Members of MITRE CVE Team in Attendance
Christine Deal
Jonathan Evans
Chris Levendis
3:55 – 4:00: Action items, wrap-up
| Action Item | Description | Assignee | Status | Notes |
|---|---|---|---|---|
| 02.19.01 | Identify the industries for active and pipeline CNAs to get a complete picture of the CNA profile. | OCWG | Completed | 6/10 Update: The group finished identifying the industries for current and pipeline CNAs; moving forward, MITRE will document the industry when CNAs join the CNA program. |
| 02.19.04 | Develop a strategy for expanding and growing the CNA program into existing and new industries (e.g., Energy, Automotive, Healthcare tech, etc.). | SPWG | Not Started | Assigned 2/19/2020. |
| 5.13.02 | Take the lead on developing a proposal about the approach for the automated vulnerability identification workshop, including an initial target participant list, and report back at the next CVE Board Meeting on May 27, 2020. | Kent L. | In Process | 6/10 Update: Recommend shifting the report-back date to June 24, 2020. |
- Shannon said that the group is spread out and doing too many things; it needs to focus on its prime directive, which is outreach to potential CNAs (and reaching out more broadly into the community). In short, the podcast we want to do has run into logistical challenges and will not be ready for tomorrow. Shannon will meet with Tod and Jo next week to reschedule. She will update the Board again after they meet.
- Jay Gazlay told the group that CISA is onboarding, at the end of July, someone whose job will be solely to recruit CNAs.
- The next CNACWG meetings are June 17 & 18, 2020. The US and Euro meetings will be held on June 17, and the Japan meeting will be held on June 18.
- We are talking through tagging and have come to a consensus in the WG on the set of tags we would like to support initially at the container level: EOL (at time of assignment) and exclusively hosted service. We are starting to talk about the disputed tag, although we have not come to a consensus on that. We have also come to consensus on the list of reference tags (which are basically characterizations of which type of reference the CVE data format uses). We have added a few, based on reference types that NVD uses, and changed the names of a couple; the final list is on the SharePoint site. We have started conversations with the AWG regarding how to get that deployed in the format (we talked about that yesterday). It looks like we are going to enumerate those tag values in the format; that is work we are coordinating with Joe Whitmore to get addressed in the format. Continuing with tagging, two areas of focus are how we provide for extensibility in the tagging process (if a CNA wants to use an experimental tag, how would they go about doing that?) and formalizing the process by which we will vet, review, and approve new tags, both reference-type tags and container-based tags. We are brainstorming right now about how much review we need, which WGs need to provide feedback, whether the Board needs to approve, etc. We are hoping to have that conversation tomorrow.
- Overall, it is steady as she goes. Since the last Board meeting, we have continued to have conversations about minimum requirements for the rollout of the AWG services; in particular, we have gone through the Entry Submission and Upload (ESUS) service. We are in the process of turning to the user registry discussion. My expectation is that once we move through that one, we should be done identifying the minimum viable product (MVP) services. Simultaneously, we have been having meetings about the new website, what content should go in, and how it should be organized. There is some crossover work between the AWG and QWG pertaining to the tags. This conversation is occurring early enough that I am not anticipating any issues incorporating it into the JSON 5.0 schema for the initial rollout. We are finishing up the sprint on the AWG services; we asked Kent to carve out time in the SPWG so we can discuss that on Monday.
- Dave brought up on the last AWG call that they want to create a registry of current tags with definitions, so they have started brainstorming on that. We need to determine how to operationalize that. We also need to think about providing guidelines for how the tags should be used (e.g., the EOL tag could point to an EOL document).
- Chris thanked everyone who has participated in the MVP discussions and website discussions (card sorting). That will make Phase 1 services more effective and will make the website better.
- User registry MVP discussions: there are still two meetings to go. It is important to have these discussions so that we ensure the services do what they have to do in Phase 1. The meetings go into what we want the end state to look like, and we pare back from there.
