NOTE: Please send an email to the Secretariat if you have a topic to add to the agenda for the next Board meeting on March 2.
CVE Board Meeting Notes, February 16, 2022

Members of CVE Board in Attendance
☐ Ken Armstrong, EWA-Canada, An Intertek Company <https://www.intertek.com/cybersecurity/ewa-canada/>
☒ Tod Beardsley, Rapid7 <https://www.rapid7.com/>
☒ Chris Coffin, The MITRE Corporation <https://www.mitre.org/> (MITRE At-Large)
☐ Jessica Colvin
☒ Mark Cox, Red Hat, Inc. <https://www.redhat.com/>
☒ William Cox, Synopsys, Inc. <https://www.synopsys.com/>
☒ Patrick Emsweller, Cisco Systems, Inc. <https://www.cisco.com/>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini, Cisco Systems, Inc. <https://www.cisco.com/>
☒ Kent Landfield, McAfee Enterprise <https://www.mcafee.com/enterprise/en-in/home.html>
☒ Scott Lawler, LP3 <https://lp3.com/>
☒ Chris Levendis, CVE Program <https://cve.mitre.org/> (CVE Board Moderator)
☐ Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University) <https://www.cert.org/>
☐ Pascal Meunier, CERIAS/Purdue University <https://www.cerias.purdue.edu/>
☐ Ken Munro, Pen Test Partners LLP <https://www.pentestpartners.com/>
☐ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☒ Chandan Nandakumaraiah, Palo Alto Networks <https://www.paloaltonetworks.com/>
☐ Kathleen Noble, Intel Corporation <https://www.intel.com/>
☒ Lisa Olson, Microsoft <https://www.microsoft.com/>
☐ Shannon Sabens, CrowdStrike <https://www.crowdstrike.com/>
☒ Takayuki Uchiyama, Panasonic Corporation <https://www.panasonic.com/global/home.html>
☒ David Waltermire, National Institute of Standards and Technology (NIST) <https://www.nist.gov/index.html>
☐ James "Ken" Williams, Broadcom Inc. <https://www.broadcom.com/>

Others in Attendance (MITRE CVE Team)
☒ Kris Britton
☒ Christine Deal
☒ Art Rich
☒ Thu Tran

Agenda
* Introductions and Roll Call
* Today's Topics
  * Vulnogram adoption
  * CVE website metrics
* Open Discussion
* Review of Action Items
* Next Meetings and Future Agenda Topics

New Action Items from Today's Board Meeting
Action Item #  Action Item  Responsible Party  Due
02.16.01  Begin planning next steps related to Vulnogram.  TWG  2/17/2022
02.16.02  Update the cve.org website to fix the Partners List (correct the roles for Google (add Root) and Android (remove Root)) and format "Root Scope" and "CNA Scope" consistently (bold/not bold).  Secretariat  2/22/2022

Today's Topics
* Vulnogram adoption (Lisa Olson/Chris Levendis)
  * Vulnogram was discussed as a tool to replace the current web form for reserving CVE IDs and submitting/retrieving CVE Records.
  * Implementation may include a period of overlap during which either Vulnogram or the web form may be used.
  * Discussion was positive, and the consensus was that the tool is better than the web form but could use some simplification (i.e., it is not intuitive).
  * The Automation Working Group (AWG) supports Vulnogram as an option for reserving CVE IDs and submitting/retrieving CVE Records. AWG observations include:
    * The current version needs to demonstrate that it supports the CVE JSON 5.0 record format and interfaces cleanly with CVE Services 2.1. Testing can begin after February 25.
    * Planning is needed to determine an adoption schedule for Vulnogram and to integrate it with the CVE Services 2.1 deployment schedule.
    * The Program will need to provide resources for tool management, e.g., configuration management and security.
  * Proposal to the Board: Should the CVE Program move to implement Vulnogram (replacing the current web form)?
  * Decision: YES (all 12 Board members on the call voted YES).
  * The Transition Working Group (TWG) will begin planning next steps, e.g., adoption schedule, customization needs, and creation of user documentation.

* New CVE Website Metrics (Thu Tran/Kris Britton)
  * CVE website metrics (site activity since the roll-out) were shared and discussed:
    * Number of users over time (stable-to-upward trend, with a spike in December due to Log4j; total users since deployment is 216k).
    * Top countries by number of users (top three are the U.S., Germany, and India). This metric indicates an opportunity to recruit more CNAs from particular countries; e.g., there are currently only four CNAs in India, yet India has the third-greatest number of users who accessed the website.
    * Web pages accessed (top three are CVE Record Details, Home, and News).
  * The Board agreed to add the metrics to the Quarterly Reports.

Open Discussion
* CNA inactivity (not assigning CVE IDs) and subsequent removal from the Program was raised as a concern. Chris Levendis reminded the Board that the Program tries every avenue, over at least a six-week period, to communicate with an inactive CNA to understand the reason for the inactivity. There are valid reasons, such as the CNA not having identified any vulnerabilities in its area of scope. Only after the Program has contacted the CNA at least three times over a six-week period, without a response or a satisfactory response, is the CNA considered for removal.
* Highlights of the February 16, 2022, Council of Roots meeting were shared:
  * Google attended for the first time as a new Root.
  * The Program recognizes that the onboarding videos are out of date and is waiting until CVE Services 2.1 is deployed and stable before making significant updates. In the meantime, supplemental/clarifying documentation may be used as needed.
  * Groups.io is viewed positively by the Roots. Monday.com is less popular, and it was suggested that a future Roots meeting be used to conduct a walk-through of the tool.
* An agenda for the April 7 Summit was developed by the TWG and sent to the Board for review/comments on February 16, 2022. The agenda focuses on CVE Services 2.1.

Review of Action Items
* The Program will reach out to Tod Beardsley to get status updates on his action items.
* The Program will check with the MITRE Help Desk about the Zoom meeting problem (Kent Landfield can't access). Related to Action Item 01.05.01.

Next CVE Board Meetings
§ Wednesday, March 2, 2022, 2:00pm-4:00pm (ET)
§ Wednesday, March 16, 2022, 9:00am-11:00am (ET)
§ Wednesday, March 30, 2022, 2:00pm-4:00pm (ET)
§ Wednesday, April 13, 2022, 9:00am-11:00am (ET)

Discussion Topics for Future Meetings
* CVE Working Groups Updates – March 2, 2022

CVE Board Recordings
The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to the CVE Program Secretariat (cve-prog-secretar...@mitre.org).

Christine Deal
Homeland Security Systems Engineering and Development Institute (HSSEDI)
MITRE