CVE Board Meeting 13 June 2018

Board Members in Attendance
William Cox (Black Duck Software)
Kent Landfield (McAfee)
Scott Lawler (LP3)
Scott Moore (IBM)
Pascal Meunier (CERIAS/Purdue University)
Kurt Seifried (RedHat)
Taki Uchiyama (Panasonic)
Andy Balinsky (Cisco)

Members of MITRE CVE Team in Attendance
Chris Coffin
Christine Deal
Jonathan Evans
Joe Sain
George Theall

Agenda
2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin
2:15 – 2:30: Working Groups
· Strategic Planning – Kent Landfield
· Automation – Chris Johnson, Dave Waltermire
2:30 – 2:45: CNA Update
· DWF – Kurt Seifried
· MITRE – Jonathan Evans, Nick Caron
2:45 – 3:15: Amazon Alexa Decision Summary – Chris Coffin
3:15 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from Last Meeting
Agenda Items

Board Working Groups

Strategic Planning Working Group (Chris Coffin / Kent Landfield)
ISSUES:
We started discussing how to write the CNA Collaboration Working Group announcement from the standpoint of getting the WG stood up. The majority of the discussion was around the face-to-face we are having 26-28 June and the CONOPS we are developing. We are establishing requirements that will drive the Automation WG projects. We have a lot of different areas that will need to be addressed: rule changes that could be impacted by how the Board voted on the Alexa vulnerability; how to handle a vulnerability in an AI product; starting discussion on updating the counting rules in early July. We need to set up a Board meeting specifically to discuss how to go about updating the CNA Rules.
ACTIONS:
N/A
BOARD DECISIONS:
N/A
Automation Working Group (Chris Johnson / Dave Waltermire)
ISSUES:
Microsoft attended for the first time. They are very interested in being part of the process to help shape the automation efforts. Chris mentioned the ID allocation service to them and they (Microsoft) are very interested. Chris Johnson had a chance to define some labels and attach those to some of the GitHub issues for the AWG. Microsoft went through some of their process with how they use CVE today. We talked a little about how to handle goals for phase 3 of the GitPilot.
BOARD DECISIONS:
N/A

CNA Updates

DWF (Kurt Seifried)
STATUS:
Nothing major to report.
ISSUES/DISCUSSION:
N/A
ACTIONS:
N/A

MITRE (CVE Team)
STATUS:
We’ve had two organizations reach out to become CNAs: Johnson Controls (HVAC, automotive) and 5ecurity.CN (a researcher organization in China). They appear to be reasonably active and they run iwantacve.cn (helping Chinese researchers request CVEs through that website). They could be thought of as similar to a vendor coordinator.
Kurt wants to know whether we are doing anything to ensure that people wanting to become coordinator CNAs are not doing this for malicious reasons. (Jonathan posted this in the chat window: http://cve.mitre.org/cve/cna/rules.html#Section_2_2_communication_rules item 10 and http://cve.mitre.org/cve/request_id.html.)
Kent agrees with the concern; we need to reach out to them and talk to them about their expectations and how they see themselves fitting into the environment going forward.
Jonathan added that we’ve been working with Qualcomm. They’ve re-submitted their CVE entries; they did much better this time, so we’ve populated those. Mozilla submitted most of their backlog to us, so we’ve populated those (about 300 entries).
DISCUSSION:
N/A
ACTIONS:
None

JPCERT
Status: Taki reached out to JPCERT and they plan to be a root CNA and can report any updates through Taki; he hasn’t received any updates yet. He will see some people face to face at FIRST and may get some updates then. No indication of sub-CNAs.
Amazon Alexa Decision Summary (Chris Coffin)
DISCUSSION: We held the vote; a CVE was issued and it was populated. Essentially, we chose to assign and populate for the Amazon Alexa issue even though there was nothing the end user had to do—it was all mitigated in the cloud by Amazon. It does beg the question, going forward, whether customer control, and INC3 specifically in the current Counting Rules, is required, or whether it needs to be slightly different depending on the issue domain (which raises its own complexities).
Kurt: Has Amazon made any comments about this? They were of the opinion it was a non-customer-controlled situation—they knew that we had that rule—and they didn’t necessarily agree with us populating the CVE, but they were happy we gave them a heads up and kept them in the loop.
Pascal: Turning off the device is a form of customer control.
Kent: Are there going to be situations in the Counting Rules where we have to customize them for specific types of technological uses? I suspect yes, especially regarding medical devices. During the review of the counting rules, we need to look at how we structure it so that we can support this kind of situation, one that, for all intents and purposes, is a technological environment that is different from anything we’ve faced, and how can it be applicable to the rest of the group? We may have to have different counting rules for different kinds of technical vulnerabilities.
Kurt: Part of me would like to have one set of rules. I get that automotive, medical, tech, etc., are very different. But my concern is how do you split that up? The lines are already blurry. I think we need a master set of rules with an addendum.
Kent: I just want to add flexibility to the Counting Rules so that we can address these issues when they come up.
Chris: We held a vote for the Amazon Alexa issue, but we don’t want to have to do that for every undefined issue.
Kent: We need to talk about the scope and focus of what we’re going to do with the CNA Rules this year. How do we envision this occurring appropriately so that we can get the CNA Rules updated?
Chris: Last year, we focused on the entire document. This year, we need to have a separate meeting to discuss the major issues we need to address with the update.
Kent: I’m not sure what the impact is to the CNAs. This needs to be a combined effort. We need to have more than two meetings with the CNAs to make sure they’re involved.
ACTION:

Open Discussion
Kent: Where do we stand on the CNA registry proposal?
George: We are using a slightly newer version of that internally, but we haven’t done anything with the AWG about that.
Kent: Can you post that to the list so we are aware of the changes?

Summary of Action Items
Significant Decisions: None
Attachment:
CVE Board Meeting 13 June 2018.docx