Members of MITRE CVE Team in Attendance
3:55 – 4:00: Action items, wrap-up
| 05.13.02 | Take the lead in developing a proposal on the approach for an automated vulnerability identification workshop that includes an initial target participant list, and report back at the next CVE Board Meeting. | Kent L. | In Progress | |
| 06.10.01 | Contact RCNA1 to see if they are comfortable sharing their draft Dispute/Escalation policy with the SPWG (and receiving feedback). | Jo Bazar (MITRE) | Complete | 7/22 Update: Draft escalation process sent to SPWG/Kent on 7/22/20. |
| 06.24.03 | Set up meeting to discuss WG council of Chairs with working group chairs and report back to CVE Board. | Jo B. (MITRE) | Complete | 7/22 Update: Meeting held on 7/15; the group concluded that ad-hoc meetings can be scheduled for coordination as needed because the value of a regular meeting is low. |
| 06.24.04 | Send message to all the CVE Board members to see if they want to continue being on the CVE Board. | Chris L. (MITRE) | In Progress | 7/22 Update: Email message sent on 7/15; CVE Board members have until 7/30 to respond. |
| 07.08.05 | Send EOL blog post to CVE Board for review and feedback. | Jo B. (MITRE) | In Progress | 7/22 Update: EOL policy posted on CVE website on 7/15; EOL blog being reviewed and recommended changes being made. Next step is to send back to Kent for final review. |
- Met with podcast expert from NVIDIA who offered tips, tricks of the trade, and dos and don'ts of podcasting. Next step is to reach out to MITRE corporate communications to leverage podcasting resources.
- Continued sending out messages to CNA targets based on CVE Entries in Master List. As a result, three organizations have expressed interest in joining the CNA program.
- Tod will provide a draft of the blog post that will be published on August 1.
- The next CNACWG meetings are July 29 and 30. US and Euro meetings will be held on July 29 and Asia meeting will be held on July 30.
- Use of Source Names should be reviewed now that reference tagging is being implemented.
- Credentialing, Authentication, and Authorization Service: This service will verify that a user is who they claim to be
- User Registry Service: Provides permissions that will control who has access to features and information that are not publicly available
- ID Reservation Service: Self-service allowing CNAs to get either an arbitrary number of non-sequential IDs, or a block of sequential IDs
- Entry Submission and Upload Service (ESUS): Replace the Github submission service so that CNAs can submit CVE information directly to the database, without the need for manual review
- New Website: Replace existing website with a contemporary technology stack and improved organization and utility
- The group continues to review and define the CVE Program terms and definitions. Once drafted, they will be sent to the CVE Board for review and approval. The CVE Program website will need to be updated.
- CNAs missing disclosure policies and/or advisory locations (as required based on CNA rules 3.0)
  - We have emailed the 20 CNAs with missing disclosure policies and/or advisory locations; we have received the requested information from 14 CNAs, and 6 remain outstanding.
  - Reminders will be sent out monthly beginning in August, then transition to weekly during the month of October.
- Another vendor wishes to experience the actual CVE process (training) with their own product before moving on, and is currently waiting for vulnerability reports.
- We will be speaking with another candidate vendor soon and we are currently fixing the schedule for the meeting.
- Regarding the CNA on-boarding slides translation, we have not started the voice-over process yet. We will let you know once the plan is set.
| 07.22.02 | Send questions to Beverly to be included in the survey regarding CVE Board meeting times (e.g., what is a good meeting time for you? Are you amenable to alternating board meetings? Are you amenable to breaking out the meeting into two one-hour meetings?) | ALL | Not Started | Assigned on 7/22/2020. |
Other discussion items:
- The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to Jo Bazar ().
Christine Deal