
CVE Board Meeting Minutes, 18 October 2017

CVE Board Meeting 18 October 2017


Board Members in attendance:

William Cox (Black Duck)

Scott Lawyer (LP3)

Kent Landfield (McAfee)

Andy Balinsky (Cisco)

Kurt Seifried (Red Hat/DWF)

Taki Uchiyama (JPCERT)

Pascal Meunier (Purdue University)

Ken Williams (CA Technologies)

Art Manion (CERT-CC)

Members of MITRE CVE in attendance:

Dan Adinolfi

George Theall

Chris Coffin

Jonathan Evans

Joe Sain

Anthony Singleton

Alex Tweed



2:00 – 2:15 - Introductions, action items from the last meeting – Chris Coffin


2:15 – 2:30 - Working Groups


            Strategic Planning – Kent Landfield



                        Board Decisions


            Automation – George Theall



                        Board Decisions


2:30 – 2:45 - CNA Update


            DWF – Kurt Seifried



                        Board Decisions


            General – Dan Adinolfi



                        Board Decisions


2:45 – 3:15 – Q3 Report Card presentation (Chris Coffin, Dan Adinolfi)


3:15 – 3:20 – How should links with defunct domains be handled? (George Theall)


3:20 – 3:30 – CVEs for Services (Andy Balinsky)


3:30 – 3:40 - Disposition of Board members who have not responded regarding their continuing participation – (Chris Coffin)


Action items, wrap-up – Chris Coffin


Review of Action Items from last meeting

PREVIOUS ACTION ITEM: Kurt Seifried will put together a container item. Will set up a meeting on adding CVE tags (categories) (med_device, IT automotive, etc.) to CVE JSON fields.

STATUS:  Kurt sent email 10/18/17 1:58 pm to board list.

PREVIOUS ACTION ITEM: Andy Balinsky will send email to the list for review of the CVEs for services document

STATUS: Completed

PREVIOUS ACTION ITEM:  Agenda item in next call for discussion with Andy on CVEs for services

STATUS: Completed

PREVIOUS ACTION ITEM: MITRE will add prior action items to the meeting agenda email moving forward.

STATUS: Completed

PREVIOUS ACTION ITEM: Automation WG to add action item for ci/travis integration in future git pilot phase.  Dave will email the Automation WG list with ideas for this.

STATUS: Discussed ci/travis integration in the 10/16 Automation WG meeting and work is moving forward. MITRE will communicate with Dave about his ideas for the next phase of the pilot.

PREVIOUS ACTION ITEM: MITRE to find a place for collaborative document sharing; possibly Handshake, creating a presentation on this.

STATUS:  Going through transition internally and will create test cases to use with the board.

PREVIOUS ACTION ITEM: MITRE to send email to Board regarding status of Board members.

STATUS: Completed

PREVIOUS ACTION ITEM: Research tools for JSON development—query the CNAs for suggestions that would be helpful to them. What would the CNAs like to see as far as JSON tools? MITRE will email the CNA list for thoughts and plant the seed for a future CNA Summit discussion.

STATUS: Completed. Have received some feedback from community.

PREVIOUS ACTION ITEM: MITRE will make sure that the CVE submission requirements discussion continues on the Board list.

STATUS: Discussed internally and will move to the list soon.



Agenda Items:

Working Groups


Strategic Planning


Status: Discussed roles of Root and what Root means.


Actions: Kent was going to send out a draft document that captures all of the recent discussions on strategy. This was an action item from the 10/16 Strategic Planning WG meeting.

Board Decisions:




Automation


Status: Lead off with affects containers in the JSON schema.

Discussion:  Public CVE GitHub repository was launched on 10/16 and begins Phase 2 of the Git pilot.

Issues:   None

Action: Continue to work with CNAs during Phase 2.

Board Decisions: None


CNA Update


DWF


Status: None

Discussion:  None

Issues: None

Action:  None

Board Decisions: None




General


Status: Sent out CNA Rules updates. Added NetApp as new CNA.

Issues: None

Actions: Web site now lists new CNA Rules (v2.0). The rules are available but are properly noted as not taking effect until Jan 1, 2018.

Board Decisions: None


Q3 Report Card presentation


Status: Presented the 2017 Q3 CVE Quarterly Program Review and CNA Report. Asked for feedback/comments on Presentation.

Issues: None

Actions: A few minor suggestions by Board will be included in future reports.

Board Decisions: None

Note: Presentation has been recorded and slide deck has been shared with the board private list.

Discussion: Add GitHub statistics. How can the Board aid in recruiting vendors from other domains?


How should links with defunct domains be handled?


Status: Kurt believes we should keep the URLs and follow a process like the one Wikipedia uses with archive.org.

Issues: The URLs can be reused and pointed at explicit material that is not CVE related.

Actions: A Board email thread will be used to continue the discussion.

Board Decisions: None


CVEs for Services


Status: Andy Balinsky presented his report on cases on CVEs for Services.

Issues: How does the CVE program handle situations where the root cause is not entirely clear? What if there are many root causes or one single root cause?

Actions: The Board should consider what kind of process to follow for this type of domain: claim-based or policy-based.

Board Decisions: Moving the conversation back to the thread to decide whether Cisco is to be the head of the pilot for CVEs for services. Reach out to HackerOne to gauge their interest in CVEs for services.

Note: Document used for presentation can be found at https://github.com/CVEProject/Board-Discussions/blob/master/CVE_IDs_for_Services.md


Disposition of Board members who have not responded regarding their continuing participation


Status: Some Board members have not replied to the annual poll for participation on the CVE Board. These members have until the end of the month to reply or else they will be removed.



Board Decisions: Board will try to contact missing members if they have additional contact information.



Summary of Action Items


  • Continue discussing defunct domain issue for references using a Board email thread.
  • Category/tag discussion with Kurt – Board to review and provide thoughts via a Board email thread.
  • Send email to HackerOne to gauge their interest in issuing CVE IDs for Services.
  • MITRE will continue to work on putting together ideas and thoughts for collaborative document sharing.



Significant Decisions, Policy Changes, or Events


  • None


Attachment: CVE Board Meeting Minutes 18 October 2017.docx

Attachment: Q3 2017-10172017_r2.pptx

Page Last Updated or Reviewed: October 31, 2017