CVE Board Meeting
22 February 2017, 2:00 p.m. EST
The CVE Board met via teleconference on 22 February 2017.
Board members in attendance were:
Harold Booth (NIST)
Art Manion (CERT-CC)
Kurt Seifried (Red Hat)
William Cox (Black Duck)
Dave Waltermire (NIST)
Ken Williams (CA Tech)
Members of the MITRE CVE Team who attended the call are as follows:
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:25: Working Groups
Automation - Harold Booth
2:25 – 2:50: CNA Update
DWF – Kurt Seifried
General - Dan Adinolfi
2:50 – 3:00: Documentation update (Researcher Reservation Guidelines, CVE Vision) - Chris Coffin
3:00 – 3:10: RSA Conference Debrief - Dan Adinolfi
3:10 – 3:30: Coverage of services - Jonathan Evans
3:30 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Chris Coffin
The meeting began with a review of previous action items.
Introductions, action items from the last meeting – Chris Coffin
Documentation update (Researcher Reservation Guidelines, CVE Vision)
MITRE is fleshing out the documentation plan that had been presented to the Board. Development of those documents will be done on GitHub. Among other documents, a revision of the CVE reservation guidelines for non-CNAs will be included.
RSA Conference Debrief - Dan Adinolfi
CVE had some representation at the RSA Conference 2017. Dan Adinolfi presented to the pre-conference CERT Vendor Meeting, describing the CNA program and CVE federation. Kent Landfield and Kurt Seifried presented two sessions relating to the DWF process. Dan also conducted a large amount of outreach with vendors at the RSA Expo with the hope of drumming up more interest and participation in the CNA program. Dan also had some discussions with Apple and Synopsys, among other existing CNAs.
Coverage of services
Continuing the discussion regarding including hosted service vulnerabilities in CVE, MITRE asked the Board if it could offer some use cases to help understand the requirements. Kurt Seifried is working with the Cloud Security Alliance on tracking these kinds of issues, and he will share their development with the Board. The discussion will continue on the mailing list, and the Board will create those use cases.
Open discussion – CVE Board
The Board discussed the implications of CVE IDs remaining in a “reserved” state indefinitely. This may happen for numerous reasons, one being organizations using CVE IDs for internal issue tracking even though many of those issues will never be made public. The Board asked MITRE to consider adding a field that indicates which CNA is responsible for a reserved CVE ID, which may help mitigate confusion caused by CVE IDs that are reserved but unpopulated.
Action items, wrap-up – Chris Coffin