CVE Board Meeting 6 September 2017
Board Members in attendance:
Taki Uchiyama (JPCERT/CC)
David Waltermire (NIST)
Kent Landfield (McAfee)
William Cox (BlackDuck)
Art Manion (CERT-CC)
Andy Balinsky (Cisco)
Scott Lawyer (LP3)
Kurt Seifried (Red Hat)

Members of MITRE CVE in attendance:
Dan Adinolfi
George Theall
Chris Coffin
Jonathan Evans
Anthony Singleton
Agenda
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:25: Working Groups
  Strategic Planning – Kent Landfield/Chris Coffin (Issues, Actions, Board Decisions)
  Automation – Kurt Seifried/George Theall/Chris Coffin (Issues, Actions, Board Decisions)
2:25 – 2:50: CNA Update
  DWF – Kurt Seifried (Issues, Actions, Board Decisions)
  General – Dan Adinolfi (Issues, Actions, Board Decisions)
2:50 – 3:00: URL Update Status – George Theall/Chris Coffin
3:00 – 3:30: Service Vulnerabilities – Andy Balinsky
3:30 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Chris Coffin
Review of Action Items from last meeting

PREVIOUS ACTION ITEM: The Automation Working Group will review different approaches for git pilot submissions for Roots and sub-roots.
STATUS: No updates at the moment. Meeting scheduled for 9/7. Will notify the Board of the outcome by late next week.

PREVIOUS ACTION ITEM: MITRE to send documentation and operational priorities to the Board list for discussion.
STATUS: Working on edits and will post to the Board soon.

PREVIOUS ACTION ITEM: Kurt will send email to the Board to start discussion around paying customers and CVE assignments.
STATUS: Kurt is waiting for his contact to reach back to him with more information.
Agenda Items: Working Groups
Strategic Planning
Status: No updates
Issues: None
Actions: Group is still working to put information together.
Board Decisions: Waltermire will respond to Millar's board email post to facilitate conversation on the topic of strategic objectives for CVE.
Automation
Status: Working on next phase of pilot program.
Discussion: Some JSON data fields have been implemented with limits (see https://github.com/CVEProject/automation-working-group/pull/44). Updated the CVE_JSON_4.0_min.schema to limit the length of a description (3999), the length of a given reference (500), and the number of references (500). No comments received from the community on the current data field size changes.
Issues:
Action:
Board Decisions:
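The three size limits described above, applied as a pre-ingestion check. This is an added example written for these minutes, not code from the CVE Project or the automation working group's schema; it assumes the public CVE JSON 4.0 record layout (description.description_data[].value and references.reference_data[].url), the CVE ID in the sample records is a placeholder, and the sample records are constructed.

```python
"""Added example (not the CVE Project's own tooling): a minimal validator that
applies the three size limits the minutes describe for CVE_JSON_4.0_min.schema,
so an ingestion pipeline can reject oversized submissions before they reach the
store. Record layout assumed from the public CVE JSON 4.0 format; sample records
below are constructed."""

import json

# Limits stated in the minutes for CVE_JSON_4.0_min.schema.
MAX_DESCRIPTION_LEN = 3999
MAX_REFERENCE_LEN = 500
MAX_REFERENCE_COUNT = 500


def validate_limits(record):
    """Return a list of human-readable violations (empty list = within limits)."""
    violations = []

    descriptions = record.get("description", {}).get("description_data", [])
    for i, entry in enumerate(descriptions):
        value = entry.get("value", "")
        if len(value) > MAX_DESCRIPTION_LEN:
            violations.append(
                f"description_data[{i}].value is {len(value)} chars "
                f"(max {MAX_DESCRIPTION_LEN})"
            )

    references = record.get("references", {}).get("reference_data", [])
    if len(references) > MAX_REFERENCE_COUNT:
        violations.append(
            f"reference_data has {len(references)} entries (max {MAX_REFERENCE_COUNT})"
        )
    for i, ref in enumerate(references):
        url = ref.get("url", "")
        if len(url) > MAX_REFERENCE_LEN:
            violations.append(
                f"reference_data[{i}].url is {len(url)} chars (max {MAX_REFERENCE_LEN})"
            )
    return violations


def make_record(description, urls):
    """Build a constructed CVE JSON 4.0-shaped record; the ID is a placeholder."""
    return {
        "CVE_data_meta": {"ID": "CVE-YYYY-NNNNN", "ASSIGNER": "cve@example.org"},
        "description": {"description_data": [{"lang": "eng", "value": description}]},
        "references": {"reference_data": [{"url": u} for u in urls]},
    }


def validate_json_text(text):
    """Parse a JSON document and validate it; a parse error is itself a violation."""
    try:
        record = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    return validate_limits(record)


if __name__ == "__main__":
    ok = make_record("Buffer overflow in example parser.", ["https://example.org/advisory"])
    too_long = make_record("A" * 4000, ["https://example.org/" + "x" * 500])
    too_many = make_record("Short.", [f"https://example.org/ref/{n}" for n in range(501)])
    for name, rec in (("ok", ok), ("too_long", too_long), ("too_many", too_many)):
        print(name, validate_limits(rec) or "within limits")
```

The checks are deliberately written against the parsed object rather than the raw text, so the same function can be reused whether the record arrives as a file, an API body, or a git pilot submission; a JSON parse failure is reported through the same violation list so the caller has a single rejection path.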
CNA Update

CNA DWF
Status: None
Discussion: None
Issues: Issue with reference material in embargo assignments and public entries from DWF.
Action: Kurt is still cleaning data for his workflow.
Board Decisions: Kurt will email Chris Coffin and George Theall to further discuss the workflow for DWF assignment and publication.
CNA MITRE
Status: CNA rules revisions continue. Currently in week 5.
Issues: Need to figure out a better solution to track the progress/completion of any given issue or effort.
Actions: MITRE intends to add content to the CVE website regarding how to submit requests via the web form.
Board Decisions: Please include a link to the resolved webpage in the issue tracker entry that was closed.
URL Update Status
Status: MITRE has gone through 30k URLs for X-Force references, URLs that are broken and that IBM is not willing to change.
Discussion: Can the remaining references to be repaired be done in one sweep, or should batches continue to be used?
Issues:
Action: 20k in total that need to be repaired remain.
Board Decisions: Waltermire will consult with the NVD team regarding whether a limit on the number of changes is still needed and relay the answer to MITRE.
Service Vulnerabilities
Status: Andy proposes that CVEs be assigned to vulnerabilities that reside in services.
Discussion: Board discusses ideas and counter-ideas.
Issues: What is the value of assigning IDs to these issues?
Actions: The Board email list contains the discussion in more detail.
Board Decisions: Andy will provide to the Board the escalation process and the format of the advisories in relation to vulnerabilities in services.
Open discussion
Discussion: Workflow of changing CVE Reject status / Reservation status.
Issue: When there is a provenance issue, MITRE historically notes in the entry a reason describing the issue.
Action: Kurt asks the Board to consider a variation of the publishing guidelines for CVE IDs that are under embargo.
Board Decisions:
Discussion:
Issue:
Action:
Board Decisions:
Summary of Action Items
Significant Decisions, Policy Changes, or Events
Attachment:
CVE Board Meeting 06 September 2017.docx