
CVE Board Meeting Minutes, 04 October 2017



CVE Board Meeting 04 October 2017

 

Board Members in attendance:

David Waltermire (NIST)

Kent Landfield (McAfee)

Andy Balinsky

Kurt Seifried

Members of MITRE CVE in attendance:

Dan Adinolfi

George Theall

Chris Coffin

Jonathan Evans

Joe Sain

Anthony Singleton

Alex Tweed

Agenda

2:00 – 2:15 - Introductions, action items from the last meeting – Chris Coffin

2:15 – 2:45 - Working Groups

            Strategic Planning – Kent Landfield
                        Issues
                        Actions
                        Board Decisions

            Automation – George Theall
                        Issues
                        Actions
                        Board Decisions

2:45 – 3:15 - CNA Update

            DWF – Kurt Seifried
                        Issues
                        Actions
                        Board Decisions

            General – Dan Adinolfi
                        Issues
                        Actions
                        Board Decisions

3:15 – 3:30 - Open Discussion, action items, wrap-up – Chris Coffin

 

Review of Action Items from last meeting

PREVIOUS ACTION ITEM: MITRE to find a place for collaborative document sharing; possibly Handshake.

STATUS: In Progress. MITRE is looking into features for document sharing and collaboration tooling and intends to push out documentation prior to the next Board meeting. MITRE will test Handshake by posting the Board meeting notes in the Handshake group to confirm that the Board receives a mail update.

PREVIOUS ACTION ITEM: Kurt Seifried to write up a summary of the references/provenance issue—more robust descriptions without references.

STATUS: Completed

PREVIOUS ACTION ITEM: MITRE to send email to the Board regarding the status of Board members.

STATUS: MITRE will send mail out before next board meeting.

PREVIOUS ACTION ITEM: MITRE to send email to the Board to inquire about contact information for Board member Mike Prosser.

STATUS: MITRE will be removing Prosser from the Board list, as contact information has not been found.

PREVIOUS ACTION ITEM: Research tools for JSON development—query the CNAs for suggestions that would be helpful to them. What would the CNAs like to see as far as JSON tools?

STATUS: MITRE will send mail out on this topic; the mail will also serve as a plug for the upcoming CNA Summit.

PREVIOUS ACTION ITEM: Andy Balinsky will summarize issues around CVEs for services.

STATUS: Completed. Andy submitted the document to the CVE project repo. An agenda item will be placed on the next Board meeting to discuss the document and opinions on the matter.

PREVIOUS ACTION ITEM: MITRE will make sure that the CVE submission requirements discussion continues on the Board list.

STATUS: MITRE will move the conversation to the mailing list for comments.

PREVIOUS ACTION ITEM: MITRE will put together a briefing of all the ideas we have for communication methods, for discussion at the next Board meeting.

STATUS: In Progress, looking into features for document sharing and collaboration tooling.

 

Agenda Items:

Working Groups

 

Strategic Planning

 

Status: Part of the meeting discussed a plan that covers topics such as outreach, training, etc. There was a discussion on the CNA directory. The group discussed what goals (coverage, quality, quantity, wide adoption) are needed to grow the CVE project.

Issues: There needs to be documentation on conflict resolution. Documentation is also needed on the roles and responsibilities of Root and sub-CNAs.

Actions: Will continue to drive out more goals for the program at the next meeting. Discussion will also continue on the planning group mailing list.

Board Decisions: NONE

 

Automation

 

Status: Talked about the proposal for phase two, moving the pilot to a public repo on GitHub.com.

Discussion: Experiment with automation to validate JSON files against the JSON schema. Expanding who has read/write access to the repo.

Issues: What is the possible exposure of vulnerability information before it is intended to be public? There was concern that the pilot would end after phase 2, but this is not the intent; future phases will be defined and implemented in the next couple of weeks.

Action: Make sure that individuals are aware that the location is public, and try to minimize the rate of mistakes.

Board Decisions: Board will need to review proposal and submit their concerns if any. The plan is to initiate phase 2 on 11 Oct unless there are objections from Board members.

 

CNA Update

CNA DWF

Status: Catching up on submissions and pushing them out to the CVE git pilot. Changed the DWF submission form to a public view to enable editing for public requests.

Discussion

Issues: Still working on handling embargoed entries in a more efficient manner.

Action: Will work towards moving the spreadsheet of requests to a system like GitHub to enable a stronger workflow.

Board Decisions:

 

CNA MITRE

 

Status: The CVE CNA rules revision is complete. CNAs will have until Jan 1 to prepare for the revised rules, which have been placed into production. Asustor has recently joined the CVE Program.

Issues: Issues remain in GitHub for continued discussion and work, but will follow the structured ad-hoc revision process if needed.

Actions: Will send out information this week on the status of open issues and what will happen next with them.

Board Decisions:

 

Open discussion

 

Discussion: Kurt Seifried to write up a summary of the references/provenance issue—more robust descriptions without references.

Issue: How would replacement information for references be placed into CVE submissions? CVE has historically been a dictionary and not a database, so adding fields to the JSON may be futile, as that data potentially will not be published. It is not clear what impact such a change will have on downstream consumers.

 

How can these enhancements affect the NVD database? (Kent). Kurt suggests that he should create a separate artifact database to be used as a reference in submissions passed back to MITRE. Kurt also proposed putting the artifacts in a separate container within the JSON.

Action: 

Board Decisions: DWF will create a separate repo to be used as a reference for CVE submission.

 

Discussion: CVE should potentially implement a tagging system that will aid in data analysis. If CVE were to issue millions of CVE IDs per year for many different types and domains of products, a tagging system should be developed that would allow CVE consumers to sort and use the CVE IDs they are interested in (e.g., medical device, automotive, IT, IoT, etc.).

Issue: A dictionary needs to be created to control the naming convention of the tags and reach normalization.

Action: More research and discussion will need to take place to flesh out the impact and use cases for this issue. Kurt will define a JSON container item to use as an example, and a meeting will be set up to continue this discussion.

Board Decisions: NONE

 

Discussion: DWF asks whether large or smaller pull requests should be made when submitting to the MITRE CNA.

Issues: Larger pull requests are rejected because of issues such as provenance in some entries.

Action: DWF will submit smaller pull requests until the processes have been fully fleshed out.

Board Decisions: NONE

 

Summary of Action Items

 

  • Kurt will put together a container item and will set up a meeting on adding CVE tags (categories) (med_device, IT, automotive, etc.) to the CVE JSON fields.
  • Agenda item in the next call for discussion with Andy on CVEs for services.
  • Andy to send email to the list for review of the CVEs for services document.
  • MITRE to add prior action items to the meeting agenda email moving forward.
  • Automation WG to add an action item for CI/Travis integration in a future git pilot phase. Dave will email the Automation WG list with some ideas for this.
  • MITRE to find a place for collaborative document sharing, possibly Handshake, and create a presentation on this.
  • MITRE to send email to the Board regarding the status of Board members.
  • Research tools for JSON development—query the CNAs for suggestions that would be helpful to them. What would the CNAs like to see as far as JSON tools? MITRE will email the CNA list for thoughts and plant the seed for a future CNA Summit discussion.
  • MITRE will make sure that the CVE submission requirements discussion continues on the Board list.

 

Significant Decisions, Policy Changes, or Events

  • None

 

 

Attachment: CVE Board Meeting Minutes 04 October 2017.docx


Page Last Updated or Reviewed: October 18, 2017