CVE Board Meeting summary - 6JAN2021



03:35-03:55: Review of Action items (see attached excel file)

See attached Excel spreadsheet (CVE Board Meeting 20Jan21 – Agenda and Action items)

    • The group discussed in detail whether CVE IDs should be assigned to vulnerabilities in Docker containers.
        • Description of issue: insecure default configuration for the admin password. The issue arises because the base Docker image was configured incorrectly and is then used by other people as the basis for their own Docker images, so the weak default propagates to every derived image.
        • If CVE IDs are not assigned for such issues, a policy needs to be put in place.
        • Proposal: document corner cases in a public way to reveal the decision-making process (e.g., best practices for making these decisions).
    • The group agreed to begin drafting guidance on how to handle these types of issues. Pascal has offered to write the first draft once additional information about the issue is provided by MITRE.
      • The mission of the Common Vulnerabilities and Exposures (CVE) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered, by vendors and researchers then assigned and published by organizations from around the world that have partnered with the CVE Program as CVE Numbering Authorities (CNAs) and Root CNAs. As CNAs, vendors publish CVE Records to communicate consistent descriptions of vulnerabilities to their customers, while IT and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
    • The group approved the short form and agreed the long form needs more work, specifically removing the mentions of vendors and researchers and of Root CNAs.
    • ID Reservation (IDR) Service: Self-service allowing CNAs to get either an arbitrary number of non-sequential IDs, or a block of sequential IDs
    • Record Submission and Upload Service (RSUS): Replaces the GitHub submission service so that CNAs can submit CVE information directly to the database, without the need for manual review.
      • Next milestone: User stories will be presented in the next SPWG meeting and the sprint plan will be presented in AWG in late January.
    • User Registry: Provides permissions that will control who has access to features and information that are not publicly available.
    • The group agreed to discuss this topic at the next meeting, when more people are in attendance. Katie presented the polling results; about 70 people responded.
    • The group briefly discussed this issue and agreed there is no consensus on it: what one organization considers malware, another organization may not.
  • The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to Jo Bazar ().


