CVE Board Meeting Notes
August 31, 2022 (9:00 am – 11:00 am ET)

Agenda
· 9:00-9:05 Introduction
· 9:05-10:25 Topics
  o Vulnerability "Rhythm Nation"
  o Working Group Updates
  o PSIRT SIG Technical Colloquium (September 28-29)
  o CVE Board Response to the Defense Spending Bill for FY2023
  o CVE Program Documentation Update
  o New Root Update (Red Hat)
  o Update on Outreach to Board Members
· 10:25-10:35 Open Discussion
· 10:35-10:55 Review of Action Items
· 10:55-11:00 Closing Remarks

New Action Items from Today's Meeting
Action Item # | New Action Item | Responsible Party | Due
(none)

Vulnerability "Rhythm Nation"
* The MITRE CNA of Last Resort (CNA-LR) assigned an ID to a vulnerability in laptops from 2005: playing the "Rhythm Nation" music video crashes certain hard drives, because the audio's resonance frequency makes the drive vibrate.
* The record violates the rules for CVE Records because it does not identify the product and the vulnerable versions.
* The decision was made to allow two weeks for the CNA-LR to research product and version information. If no information is found, the record will be rejected/deleted.

Working Group Updates
· Automation Working Group
  * The soft deploy will have two phases. Phase 1 is planned for the week of October 3 and will deploy the JSON 5.0 schema into Production and deploy CVE Services 2.1 (IDR endpoints will be available to CNAs; RSUS endpoints will be available only to the Secretariat). Phase 2 is planned for the week of October 24 and will make the RSUS endpoints available to CNAs.
  * Legacy record submission methods will continue to be supported (JSON 4.0, web form, and GitHub).
  * The AWG will coordinate with the Transition Working Group (TWG) to plan "reach out" activities to IDR users to explain the upcoming system changes they need to be aware of.
· Quality Working Group
  * Recent work has focused on rendering. To meet the Phase 1 deployment the week of October 3, rendering code is needed by the AWG no later than Friday, September 2. To meet the Phase 2 deployment the week of October 24, rendering code is needed by mid-September.
· Transition Working Group
  * Recent work has focused on coordinating with the AWG on CVE Services deployment planning, as well as preparing for the upcoming CVE Services Workshop on November 2.
· Outreach and Communications Working Group
  * The Chair of the OCWG announced that, due to a significant increase in workload, they will need to step down by the end of 2022.
  * An additional resource need is someone to assist with producing podcasts.
  * Filling the Chair role may require external recruiting. The idea was brought up that co-chairs may be helpful, e.g., one for technical matters and another for administrative matters.
· Strategic Planning Working Group
  * Recurring meetings of the SPWG are planned to restart September 14. Initial areas of focus will be the CNA Operational Rules update and the CVE Program Governance and Organization document.

PSIRT SIG Technical Colloquium
* A proposal to present a talk at the September 28/29 event was submitted for consideration. The talk would be about the modernization and future direction of the CVE Program.
* The PSIRT organizers are still reviewing proposals, and a response has not been received yet.

CVE Board Response to the Defense Spending Bill for FY2023
* The House passed a defense spending bill stating that software with any known CVEs in it cannot be sold to the DoD. The bill is now with the Senate. The language is thought to be unrealistic and unworkable.
* The Board agreed to draft a response to the bill and submit it to the Senate, in hopes of influencing the final text by providing suggested clarification.
* When complete, the response will be submitted on behalf of the Board as an entity, not as individual members. Board members may choose to abstain from the approval process, e.g., if they work for the government.
* The initial draft will be prepared and distributed to the Board using the list. This needs to happen quickly, given where the bill is in its process.

CVE Program Documentation Update (Dave Morse)
· The CVE Working Group Operations Handbook v1.0, approved at the Board meeting on August 17, was posted to the CVE website. It was also distributed to the Board and the Working Groups.
· The CVE Governance and Organization document and the CNA Operational Rules update will be the initial focus areas for the SPWG start-up on September 14.

New Root Update (Red Hat)
* Red Hat is expected to be announced as a new Root the week of September 5.
* Their scope is Red Hat products and open source products/projects that choose to be under the Red Hat hierarchy.

Update on Outreach to Board Members
* One Board member resigned after being contacted to discuss participation.
* The question will be asked of the Board, using the list, whether the member who resigned should be listed as an emeritus member or a past contributor.
* Two Board member candidates have been contacted to gauge their interest in joining.

Open Discussion
* Out of time

Review of Action Items
· Out of time

Next CVE Board Meetings
· Wednesday, September 14, 2022, 2:00pm – 4:00pm (ET)
· Wednesday, September 28, 2022, 9:00am – 11:00am (ET)
· Wednesday, October 12, 2022, 2:00pm – 4:00pm (ET)
· Wednesday, October 26, 2022, 9:00am – 11:00am (ET)
· Wednesday, November 9, 2022, 2:00pm – 4:00pm (ET)

Discussion Topics for Future Meetings
· CVE Services 2.1 and CVE Program website transition updates (on-going)
· Summit planning updates
· Working Group updates, every other meeting (next scheduled for September 28)
· Council of Roots meeting highlights (on-going)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Initiate Board vote for a proposed solution to allow CNAs to assign IDs for insecure default configuration (from closed action item 03.03.02)
· Resolution on the breakout thread about the year notation in CVE IDs (Tod B) (in-progress)