CVE Board Meeting
22 March 2017, 2:00 p.m. ET
The CVE Board met via teleconference on 22 March 2017.
Board members in attendance were:
Andy Balinsky (Cisco)
Harold Booth (NIST)
Kent Landfield (Intel)
Art Manion (CERT/CC)
Kurt Seifried (Red Hat/DWF)
Taki Uchiyama (JPCERT/CC)
David Waltermire (NIST)
Members of the MITRE CVE Team who attended the call are as follows:
Agenda
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:25: Working Groups
Strategic Planning - Kent Landfield
Automation - Harold Booth/Kurt Seifried
2:25 – 2:50: CNA Update
DWF – Kurt Seifried
General - Dan Adinolfi
2:50 – 3:10: Timeframe for Updating Upstream CNAs - Dan Adinolfi
3:10 – 3:30: CNA Report Card Template - Dan Adinolfi
3:30 – 3:55: Open discussion – CVE Board
3:55 – 4:00: Action items, wrap-up – Chris Coffin
Introductions and review of previous action items
CNA Report Card – Dan Adinolfi
MITRE presented a draft template for the quarterly CNA Report Card to the Board. The Board accepted the current template and plans to update and revise it over time. MITRE will provide the metrics for the first quarter of 2017 at the next Board meeting.
The Board suggested that, to create a more transparent environment, a public issue tracker would be useful. Through such a tracker, individuals with questions or comments on CVE ID assignments would be able to post them and have the details directed to the appropriate CNA. The Board also reiterated that there should be an easy way to link individual CVE IDs to the CNAs that assigned them. Finally, the Board suggested that including meta-information about CVE IDs and CNAs within the CVE entries themselves may help meet the requirement for accurate metrics through automation and crowdsourcing. These three suggestions will be discussed more fully in the future.
Timeframe for Updating Upstream CNAs – Chris Coffin
The current CNA rules do not stipulate a specific time by which a CNA should update its upstream CNA after a CVE ID has been made public. MITRE asked the Board for guidance on the maximum time a CNA should be allowed to wait. The Board suggested that CNAs should update their upstream CNAs within 24 hours of the publication of a CVE ID. This recommendation will be added to the list of updates to be considered for the next CNA Rules update.
Additionally, CVE IDs that have been reserved for long periods of time without any public assignment could be “REJECT”ed or labeled in some other way to indicate that they are inactive in the CVE List. This idea will also be considered further.
Open Discussion - Dan Adinolfi
The Board was directed to the GitHub branch of the CVE repository that has placeholders and early drafts for CNA documentation. The first document to be taken on by the Board, a CVE 101 white paper, will be shared with the Board and developed in the two-week timeframe that was previously discussed.
The Board was reminded that CVE now has two Twitter accounts (@CVEannounce and @CVEnew) and a LinkedIn page. As of the Board meeting, @CVEannounce had approximately 40 followers, @CVEnew had approximately 500 followers, and the LinkedIn page had approximately 80 followers.
The Board suggested that it should begin planning on another face-to-face meeting of the Board and CNAs.
MITRE will be attending a few conferences in the next few months to raise awareness of the CVE and CNA programs, to encourage participation, and to solicit feedback from stakeholders. The Board suggested that MITRE share its conference travel plans, including events it cannot attend, so that Board members have an idea of where they could go to raise awareness themselves.
The Board discussed whether it should be an accepted practice for a CNA to assign CVE IDs to issues that will never be made public. Most of the Board felt this was not acceptable, but the topic will be debated further.
Action items, wrap-up – Chris Coffin