
CVEBoard teleconference summary - August 25, 2016



CVEBoard Meeting

25 August 2016, 2:00 p.m. EST

The CVE Board met via teleconference on 25 August 2016.

Board members in attendance were:

Andy Balinsky (Cisco)

Harold Booth (NIST)

Kent Landfield (Intel)

Scott Lawler (LP3)

Pascal Meunier (CERIAS/Purdue University)

Kurt Seifried (Red Hat)

David Waltermire (NIST)

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Jon Baker

Tiffany Bergeron

Steve Boyle

Chris Coffin

Christine Deal

Jonathan Evans

Chris Levendis

Meghan Manley

Joe Sain

Anthony Singleton

George Theall

Donna Trammell

Agenda

2:00 – 2:05: Introductions, action items from the last meeting

2:05 – 2:15: DWF Update

2:15 – 2:45: CVE Board Charter; Vote Results and Next Steps

2:45 – 3:15: CVE Operations Update

3:15 – 3:45: CNA Update and CVE Outreach Discussion

3:45 – 3:55: Updated CVE Counting Rules Document

3:55: Action Items, Wrap-up

The meeting began with an announcement that Alan Paller (SANS) has stepped down as a member of the Board since he has been unable to participate recently.

All action items from the last meeting have been resolved. A new version of the CVE Counting Rules document was sent out on Wednesday, August 24th, and the latest version of the Charter was sent out on August 22nd.

DWF Update

DWF has been training a new analyst, and that training is now complete. A discussion on Service Level Agreements (SLAs) is needed to ensure CNAs, including DWF, are maintaining a suitable level of service and focusing on measuring “things that matter”. The start of this discussion will be posted to the Board list and will include:

  • What information do they have to publish and how often should it be published? This will be described in ranges instead of absolute numbers, since there must be flexibility to fit various business processes and domains. Disclosure schedules and embargo periods will be addressed.
  • Embargo policies: different domains will have different embargo policies. We want to encourage as many types of embargo as possible, while discouraging overuse of the exception process.

CVE Board Charter; Vote Results and Next Steps

The latest version of the Charter went out for feedback on Monday, August 22nd. The Board was comfortable with moving forward with the vote based on the current draft of the Charter. The Charter will be sent out on Friday, August 26th, for a two-week voting period ending on September 8th.

CVE Operations Update

MITRE recently announced that it is moving away from CVE email requests and will instead use a web form to collect CVE requests. One goal is to make CVE communication between the CVE Team and other stakeholders easier. This will be a significant improvement to MITRE's operating environment. The new web form will go live on Monday, August 29th; however, CVE email requests will continue to be accepted for a short time until CVE requesters become aware of the CVE web form.

The Board expressed some concern over how the news of the change was generally communicated. That said, the Board was happy to see automation and structure in the CVE request system.

MITRE considers the current format of the web form an early version that will be improved in short order. MITRE plans to monitor use of the form during the first few weeks after deployment, take lessons from that use, and iterate quickly.

The Board was informed that they were welcome to test the web form and provide feedback to MITRE.

  • Anyone may open a ticket to test the system, but MITRE asks that testers identify it as a test ticket.
  • There are no limitations on testing, but MITRE requested that testers avoid denial of service attacks. Note, the system has been tested internally at MITRE.
  • Send MITRE your feedback: it can be sent directly through the form itself or to cve@mitre.org.
  • The form can accommodate one CVE ID request at a time or a request for more than one CVE ID. Requesters can enter up to ten CVE requests at a time. CNAs can request a block of CVE IDs. One can also request an update to an existing CVE entry, send a question or comment, or notify MITRE of a CVE publication.
  • Use of the ticketing system is only an operational change within MITRE and does not change the CVE List. For the MITRE team, the change will make tracking CVE requests more efficient and easier.

The cve-assign email account will remain open for a short time after the web form is put into production. Any messages sent to the account will receive an auto-response informing people that they should use the new CVE web form. Each request made through the web form will have a confirmation number, and that number will be provided in a message from the new cve-requests email address to the requester.

CNA Update and CVE Outreach Discussion

Intel and Apache were recently named as CNAs. Intel's scope will be better defined on the CVE website once Intel has discussed its CNA process with its partner organizations.

The Board discussed developing a long term strategy for CVE and the CNA program. DWF was the first CNA to be created as a federated CNA. Federation will facilitate growth of the CVE program over time with MITRE as the coordinator. The Board needs to consider how they would advise the CNA program be organized going forward. The Board then needs to act on those ideas. One main question that must be answered is, “Where does the Board want CVE to be in two or three years as CVE further develops?” Right now the federation is starting to crawl. What can be done internally to support this evolution?

The Board felt that creating a Working Group to work through some of these matters was a good idea. The Board needs to have a conversation about what the federated environment should look like in three years.

  • How are new CNAs brought on board?
  • What should be included in CVE’s scope?
  • How does CVE work with the community to reach a final solution that can accommodate growth and new technologies?
  • The Board should plan to hold these discussions and put forward a Working Group that creates artifacts and documents in an open and transparent manner. By doing so, CVE can gather many ideas and perspectives more collaboratively.

The CNA Rules document is going through final revision and will be ready next week. This document describes the federated structure and operational tasks and governance.

Assuming that a Working Group can be created after the Charter vote, the Board wanted to begin the discussions informally and then bring them to the Working Group once it has formed. In addition, the Board proposed holding face-to-face working meetings. Plans for scheduling such meetings will begin immediately, including a meeting for the CNAs to gather and work through training and other CNA-specific issues. A call for participation will be sent out over the Board mailing list for the pre-Working Group and Working Group.

Updated CVE Counting Rules Document

The current draft of the CVE Counting Rules Document was sent out on Wednesday, August 24th. Some comments were received from the Board. Based on the comments received, the document will be revised and a new version distributed. The conversations on the Board mailing list will continue, and any new thoughts are appreciated. A new update will be shared within the next few days.

Concern was expressed about the way "vulnerability" is defined. The definition appears to exclude hardware vulnerabilities, which is not the intent. The Board wants to make sure that the definition used does not inadvertently limit CVE's potential to expand its scope.

Other Issues

An update on the creation of a vulnerability taxonomy by NIST was requested, and that taxonomy will be presented in the next few weeks. Feedback from the CVE web form and verbiage in the taxonomy will be aligned as identified in the community. The Board will expand the taxonomy as needed. Development of the second version of the CVE web form will be around the same time as feedback from the taxonomy. The description alignment should be right on target.

Action Items:

- MITRE will send a new version of the CNA Rules document reflecting the changes recommended by the Board.

- A vote on adoption of the revised Charter will be initiated by MITRE on Friday, August 26. There will be a two week voting period that ends on Thursday, September 8. Results of the vote will be announced at the CVE Board meeting later that day.

- Kent Landfield will draft an announcement regarding the formation of the CNA Working Group.

- Harold Booth will send a vulnerability description to the MITRE CVE Content team.

The next Board meeting will be held on September 8th.

Attachment: cve_board_summary_20160825.pdf
Description: cve_board_summary_20160825.pdf


Page last updated or reviewed: September 7, 2016