Members of MITRE CVE Team in Attendance
- Christine Deal
- Jonathan Evans
- Chris Levendis

3:55 – 4:00: Action items, wrap-up
- The group reviewed the active and pipeline CNA list and assigned industries.
- The podcast planning is underway; the group agreed to use Skype or MS Teams and a tentative date is scheduled for June 11.
- Jonathan will provide an updated list of vendors based on the CVE IDs requested from MITRE.
- Successful non-US meetings were held with European and Asian participants (Taki attended, and JP-CERT is interested in attending future meetings).
- The virtual summit is scheduled for Monday, October 19, 2020, from 1:00 p.m. to 5:00 p.m. ET.
- Matt B/Joe W. provided an overview of the CVE Entry states for the feedback for the Entry Submission and Upload Service.
- Focused on general design document around container tagging for EOL and service tags.
- Starting to talk through how new tags will get added: How will the proposals be processed and approved and assigned to the right working group (e.g., CNA specific tags)?
- Also discussing different types of tagging around reference types.
- Dave explained that we need a place to host the list, valid tag names, valid reference types, etc.
- The document was sent to the CNA list for feedback on May 21.
- Next step is to tech edit the document and then send to CVE Board for approval and program acceptance.
- Received six CNA requests since the last CVE Board meeting (held on 5/13/20):
- Four CNA announcements since last CVE Board meeting: GitLab, OpenVPN Inc., NortonLifeLock and Sierra Wireless
- There are now 127 CNAs participating in the program in 21 countries
- 103 in total CNA pipeline: 15 in Q3'19; 16 in Q4'19; 23 in Q1'20 and 17 in Q2'20

CNAs missing disclosure policies and/or advisory locations (as required based on CNA rules 3.0)
- We have emailed CNAs that are missing disclosure policies and/or advisory locations. We have emailed 19 CNAs and we have received the requested information from 8 CNAs; 11 are outstanding.
- The initial translation is finished and we are now reviewing the slides internally. This is taking a bit long, as the amount of our coordination work has increased more than we expected. Therefore, although things are still moving forward, not everything (including our PR team review) will be finished by the end of May as we planned.
DWF Postmortem discussion: Lessons learned and opportunities going forward
I wanted to resurface the Physical Attack Discussion. I think we agreed to update the counting rules to reflect the conversation below. Intel is planning to update our Bug Bounty Scope guidance to clarify the physical attack scope. I wondered what the next steps are for the CVE program?