Here is the document that I was referring to earlier. I’ve genericized it by taking out the name Microsoft and removing links to the Security Update Guide. I’ve received permission from Management to use it as a straw horse, but not an official statement from Microsoft. We change it over time; it is by no means set in stone.
Lisa
From: Common Vulnerabilities & Exposures <cve@mitre.org>
Sent: Wednesday, September 5, 2018 8:30 AM
To: CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
Subject: CVE Board Agenda for Wednesday, September 5, 2018
Dear members of the CVE Board –
Here is the agenda for today’s Board meeting.
Regards,
The MITRE CVE Team
Agenda
2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin
- Previous Action Item: MITRE (Chris C/Jonathan) to send out an email to the Board list to initiate the CNA Rules revision process (regarding inclusion).
- Previous Action Item: CNA rules discussion—MITRE will start putting together a list of things to discuss in follow up calls.
- Previous Action Item: Send out note to the Board on the CVE Quality WG (MITRE).
- Previous Action Item: Lisa Olson (Microsoft) to investigate sharing a paper as a place to start with CNA scope work.
- Previous Action Item: MITRE will contact HackerOne to inquire about WordPress vulnerability and contact Kurt Seifried (CSA).
- Status: Told Kurt that he should reach out to HackerOne directly on this and let us know if he had any issues in doing so.
- Previous Action Item: Set up another discussion for Appthority as a research CNA.
- Status: Done. Appthority is cleared to become a CVE CNA. We will have another call for Appthority and some Board members to discuss further.
- Previous Action Item: Continue discussion to define set of product types, define value, determine whether it can be automated, and the effort involved in doing so (tagging).
- Previous Action Item: Marketing message for CVE—send out CVE 101 to group and use as starting point (may need to customize for different audiences).
2:15 – 2:30: Working Groups
· Strategic Planning – Kent Landfield / Chris Coffin
· Automation – Chris Johnson / Dave Waltermire
2:30 – 2:45: CNA Update
· DWF – Kurt Seifried
· MITRE – Jonathan Evans
· JPCERT – Taki Uchiyama
2:45 – 3:50: Open Discussion
3:50 – 4:00: Action items, wrap-up – Chris Coffin