- We are in the final throes of the EOL process document and will soon be bringing it to the Board for a vote. CNAs were given two weeks to comment; we have had discussions, but no comments that would affect the document. The document was sent to the tech editor (Christine) on June 8; we hope to have it tech edited by Monday's meeting. There has been good participation in the SPWG, which is appreciated. The next step is to present the EOL document (after tech editing and adjudication) to the Board for a vote.
- At the next SPWG meeting, we will hold a voice vote on the SPWG charter. We are also having a discussion with the AWG concerning their sprint planning for the last sprint before they stand up the production services, and some user registry requirement questions. We do not want to stand in the way of their progress.
- We are currently developing an official Terms and Definitions document, which will be useful during the development of the website and for standardizing terms across documents. We had a good discussion; it is something we need as a program so that we are all speaking the same language. Hopefully, the Terms and Definitions document will be done by the end of July.
- I am trying to get a workshop going around creative ways to deal with Open Source (OS) and OS-related issues. This automation workshop, which involves fuzzing and other automated approaches to CVE, is under development (planning has begun).
- Chris L: When we get to the point where we are doing the automated workshop, does anybody object to my inviting the CWE group to that? There might be some value for the CWE side of things. This may change depending on the agenda. (Nobody voiced an objection.)
- There is one more vote in the short term: the exceptions vote (regarding Chris Coffin's participation).
- Received two CNA requests since the last CVE Board meeting (held on 5/27/20).
- 105 in the total CNA pipeline: 15 in Q3'19, 16 in Q4'19, 23 in Q1'20, and 20 in Q2'20.
- CNAs missing disclosure policies and/or advisory locations (as required by CNA Rules 3.0):
  - We have emailed the CNAs that are missing disclosure policies and/or advisory locations. We emailed 19 CNAs; we have received the requested information from 9, and 10 are outstanding.
- The initial translation is complete, and they are now reviewing the slides internally. This is taking longer than anticipated, as the amount of their coordination work has recently increased more than expected. The PR review is complete, and they are now updating the materials; the plan is to finish everything (notes translation process) by the end of this week.
- The group reviewed the project timeline, updated the completion percentages, and added status updates.
- Chris wants to add, as an action item, that we ask RCNA1 if they are willing to share their current draft document with the SPWG (which will help inform the SPWG's draft policy and also allow the SPWG to provide feedback to RCNA1 on their draft policy).
- RCNA1 will officially announce to the community by the end of June that the RCNA1 Root is coming soon. It will be fully functional by September 30, 2020.
- Jay asked if MITRE is getting enough material to be useful in terms of creating documentation and processes for onboarding future Root CNAs.
- Chris replied: Once RCNA1 goes operational as a Root, we will learn things. As of right now, yes, RCNA1 is providing us with what we need. We will want to have some post-onboarding sessions with them once they are active to take note of lessons learned that can be added to the guidance materials.
- Chris would like to get to the point where we can provide approximate costs, depending on the scope (time, money, etc.).
- Dave added that we need to learn where resources are being spent in the process, which may help us understand how to reduce those costs.
- Andy Balinsky would like to resign; should we list him with Emeritus status? Kent said he is one of the originals and thinks he should be listed as Emeritus. Shannon asked what the rights and responsibilities of Emeritus status are (i.e., can they vote?). Kent: It is in the charter. Emeritus status means they were formerly active on the Board; they must have made significant contributions to CVE and may from time to time be called upon to consult. Chris: not sure if he even wants to be Emeritus. Dave: What were his significant contributions? Kent: He was very active in the early days. He has written a document or two to support the cloud. Chris: He was a big proponent of the increased tempo of Board meetings and of program federation. Chris C: Does Emeritus status require that person to do anything going forward? No, it does not involve any action on his part. Kent: It is a show of respect for someone who has contributed to the program for many years. Calling for a voice vote. No dissenters on the call. All agreed.
- The group agreed that Andy will resign from the CVE Board and be re-listed with Emeritus status. MITRE will reach out to inform Andy and ask if he still wants to be on the Board mailing list. If he wants to be removed now, he can be re-added at any point in time going forward; he just has to notify MITRE.
