Editorial Board Teleconference, January 8, 2013
===============================================
Participants
Andy Balinsky, Cisco
Kent Landfield, McAfee
Harold Booth, NIST
Adam Shostack, Microsoft
Art Manion, CERT/CC
Ken Williams, CA
FIRST Kyoto Summit
The Global Vulnerability Reporting (GVR) summit discussion, hosted by JPCERT/CC and IPA, was one of two tracks at the FIRST Technical Colloquium held in Kyoto on November 13-15. Over a hundred people attended the colloquium, and the GVR summit was well attended. Harold Booth, Kent Landfield, and Steve Christey were present.
Some of the presentations and discussion are restricted to FIRST members.
Main takeaways
* Participation in the GVR discussion is worthwhile.
* The international discussion is just getting started.
* There was not a big focus on CVE as the solution.
* There are wide variations in development among regions.
* Disclosure practices definitely vary across markets.
* Language barriers could be a challenge.
* Regional vulnerabilities can have global implications.
* A new FIRST SIG will continue the work.
Day 1
Day 1 reviewed the history and current state of vulnerability reporting. Several of the board members gave talks this day. Harold Booth started off the day by giving an overview of the current reporting landscape and how NVD handles vulnerability reporting.
Kent Landfield gave a vendor's view of the current state of vulnerability reporting. Kent emphasized that without a way of referencing a vulnerability that everyone can understand, vendors have great difficulty identifying vulnerabilities and integrating them into their products. Many regions do not have an identification system, and where they do, it is usually immature. Vendors have focused on CVE, which primarily covers the English-speaking world. Vendors cannot aid in verification and correlation of reports when they do not know about the vulnerability in the first place.
Steve Christey's talk covered CVE's history and the lessons learned from running the project. Steve emphasized that CVE is not the solution to the GVR discussion, but that its experience in the field could help the GVR effort avoid some of the pitfalls CVE has identified. Steve discussed the evolution of CVE's content decisions and the difficulties that drove the changes, and explained how those content decisions reflect CVE's mission as a coordinator. The result is that CVE entries are written at a level of abstraction somewhere between advisories and specific bugs: not perfect for any particular group, but good enough for most.
Day 2
Day 2 was taken up by the Japanese (IPA, JPCERT/CC), Korean (KrCERT/CC, KISA), and Thai (ThaiCERT) teams, who discussed their vulnerability handling and reporting practices. Each demonstrated how vulnerability reporting practices vary from region to region. The two Japanese presentations gave a detailed description of JPCERT/CC's CVE adoption process and its current vulnerability ID practices; JPCERT/CC issues several identifiers for the vulnerabilities it handles.
Most of the presentation by Soranun Jiwasurat (ThaiCERT) is restricted to FIRST members, but it did prompt the creation of CVE-2012-6498, which demonstrates how a local vulnerability can have global impact. CVE-2012-6498 covers an unrestricted file upload in Atomymaxsite, a Thai CMS. A demonstration of an exploit, narrated in Arabic, was uploaded to YouTube, and the vulnerability was then actively exploited. This prompted ThaiCERT to publish an advisory (http://thaicert.or.th/alerts/admin/2012/al2012ad025.html).
HongSoon Jung (KrCERT/CC, KISA) discussed the Korean reporting environment in his presentation, which is also restricted. Three different Korean government organizations were listed as handling vulnerability information: KISA, under the Korea Communications Commission, for the private sector; the National Intelligence Service (National Cyber Security Center) for the public sector; and the Ministry of National Defense (National Cyber Command & Control Center) for the military. A Korean law, Article 47-4, requires vendors to notify users twice within one month; publication to a web site is sufficient notification. KrCERT/CC works privately with vendors and does not publish vulnerabilities on its website. KISA provides advisories for major international products but does not publish technical details. KISA (KrCERT/CC) has an easy vulnerability reporting process: they confirm the issue and coordinate with the vendor.
In October 2012 KISA implemented a reward program that appears to be having some success.
Day 3
The third day focused on framing the problem of global vulnerability reporting, discussing best practices, and exploring possible solutions. These discussions had less participation than desired. Several reasons were suggested, such as the language barrier or participants being too new to the problem. It was suggested that greater participation may be achieved over email, since members would have time to process the discussion and compose responses. We will need to be mindful of such issues for subsequent events.
Two items came out of Day 3: a GVR Sharing mind-map and a plan to create the Vulnerability Reporting and Data eXchange (VRDX) FIRST Special Interest Group (SIG). The mind-map captures many of the common concepts and discussion points around the GVR discussion. Kent Landfield sent the mind-map to the Board on January 18, 2013. The SIG will be co-chaired by Masato Terada (IPA) and Art Manion (CERT/CC) and is still in the information gathering and planning phase. Further conversation on the GVR issue will be held through the SIG, and the CVE team will keep the Editorial Board apprised of developments.
CVE ID syntax change update
Steve Christey announced that the CVE team will do a downselect of the proposed options based on the Board's feedback. There will then be a public call for feedback on the selected options. The CVE team will announce the public call on CVE Announce, on certain security-focused mailing lists, and to the CNAs. Kent Landfield proposed that CVE should also contact tool vendors directly, and Steve agreed. After the public comment period there will be a formal Editorial Board vote, at which time an official option will be selected. The target for the final decision is around the time of the RSA Conference. We have not yet reached the point of discussing transition strategies.