CVE Board Meeting 21 February 2018
Board Members in Attendance
Mark Cox (Red Hat)
Beverly Finch (Lenovo)
Kent Landfield (McAfee)
Pascal Meunier (CERIAS/Purdue University)
Scott Moore (IBM)
Kurt Seifried (Red Hat/DWF)
Taki Uchiyama (JPCERT/CC)
Dave Waltermire (NIST)
Members of MITRE CVE Team in Attendance
Nick Caron
Chris Coffin
Christine Deal
Jonathan Evans
Kevin Greene
Joe Sain
Anthony Singleton
George Theall
Alex Tweed
Agenda
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:15: Working Groups
  - Strategic Planning – Kent Landfield
  - Automation – George Theall
2:15 – 2:30: CNA Update
  - DWF – Kurt Seifried
2:30 – 3:40: Discussion on the 2nd CVE CNA Summit
3:40 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin
Review of Action Items from Last Meeting
- Previous Action Item: MITRE will distribute draft slide deck for the Summit
- Previous Action Item: MITRE to draft additional text for CVE Board Charter to support proxy voting.
  - Status: TBD
  - Discussion: Should a timeframe (3 months or less) be specified (within the Charter) for an appointed proxy? Kent Landfield thinks we can just work on a case-by-case basis but is fine with assigning a timeframe; need to be flexible. Beverly Finch asked if we specify that it’s short term, less than six months? Pascal Meunier doesn’t have a strong opinion, but wondered if a Board member is going to be absent for several months at a time, will they really have the context to vote? Kent Landfield stated that that’s the purpose of the proxy. Kurt Seifried stated that for organizations with one vote, as in Red Hat (Kurt/Mark), they can manage the situation internally unless all members will be absent. General consensus is to leave the language in the Charter more flexible (no stated timeframe). Kent Landfield will add a statement or two to the Charter to clarify how organizations will handle the proxy scenario if all members are going to be absent and send it back out to the Board for review.
- Previous Action Item: Strategic Planning Working Group to discuss use cases for CVE ID assignment currently and in the future
  - Status: No SPWG meeting Monday
Agenda Items
Board Working Groups
Strategic Planning Working Group (Kent Landfield)
ISSUES: No SPWG meeting so no update.
ACTIONS:
N/A
BOARD DECISIONS:
N/A
Automation Working Group (George Theall)
ISSUES:
Discussed several use cases for the CNA Registry files that we’ve been talking about. There was consensus for using a UUID for identifying CNAs in both the CNA Registry and cvelist repos. Also, consensus on use of CNA Registry JSON in automatic handling of pull requests.
Dave Waltermire: Our engineers are working on implementing the import from the JSON feeds and we are running into a few problems. The general JSON schema doesn’t validate because it doesn’t have the state field in it. There’s the individual state ones as well that you may be having problems with. Also having problems with how to deal with references. The source attribute is more useful in the XML format than in the JSON schema. There is also extraneous white space that needs to be removed from the descriptions. I think we might be able to deal with it, but there are almost 10,000 descriptions that need the white space change. We found about 900 hyperlinks that don’t have proper encoding; maybe that’s something we should be validating for.
George: Can we support that in the schema as it currently stands? Kurt: Yes. George: Okay, it’s just a case of MITRE adding it in. We should be able to do it pretty easily. I’d like to talk about the schema validation problems, but maybe we can talk about that (in a separate call). Dave will have some of his engineers call George to discuss.
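As an added illustration (not part of the minutes, and not NIST or MITRE tooling), the feed checks Dave Waltermire describes can be scripted against a single record: collapse extraneous whitespace in descriptions, flag reference URLs that are not properly percent-encoded, and note whether the STATE field is present. The record layout is modelled on the cvelist JSON 4.0 shape and the sample values are constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample modelled on a cvelist JSON 4.0 record (CVE ID and URLs are
# placeholders); it carries the whitespace and encoding defects the minutes describe.
SAMPLE_RECORD = json.loads(r'''{
  "CVE_data_meta": {"ID": "CVE-0000-0000", "ASSIGNER": "cna@example.org"},
  "description": {"description_data": [
    {"lang": "eng", "value": "  An issue was found\n  in the  example parser.  "}
  ]},
  "references": {"reference_data": [
    {"url": "https://example.org/advisories/ex ample 1.html", "refsource": "MISC"},
    {"url": "https://example.org/advisories/%20ok", "refsource": "MISC"},
    {"url": "ftp://example.org/file", "refsource": "MISC"}
  ]}
}''')

def normalize_description(text):
    """Collapse runs of whitespace (newlines included) to one space and trim."""
    return re.sub(r"\s+", " ", text).strip()

def url_problems(url):
    """List defects in a reference URL: non-http(s) scheme, raw characters that
    should have been percent-encoded, or a '%' not followed by two hex digits."""
    problems = []
    if urlsplit(url).scheme not in ("http", "https"):
        problems.append("scheme")
    if re.search(r"[\s\x00-\x1f\x7f-\uffff]", url):
        problems.append("unencoded-chars")
    if re.search(r"%(?![0-9A-Fa-f]{2})", url):
        problems.append("bad-percent")
    return problems

def check_record(record):
    """Clean descriptions in place and report what a feed importer would trip on."""
    report = {"has_state": "STATE" in record["CVE_data_meta"],
              "descriptions_changed": 0, "bad_urls": []}
    for entry in record["description"]["description_data"]:
        cleaned = normalize_description(entry["value"])
        if cleaned != entry["value"]:
            entry["value"] = cleaned
            report["descriptions_changed"] += 1
    for ref in record["references"]["reference_data"]:
        problems = url_problems(ref["url"])
        if problems:
            report["bad_urls"].append((ref["url"], problems))
    return report
```

Run over a whole feed, the same functions give the counts of descriptions needing the whitespace change and of reference URLs that fail encoding checks.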
ACTIONS:
MITRE to set up meeting between NIST/MITRE to discuss validation problems.
BOARD DECISIONS:
N/A
CNA Updates
JPCERT (Taki Uchiyama)
STATUS:
Still waiting on some vendors that are wanting to become CNAs, but they aren’t technically CNAs yet. No further updates. Kurt: Are you going to be posting a list of what you cover? Taki: I haven’t really thought about that yet.
Chris Coffin: This is where the CNA registry will come in handy. At the summit, we had a CNA (Trend Micro) that discussed sending us their CVEs in Japanese so that may be of use to you.
Kent: We probably need a dedicated call on the topic of translations, to talk about the method of distribution and how to coordinate with the CNAs.
DWF (Kurt Seifried)
STATUS:
In the process of bringing up a couple of sub-CNAs. We need to get the CNA registry set up sooner rather than later. Of the 80-some CNAs that we have, well over half have a large open source presence. Kurt asked that MITRE send him the official links to the CVE assignment training materials.
ISSUES/DISCUSSION:
None
ACTIONS:
N/A
MITRE (CVE Team)
STATUS:
We’ve talked to Synack, Samsung Mobile, and SonicWall, who all want to become CNAs. Tomorrow we will be talking to Sangoma (a VoIP company) and Cloudflare. As far as I know, all they do is services, so we’ll see what they’re interested in assigning IDs to. No new CNAs. HPE cleaned up their backlog of 180 CVE IDs and Huawei is working on doing the same.
DISCUSSION:
Kent Landfield: You said Samsung Mobile and not Samsung Corp.; are we breaking up corporations into components or sub-sets? Jonathan: We are already doing that (Google Chrome). Samsung Corp is not ready to be a CNA, but their mobile component is. Chris Coffin: We may need a process to merge subsets as more come on board. It happens with larger corporations (IBM).
Jonathan: Regarding Samsung Mobile, KrCERT wants to become a root CNA for Korea and I told Samsung Mobile that if they do, we may want to move them under KrCERT.
Kent: This is another area where we need more discussion. We have no stand-up process for that. We need to walk through the requirements and document that.
Kurt: Can a sub-CNA pick which root CNA they want to be under?
Kent: We need to figure out the root structure first before we can answer that.
Kurt: I would suggest we go with geography because it seems easiest with respect to language and time zones.
ACTIONS:
None
Discussion on the 2nd CVE CNA Summit
DISCUSSION:
- General Impressions and Takeaways
  - Chris: 23 CNAs were represented and we did have one potential CNA there. And Board coverage was good because we had 9 Board members present. Pretty good turnout. I think we should do the summit annually, but we can also conduct more frequent telecon meetings every few months. Dave Waltermire: It was obvious that quite a few CNAs in the room were surprised at the scope and magnitude of the changes being made. They need to be kept abreast of what’s coming down the road that may impact them. Chris: The CNAs want to be more involved in the coming changes. Dave W: I think we need a better communication strategy with the CNAs. We need to think about how we can better leverage the CNA list, how we can provide better resources for them, how we can summarize some of the things that may impact them, etc. Chris Coffin: In summary, we need to consider having multiple telecons plus the annual summit. Potentially having a CNA liaison sit in on the Board meetings, etc.
  - Kent: Anyone have a problem with multiple telecons per year? Beverly: I think it’s a great idea. Dave W: We need to ensure we have a good Board presence on these calls. Kurt: Maybe we could have a pre- and post-summit meeting.
  - Kent: This was a really good event, but it was obvious that we haven’t done a good job of informing the CNAs.
  - Maybe we should re-name CNA Summit to just CVE Summit to incorporate multiple stakeholders
  - Dave W: May want to incorporate some kind of code sprint into the next summit (e.g., IETF)
- Items for Board consideration
  - Two telecons and one face-to-face summit per year
    - Kent: Yes, once every four months
    - Dave: Why don’t we schedule the first one and make it part of the agenda to discuss the frequency of the meetings. I think we could get some input on that and use this as an opportunity for the CNAs to set their own expectations.
    - All agree
    - Chris: Should we wait four months to hold a telecon?
    - Kent: We just had the summit, so it can wait a few months. We need to be able to show some progress. I would rather let CNAs know that we will hold a telecon and let them know that the date is TBD. I’d put the priority on establishing the collaboration WG.
  - CNA Liaison Board Representative
    - Discussion: They could help with agenda for summits; that would provide a feedback and participation mechanism.
    - Dave W: Elected by the CNA community using some as-yet-to-be-defined process
    - Beverly: perhaps we (the Board) could start a nomination process across all CNAs
    - Consensus on the call is this is a good idea
  - CNA Collaboration Working Group
    - Discussion: Would be focused on trying to get requirements that CNAs need, working on summits, etc.
    - Consensus is this is a good idea and should be a priority
    - Chris: Do we want to go ahead and assign a Board chair for this working group? Kent: Would they want a Board member on the WG? I think we need to send out a message to the list as a call for participation in the WG. Let the CNA participants nominate who they want to be their chair. Beverly: How about if the new CNA liaison Board Rep does it? Dave W: I think that’s wise. Chris: Do we frame it as the liaison and the chair should be the same? That might be a lot of work. Beverly: I think it might be a good idea if someone from MITRE would be the interim chair to get it started and then transfer the duties to the appointed Board Liaison Rep. Chris: Next step is to draft an email as a call to participation. Kent: We need to draft a letter of intent on a couple different areas (let them know what we’re doing to improve their world).
  - Quarterly report (Board news report for CNAs)
    - Kent: I don’t see putting this together as a major effort
    - Chris C: We could use this in the telecons; we can include it in GitHub
  - Standing up a resource page for CNAs
    - Chris: Should happen early next week
  - Establish special projects with working groups:
    - Dave: The thought would be to have two separate teams; one for requirements, the other for implementation
    - Shared ID allocation service requirements project
      - Kent: Working group changes—try to reduce the amount of effort that everyone has to do. We put together a requirements team (short term project within the WG) to describe what we’re trying to do. There may be a requirements project team and an implementation project team.
    - CNA registry capability requirements project
      - Kent: Would be about setting a foundation for the trust aspects of how some of these other pieces and parts are dealt with. It would be a registry for CNAs where they could come and find all the various information they would need regarding the automation aspects of the system. There is a lot of information we need from and about the CNAs that we don’t want to make public, but we don’t want to put a human where a human doesn’t need to be. The registry could be leveraged across different projects.
      - Beverly: When would this get kicked off?
      - Kent: It’s already been kicked off.
      - Dave: This particular project will inform other projects so it’s core to what we’re trying to do.
    - CNA Authorized Automated Submissions projects
      - Kent: We will get into the situation rather quickly where you have someone who is a sub-root CNA and they have responsibilities but they have projects beneath them and we have 24 hour response to get info to the level above. Why do we need it to go through a hierarchy when the publishing info could go directly into the CNA? The automation will check the registry to validate.
    - JSON format project to enhance and standardize the format to add items such as translations
      - Kent: How to enhance the JSON—could be updated by the CNAs, for example.
  - Community Tools
    - Some CNAs have tools they are willing to donate (e.g., CVRF to JSON translator tool)
    - We need some sort of repository to store these tools
    - Joe Sain: We are looking at this and hope to get it out there as soon as possible
    - Dave W: That reminds me—we talked about experimenting with some public tools that are available for managing the CVE community (Google group). Joe: My only concern is how many repositories and chat groups are we able to manage?
  - CVE Awards
    - Kent: We want to try to figure out a way to incentivize good behavior while correcting bad behavior privately. Regardless of how silly that sounds, it’s something tangible they can take to management. This is more a placeholder for future conversations. We need to figure out how to deal with the CNAs who are not following the rules and we need to correct bad behavior privately so they can get back on track. We want to plant the seed so we can have the conversation in the future.
    - Dave W: Perhaps we can set aside some time in future Board calls to further explore the topic.
ACTION:
Open Discussion
Summary of Action Items
- Kent to make minor addition to Charter proxy voting language and resend
- NIST/MITRE to meet about JSON (George already set up the meeting)
- Kent: message of intent coordination group
- The automation working group should talk about the projects
Significant Decisions:
None