- Chris advocated that the CVE Program should broadcast RBP metrics to the general public, as a program health metric, in a way that does not reveal who has those RBPs. Ideally, that would spur the community to action to help us identify those RBPs. He tried to generate a conversation about this on the mailing list but has not received any feedback.
- Chris wants to do this because it allows transparency (Jonathan is concerned it may stimulate too much immediate help from the community before we are prepared to deal with it). Chris does not share that concern.
- Dave: There are ways you could effectively deal with that problem by queuing them into a backlog and dealing with them later; I think we should move cautiously forward and deal with the outcomes as we see them. I do not suspect we will get a flood of requests.
- Shannon: Because it's a moving target, I think we should establish what constitutes a baseline of normalcy without throwing it all out there.
- Dave agrees with Kent but can understand Shannon's viewpoint. RBPs are going to go up over time as the number of CVEs goes up over time. Instead of graphing the total number of RBPs, graph the total number of RBPs relative to the number of allocated CVEs. The number needs to be shown as a ratio.
- Chris: Right now, we are not talking about doing something hourly or daily (it will be a much broader timeframe), but we are moving towards real-time public-facing metrics. So RBPs will become more real-time metrics than they are now. The new services should allow for a reduction (not elimination) of RBPs.
- How should this information be presented? We are making tremendous progress if you chart assignments vs. RBPs over time. Do we agree that RBPs should be broadcast to the general public in a non-CNA-specific way? (No objections) YES.
- Next step: We must figure out the process, make a recommendation on what the reporting timeframe is and how often we refresh the metrics, and define the process for the community to report RBPs to us. Maybe this needs to be done through the SPWG to the Board. We need to think all this through.
- When we were conducting our last Board member vote, this idea was generated, and we agreed at the time that this discussion would follow the Board member vote. Do we want to move forward with a sponsor liaison position or not?
- Kent: I do not see the value. I think it sends the wrong message to the world. We are trying to remove the U.S.-specific aspects from the literature and focus on the fact that this is a global effort. Having a sponsor liaison Board position spotlights DHS and sends the wrong message from a PR perspective. In every case, the sponsors have been added to the Board because of their quality and their individual capabilities.
- Katie: Thinks it is disingenuous to try to hide the fact that DHS sponsors the program. The liaison position allows for flexibility. If someone comes in to replace Jay, they should not have to go through the entire process again. They do not have to be a voting member.
- Chris: Think about a future where there is maybe more than just one sponsor; if we think about that future, that bodes well for a sponsor liaison position, because it is for anyone bringing cash to the program. If it is a non-voting position, they get to be heard by their Board colleagues but not have any undue influence.
- Jay: I think the only part of this conversation that gives me any real pause is the discussion of voting vs. non-voting. CISA will ask why they are working on a program that will not allow them to vote.
- Dave: Prefers always having a direct conversation with DHS rather than working through a conduit (MITRE). That is the value of having this liaison position.
- Katie: When we nominated Jay to the Board, I brought up the concern that Jay is in that position now, but what happens when he leaves and is in a different position? We are not planning for something that is never going to happen; CISA re-organizes every two years.
- Chris: We agreed that our first discussion on this needed to be post-Jay. Jay should have confidence that he was brought on as an individual Board member.
- Shannon: To grow globally and to round out as an international body, we cannot and should not hide a DHS presence, but we need to give the impression of DHS neutrality. She wants new, globally located CNAs to have that comfort.
- Dave: We need to assuage concerns with transparency; one way we are transparent is that the minutes of the Board are public documents. We share the recordings too. These conversations are all public. The conversations the sponsor has with MITRE are NOT public conversations. To some degree, by having the sponsor participate in the Board, we are providing a better avenue of transparency than by other means.
- Next steps: Kent proposes that Dave or Katie write up the value and limits, and we can discuss this on a future call (with boundaries).
| Action Item | Description | Assignee | Status | Notes |
|---|---|---|---|---|
| 6.10.06 | After the RCNA1 Root CNA is stood up, schedule a post-mortem that includes developing process documentation (i.e., a "how-to" guide). | TBD | Not Started | Assigned on 6/10/2020. |