CVE Board Meeting summary - 28APR2021



02:35-03:55: Review of Action items (see attached Excel file)

See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 12May21 – Agenda and Action items)

o Kris Britton explained that on the morning of April 20, 2021, the MITRE Top-Level Root (TL-Root) became aware of an incident that compromised CVE Program information at various levels of sensitivity.

§ Bottom Line Up Front: A CNA's API secret for the ID Reservation (IDR) Service was exposed to the public for 19 hours. Upon discovering this, the Secretariat initiated the incident response plan that was agreed to by the Automation Working Group (AWG) approximately five weeks ago. Consistent with that plan, the Secretariat took immediate action to address the risk by resetting the CNA's API secret. Upon further review of the logs, no nefarious activity was discovered. Other programmatic information was leaked, but none of it appears significant.

o The Board discussed marking CVE Summit materials, presentations, and notes TLP and agreed this approach should be best practice for the CVE Summits moving forward. Tod B. has the action to announce using TLP for CVE Summit presenters and attendees.

o The Board agreed the CVE Program needs to have better discipline for the use of TLP with CVE Program materials. For the most part, items should be marked as TLP:Amber.

o David W. submitted Chandan B.N. as a CVE Board member nominee on April 16, 2021. Below is Chandan's nomination statement.

§ With over 20 years of experience working in product security, Chandan is an insightful, strong technical leader with an eye towards vulnerability issues that affect end-user organizations. He has a long history of contributing to the CVE program, demonstrating a commitment to improving CVE, and working as both a producer and consumer of CVE information. I have worked with him as co-chair of the quality working group for the last few months. He demonstrates extensive knowledge of vulnerability coordination and management, is well organized, a good communicator, and able to develop consensus around complex topics. He is interested in automation within the CVE program and improving the user experience of our stakeholders. To this end he developed Vulnogram, a tool used by some CNAs, which provides a graphical web-based interface for producing and updating CVE records. Chandan will be an active contributor to the CVE board, helping in this new capacity to evolve CVE in a positive, user-centric way, and will remain an active contributor to the CVE program. He is the type of engaged participant in the CVE program we need more of.

o The Board agreed to press forward with the CVE Board nomination of Chandan B.N. The next steps are to schedule a 30–45-minute interview with Chandan.

o The Secretariat has the action to reach out to Chandan for his availability on May 12th at 9:00 AM EDT.

§ CVE Program Professional Code of Conduct – Kent Landfield

o The Board agreed that one code of conduct for the entire CVE program is appropriate.

o The Board agreed to move forward with integrating the Professional Code of Conduct and publishing it on the CVE Website. In addition, the Professional Code of Conduct will be included in the CNA onboarding PowerPoint, and all the WG charters will point to the CVE Program-wide Code of Conduct.

o The Secretariat will review, edit, and post it on the new CVE website.

o Katie explained that NVD overwrites vendor CVSS scores, and vendors suggested having both scores available for viewing. David W. explained that both scores are listed on the NVD. If both vendor and NVD CVSS scores agree, NVD will list only the vendor's CVSS score; however, if they do not agree, then both CVSS scores are listed.

§ The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to the CVE Program Secretariat ().
