Agenda for the CVSS SIG meeting 11/16/2005 Meeting:
This meeting was held on Wednesday, November 16, 2005
Conference Call
Attending: Pete Mill, Luann Johnson, Andrew, Mike Caudill, Jerry Bongard, Sasha Romanosky, Barry Brook, Mike Scheck, Gavin Reid, Robin Sterzer
Agenda:
1) Roll call
2) Report status on action items from previous meeting on, 10/18/2005:
   a. Gavin - Make a formal request to have mailer archived
   b. Catherine/Anton/Mike Scheck - Own Best Practices documentation draft to team prior to next team meeting
   c. Catherine - Add Mike Scheck to Best Practices documentation meetings
   d. Pete/Anton/Gerhard - Collaborate on sharing the scores within vendors - They will set up a meeting for next week to discuss this further. The meeting has not happened. Anton will take this action item. This is specific to vendors.
   e. Gavin - Send team the verbiage for "levels/type of actions" to be taken by the team for agreement and adoption - Mike and Gavin are working on this. The draft has been sent but did not include CVSS score. They will send the document out when it is completed.
   f. Mike C. - Provide comments and feedback to the team from his meeting with Microsoft
   g. Catherine - Confirm that Bryan Banta is available to tabulate the scores. Bryan has written the front-end to save the scores. There are still some things missing. A meeting will need to be scheduled to gather the requirements. Gavin has someone who can enter the data.
   h. Gavin - Follow up on date, time and topic for In-person meeting at FIRST TC on November 14-15th in Redwood City, CA - Many are unable to attend in person. Should we have the meeting in person? Gavin will send an email to the mailer to see who can attend
   i. Mike S. - Have a friend working on a CVSS Logo
3) CVSS Structure, Strategy and Process:
   a. Methodology for incorporating feedback into CVSS
   b. Scoring:
      - None (just send packets; connect to 80/tcp, etc)
      - Registered (register for forum, authentication to service, no identity verification)
      - Authenticated (intended to have credentials - sysadmin created them)
   c. Scoring Comparison
   d. Scoring Examples - Adding additional examples; who do we get to add them in
   e. Testing (was scheduled to end on November 4th)
4) Administrative:
   a. Status on groups sharing scoring vulnerabilities
   b. CVSS v1.x documentation status update and proposed changes
   c. CVSS Logo - Do we adopt?
   d. National Vulnerability Database CVSS Support
5) Roundtable: Updates/Needs/Questions
Discussion:
1) Roll call
2) Report status on action items from previous meeting on, 10/18/2005:
   a. Gavin - Make a formal request to have mailer archived - Gavin followed up on the request. Mike C. indicates that the mailing lists are being archived, but do not have a way that they can be searched. He is looking into a way to do this.
   b. Catherine/Anton/Mike Scheck - Own Best Practices documentation draft to team prior to next team meeting - The document is becoming critical. Gavin recommends we give this action item to someone else. He will send an email out looking for volunteers (action item)
   c. Catherine - Add Mike Scheck to Best Practices documentation meetings - N/A
   d. Pete/Anton/Gerhard - Collaborate on sharing the scores within vendors - They will set up a meeting for next week to discuss this further. The meeting has not happened. Anton will take this action item. This is specific to vendors. No Updates (remove)
   e. Gavin - Send team the verbiage for "levels/type of actions" to be taken by the team for agreement and adoption - Mike and Gavin are working on this. The draft has been sent but did not include CVSS score. They will send the document out when it is completed. Mike Scheck wrote up a document that includes the levels/type of actions along with CVSS scoring. Gavin has proofed the document to remove any company specific references and sent it out to the team. Gavin will have it published on FIRST (action item)
   f. Mike C. - Provide comments and feedback to the team from his meeting with Microsoft - Mike C provided an update regarding his meeting with Microsoft. Microsoft is going to start to participate with the team. Also they are going to collect comments and provide to us. Microsoft has concerns about adding the CVSS scores to their advisories. They need to be added to the mailer. Mike will provide the email addresses.
   g. Catherine - Confirm that Bryan Banta is available to tabulate the scores. Bryan has written the front-end to save the scores. There are still some things missing. A meeting will need to be scheduled to gather the requirements. Gavin has someone who can enter the data. No update
   h. Gavin - Follow up on date, time and topic for In-person meeting at FIRST TC on November 14-15th in Redwood City, CA - Many are unable to attend in person. Should we have the meeting in person? Gavin will send an email to the mailer to see who can attend - In person meeting cancelled.
   i. Mike S. - Have a friend working on a CVSS Logo - The logo is okay. The colors seemed to be washed out and maybe something can be done with CVSS by using fonts. Team agreed that it should be worked on more.
3) CVSS Structure, Strategy and Process:
   a. Methodology for incorporating feedback into CVSS
      - Capture the energy of this group with weekly or bi-weekly change proposals. Lead time for the proposed change and implementation to be two weeks. Is this enough time to look at the proposal and agree?
      - Hesitant to change any scoring. Keep the past vulnerabilities scored to the CVSS it is based on. The scoring has been working out.
      - Adopt a new way of tracking changes. Work out a structure to be published. Use a real example
      - Team to look over the email Andrew sent on this subject
   b. Scoring:
      - None (just send packets; connect to 80/tcp, etc)
      - Registered (register for forum, authentication to service, no identity verification)
      - Authenticated (intended to have credentials - sysadmin created them)
      i. Pete made a request when doing manual scoring to do a comparison with the scores done by NIST.
      ii. We are not doing the scoring on a regular basis. Recommend changing it from 5 a week to 1 a week.
      iii. Pete will send one from the NIST list a week.
      iv. Team to score the one vulnerability. If any issues encountered with the scoring; document and explain the issue to be discussed by team
   c. Scoring Comparison - See 3b
   d. Scoring Examples - Adding additional examples; who do we get to add them in - See 3b
   e. Testing (was scheduled to end on November 4th) - Testing will continue until the team feels enough information has been gathered.
4) Administrative:
   a. Status on groups sharing scoring vulnerabilities - No updates
   b. CVSS v1.x documentation status update and proposed changes - No Updates
   c. CVSS Logo - Do we adopt? See 2i
   d. National Vulnerability Database CVSS Support - Would like to go public with this after Thanksgiving Holiday. Gavin will help Pete with the press announcement. Gavin will also do checks on the scores and provide feedback.
5) Roundtable: Updates/Needs/Questions
Action Items:
1) Mike C - Look into search capabilities on the Mailer
2) Gavin - Send email to get a volunteer for the "Own Best Practices documentation"
3) Gavin - Publish "levels/type of actions" document to FIRST site.
4) Mike C. - Provide email addresses for Microsoft to be added to mailer.
5) Catherine - Confirm that Bryan Banta is available to tabulate the scores. Bryan has written the front-end to save the scores. There are still some things missing. A meeting will need to be scheduled to gather the requirements. Gavin has someone who can enter the data.
6) Mike S./Team - Continue work on a CVSS Logo
7) Gavin/Andrew - Methodology for incorporating feedback into CVSS (adopt new way to track changes)
8) Pete - Send one vulnerability a week to team to be scored
9) Gavin/Pete - Work on press announcement
10) Gavin - Do checks NIST scoring and provide feedback to Pete