond to Millar’s board email post to facilitate conversation on topic of Strategic objectives for CVE.

STATUS: Done.

PREVIOUS ACTION ITEM: Variation of publishing guidelines (provenance). MITRE will open a Board mailing list discussion on CVE references and what purpose they serve.

STATUS: MITRE will ask Kurt will submit a write-up of the provenance issue.

PREVIOUS ACTION ITEM: MITRE to update board with git pilot phase 2

STATUS: Discussions have taken place. Still requires some decisions to be made before updating Board.

PREVIOUS ACTION ITEM: Prioritized artifact list and items for training.

STATUS: List of training modules has been sent to the Board. Outlines of what we currently have is in the pipeline for the board. The Board will review for any issues or ideas. The Board would like to see more information for each item, specifically the intended audience for each document.

PREVIOUS ACTION ITEM: Cisco policy for vulnerability and services

STATUS: Andy Balinsky is currently working on this.

PREVIOUS ACTION ITEM: MITRE is reviewing ideas for better issue tracking.

STATUS: Another group in GitHub has been set up for issue tracking for board discussions. A number of communication issues are in flux; MITRE will put together briefing of all ideas we have for communication methods for discussion at the next Board meeting.

 

Agenda Items:

 

Working Groups

Strategic Planning (Kent Landfield)

STATUS: There was a discussion around the need for different types of communications with the individual elements of the CVE program. Not just the Board/MITRE/CNAs, but from an Ops perspective being able to quickly coordinate with a tier 2 CNA.

ISSUES:

  1. Need a direct channel to communicate with the CNA community.
  2. Look at roles and hierarchy of roots, sub-roots, CNAs buried down in the hierarchy.

ACTIONS:

  1. Establish tier 2 channel for communication so CNAs do not have to go through MITRE. MITRE will start this effort by writing up a purpose statement.
  2. Look at the role of the Primary CNA.
  3. There was a discussion around training and priorities. The training modules represent a good start, but we should be clear on the priorities and expectations of the CNAs as well.

Automation (George Theall)

STATUS: The Automation discussion began with the potential move of the Git pilot to Github. Cautionary text will be required to minimize the risk of accidentally disclosing issues. Board members asked MITRE to provide assurances that they’d be able to pull info from a stable branch and start using that within NIST; whether that will be in an integration or public server depends on what assurances MITRE can provide. Discussion of the issues defined in the issue tracker including simplifying the JSON as well as how to best represent affected versions.

ISSUES: Dave Waltermire is interested in participating in the Git pilot from an NVD perspective.

ACTIONS: NIST can contribute to the effort in two areas:

  1. Take a downstream feed from Github. Currently, NIST parses the XML feed; this would be a way for them to parse the feed in JSON.
  2. Publish additional information and or corrections back to the CVE list.

We may want to structure the next phases of the pilot to build in time for experimentation.

 

CNA MITRE

STATUS: CNA rules revision continues.

ISSUES: The discussion focused on what information should be required for a CVE entry submission and what format is acceptable for submissions. There were a number of differing opinions on the topic.

ACTIONS: MITRE will put these collect these issues and distribute them to the board.

CNA UPDATE: Riverbed and Zephyr project were recently added. Github is currently in the on-boarding process.

 

Board Membership Change

STATUS/ISSUE: Mike Prosser recently retired from Symantec and is still listed as a board member.

ACTIONS:

  1. MITRE is reaching out to Mike to determine whether he wishes to continue to be on the board.
  2. MITRE will send out a query to all Board members to verify their intention to remain on the Board.

 

Open Discussion

DISCUSSION: Submission formats— It has been proposed to require submissions in JSON.

  • ISSUE: The discussion centered on whether to go to JSON exclusively or continue to support flat files. If we do continue supporting other formats, should submission requirements be changed to ensure that the content mirrors the JSON format?
  • ACTION: MITRE and the Board should find a tool (or set of tools) to make this process easy on CNAs. We need to understand the operations of the CNAs so we can verify they would actually use this tool.
  • BOARD DECISION: Support other formats in the current CNA Rules, but move to a single JSON format in the next version of the CNA Rules. Create guidance within the current rules or a related guidance document that lists JSON as the preferred format until the next version of the CNA Rules.

DISCUSSION: Github issue 18: Allow CVE IDs to be assigned to service

  • ISSUE: Andy Balinsky states, “Cisco has a policy of releasing advisories for services-based or cloud-based products. We would like to when appropriate create a CVE for them.”
  • ACTION: More research and analysis are required before we introduce this into the CNA rules today.
  • BOARD DECISION: Wait until there is better agreement before moving forward. The CNA Rules and the counting rules contained within will not be changed to support CVEs for service vulnerabilities at this time. If at a later time the research and analysis support it, a pilot program could be introduced to test the assignment of CVE IDs to service vulnerabilities.

DISCUSSION/ ISSUE: CNA submission requirements.

  • ISSUE: The current direction of the CNA Rules Issue discussions could lead to a number of changes in the required fields for a CVE entry. Of note are the potential removal of the description and reference, and the addition of impact.
  • ACTION: Lots of debate, action is to discuss for next call and email about required/not required fields. Next call will discuss especially: Removing references and description. Board feels that there is room for more guidance around required fields. MITRE will look into adding this guidance to the CNA Rules or providing it in referenced guidance documents.
  • BOARD DECISION: Continue discussion over email.

 

Summary of Action Items

  1. MITRE to find a place for collaborative document sharing; possibly Handshake.
  2. Kurt Seifried to write-up a summary of the references/provenance issue—more robust descriptions without references.
  3. MITRE to send email to Board regarding the status of Board members.
  4. MITRE to send email to the Board to inquire about contact information for Board member Mike Prosser.
  5. Research tools for JSON development—query the CNAs for suggestions that would be helpful to them. What would the CNAs like to see as far as JSON tools?
  6. Andy Balinsky will summarize issues around CVEs for services.
  7. MITRE will make sure that the CVE submission requirements discussion continues on the Board list.
  8. MITRE will put together briefing of all ideas we have for communication methods for discussion at the next Board meeting.

 

Significant Decisions, Policy Changes, or Events

  1. CNA Rules: Support set of CVE data formats in the current CNA Rules, but move to a single JSON format in the next version of the CNA Rules. Create guidance within the current rules or a related guidance document that lists JSON as the preferred format until the next version of the CNA Rules.
  2. CNA Rules: Wait until there is better agreement before moving forward on assigning CVEs to service vulnerabilities. The CNA Rules and the counting rules contained within will not be changed to support CVEs for service vulnerabilities at this time. If at a later time the research and analysis support it, a pilot program could be introduced to test the assignment of CVE IDs to service vulnerabilities.

 

 

Attachment: CVE Board Meeting Minutes 20 September 2017.docx
Description: CVE Board Meeting Minutes 20 September 2017.docx

Page Last Updated or Reviewed: September 29, 2017