
CVE Board Meeting Summary - July 25, 2018



CVE Board Meeting, July 25, 2018

Board Members in Attendance

Andy Balinski (Cisco)

William Cox (Black Duck Software)

Beverly Finch (Lenovo)

Scott Lawler (LP3)

Art Manion (CERT/CC)

Scott Moore (IBM)

Kurt Seifried (RedHat)

Taki Uchiyama (Panasonic)

Members of MITRE CVE Team in Attendance

Chris Coffin

Christine Deal

Jonathan Evans

Other Attendees

Chris Johnson (NIST)

Agenda

2:00 – 2:15: Introductions, action items from the last meeting – Chris Coffin

2:15 – 2:30: Working Groups

· Strategic Planning – Kent Landfield

· Automation – Chris Johnson, Dave Waltermire

2:30 – 2:45: CNA Updates

· DWF – Kurt Seifried

· MITRE – Jonathan Evans

· JPCERT - Taki Uchiyama

2:45 – 3:15: 2018 Q2 Quarterly Program Review and CNA Report Card – Chris Coffin

3:15 – 3:50: Open Discussion

3:50 – 4:00: Action items, wrap-up – Chris Coffin

Review of Action Items from the Last Meeting

  • Previous Action Item: MITRE to set up a repo in GitHub for the CVE User Registry service project.
    • Status: Done
  • Previous Action Item: MITRE to send an email to the Board regarding the CSA cloud services Working Group.
    • Status: Done
  • Previous Action Item: The Board agreed to take one week off to allow further discussion before the vote on Lisa Olson's Board nomination.
    • Status: Are we ready to start the vote? Nobody on the call objected to starting the vote.
  • Previous Action Item: Send out a note to the Board on the CVE Quality WG (MITRE).
    • Status: Not Done

Agenda Items

Board Working Groups

Strategic Planning Working Group (Chris Coffin / Kent Landfield)

ISSUES: Talked about the current state of the Services documents, which are mostly complete. Waiting on final feedback and review from SPWG members and the chair.

ACTIONS: N/A

BOARD DECISIONS: N/A

Automation Working Group (Chris Johnson / Dave Waltermire)

ISSUES: Met on Monday and discussed several topics, including the use of 2 digits vs. 3 digits for the ISO language code in CVE entries and the need to come to an agreement about which code is preferable. Some scenarios were introduced on emergent issues, including the publishing of CVEs and the possible workflows that would result from such a capability. Also discussed the NVD CPE assignment process (how it happens, and what data is used to craft the CPEs: container data or vendor sources); the group will look into the process. The group also talked about getting together to plan for the phase 3 pilot; there were some activities that were supposed to happen that haven't yet happened, so do those need to be addressed under a follow-on phase? A quick status on the CONOPS for Services coming out of the SPWG was given. Kurt Seifried provided an update on some of the activities he did in getting the CVE User Registry project off the ground.

Scott Moore indicated he was unable to join via Skype so Chris Coffin will look into that before the next meeting.

Kurt indicated that there are rules (the CVE guidelines) for how we ingest data; on the language question, when he looked at the ISO standard he chose the newer 3-digit code because it supports more languages. But do we have any rules about how others publish the data? There are many people in the CVE ecosystem who consume the data and republish it. He wanted to confirm that there are no rules or guidelines on how people publish the data (for example, changing the date format). Chris Coffin said he is not aware of any formal guidelines as long as the terms of use are followed. Kurt wondered whether we need to state somewhere that the authoritative source for the originally formatted CVE master list is the MITRE CVE website, and that the data may be slightly altered when viewed from other sources.

ACTIONS:

BOARD DECISIONS: N/A

CNA Updates

DWF (Kurt Seifried)

STATUS: Working on minting some new CNAs; one of them identified some problems he had to fix. Trying to streamline the process a bit.

ISSUES/DISCUSSION: N/A

ACTIONS: N/A

MITRE (CVE Team)

STATUS: Had a few people request to become CNAs:

  • MongoDB (CNA training with them this morning)
  • ODOO (training scheduled for Friday)
  • Johnson Controls asked for more information on the general onboarding process
  • Philippines CERT
  • An open source organization was sent to DWF

DISCUSSION: N/A

ACTIONS: None

JPCERT

Status: Nothing to report.

2018 Q2 Quarterly Program Review and CNA Report Card (Chris Coffin)

DISCUSSION: Discussed general topics and covered some highlights from the 2nd quarter of 2018. The number of Reserved But Public (RBP) CVE IDs decreased by 40%. The average time to populate rose somewhat over the past quarter, but this was due to multiple CNAs populating CVE entries.

ACTIONS: Board to review at their leisure and provide comments

Open Discussion

Regarding publicly disclosed but unpopulated CVE IDs: How do we incentivize CNAs to work through their backlog? Once a CVE ID is published, we have the 24-hour rule as guidance for getting the information to MITRE. Perhaps the next time they request IDs we could require them to first provide us with information on their backlog. Rather than giving them another block of IDs, we would ask them to provide a number of items from the backlog, and we would then give them the same number of new CVE IDs (i.e., a one-for-one trade). Kurt felt this would get a very negative reaction from some CNAs, but it may be what is needed to solve the problem.

Asked Kurt to take a look at the CVE User Registry Charter: As chair of the first Automation WG project, Kurt will review the charter to see whether it meets his needs. Kurt edited the document on the Automation WG from "CVE Registry" to "CVE User Registry", which generally makes sense. He will update the document to reference it.

Would MITRE support setting up a public discussion list for the CVE User Registry? Yes, that seems reasonable.

Summary of Action Items

  • MITRE (Chris C/Jonathan) to send out an email to the Board list to initiate the CNA Rules revision process (regarding inclusion)
  • CNA Coordination group needs a chair—MITRE will begin initiating the conversations to identify a chair
  • A note to be sent to the Board regarding removal of the two previously identified non-responsive CNAs
  • Kurt to include the project charter in the CVE User Registry repository

Significant Decisions:

  • MITRE will create a message for the CNAs letting them know about the policy change in how RBP CVEs will be handled. If a CNA has any RBP CVEs that are a week or more old, they must submit the details before receiving any additional new CVE IDs for later assignment. If their RBP list is large, we can provide new CVE IDs one-for-one. In other words, for each RBP CVE they populate, we will give them one new CVE ID.
  • The two non-responsive CNAs will have their CNA status removed. These CNAs have not been active in the past 12 months and failed to respond to recent communication attempts.


Page Last Updated or Reviewed: July 31, 2018