|
|
Hi Beverly –
We are assembling the list today. Regards, Joe From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org]
On Behalf Of Beverly Finch Thanks for the summary Kent! I thought it was well worth the time and was glad to meet folks in person.
Is it possible to get a roster of those who attended?
**For the latest on Lenovo security advisories, click
here.**
Regards,
From:
owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org]
On Behalf Of Landfield, Kent All, For those that joined us and participated in the CNA Summit, thank you. It was a very good event and the feedback was outstanding. I personally think we accomplished a great deal of what we tried to achieve. After the summit ended, a few of us met to discuss what we had heard and what we thought we might need to be doing moving forward. The group included MITRE CVE leadership and a few Board members. We came up with
a reasonable list of action items which are reflected below. CVE/CNA Summit This was a very productive summit. It is obvious that we need to do these on a more regular basis. The discussions we had suggested we should have these once a year. Additionally, we would like to consider having
two online events for the combined CVE Board and CNA community each year. These events will be treated much like a mini-CVE/CNA summit. The focus would be multi-hour, not multi-day as the physical F2F meetings are. CNA Liaison Board Representative: It was apparent that we have not done a really good job of keeping the CNA community properly informed of both Board actions and working group status. One of the thoughts we had was to create a seat on the Board
for a liaison representative from the CNA community. The thought was this would be an elected position that the CNAs would vote on at the newly established CVE/CNA annual summit. This position would be a full voting member of the Board, who would have a one-year
term. They would be responsible for acting as a representative to the CNA community, assuring CNAs were up-to-date with various status and activity related information. This position would be the conduit for CNAs to bring things to the Board in a more official
and structured way. This would be a two-way street when it comes to information. Things the Board needs to get answers to, the Liaison would research, poll the CNAs and report back. I have volunteered to develop the initial wording for Charter changes and
will involve the Board if it is so decided to move in this direction. CNA Collaboration WG: An additional thought, to better involve the CNA community, was to create a CNA Collaboration working group. This group would be populated by CNAs and a few Board member representatives. The intent was to provide
a forum for allowing certain CNA specific activities to occur. For example, the Collaboration working group could take control of the Summit planning, site and date selection process. They could establish the at-large CNA liaison voting process. The group
could collaborate on needs and requirements directly related to CNAs. We discussed using this group to experiment with using Google Groups as basis for their communication and collaboration.
Existing Working Group Changes: Through the course of the summit we discussed various opportunities to automate certain aspects of the CVE operations and infrastructure. When the Automation WG was initially set up, it was intended the working
group would be the place where the needed automation infrastructure requirements were developed and then efforts created to actually do the implementation for each of the identified projects. The Automation working group has a great deal on its plate right
now but from very tactical perspective. It was felt we need to restructure how the Automation WG works to achieve the initial intent.
Instead of creating working groups for each of these projects, we have decided to create projects that are not considered permanent working groups but in fact are ‘short-term’ project working groups.
Below are areas of needed automation we discussed that would benefit us today and in implementing the new federated infrastructure.
You’ll notice that these are requirements projects. After the requirements projects are done, those projects will terminate, and we will look to create design and development projects to support those phases, which may or may not contain
the same participants. The actual Automation working group will focus on more higher-level architecture and project management to assure the automation needs of the federated roles can be properly supported in the future, while being able to be used today
to reduce MITRE’s existing workload. If there needs to be additional projects, they can be created under the Automation WG. As a part of the discussions, it was felt there needs to be a Chair selected for each of the working groups. The Chair identified for the Automation WG is Chris Johnson of NIST. I will act as the Chair of the Strategic
WG. I am on the hook to
write a brief description of existing WGs and for the associated projects listed above.
Community Tools: During the summit, various CNA’s offered to contribute tools for the community’s benefit. Chandan Nandakumaraiah (Juniper Networks) demonstrated his Vulnogram.gethub.io environment for creating CVE JSON data, and Oracle offered a tool for
translating CVRF formatted documents to JSON. MITRE is going to establish a location to store tools contributed by the CNA community on github. They will then send a message to the CNA and Board lists describing how to contribute tools and where to retrieve
them. CVE Awards: We discussed how to recognize and incentivize good behavior. We talked about issuing CVE awards. Reality is we don’t understand what they should be at this point, as in what should be rewarded… That is a conversation we need to have on
the Board. It was discussed that we should make rewards public but find ways to correct bad behavior privately.
Other action items to come out of the discussions are:
As these topics are under consideration, we thought they needed to be discussed on the next Board call. To those in attendance during the discussions, please correct any errors. Those are all mine. ;-) Thanks again for all the work that went into putting on this successful summit.
Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद! -- Kent Landfield +1.817.637.8026 |