CVE Board Meeting Notes

August 31, 2022 (9:00 am – 11:00 am ET)
Agenda

· 9:00-9:05 Introduction

· 9:05-10:25 Topics

o Vulnerability "Rhythm Nation"

o Working Group Updates

o PSIRT SIG Technical Colloquium (September 28-29)

o CVE Board Response to the Defense Spending Bill for FY2023

o CVE Program Documentation Update

o New Root Update (Red Hat)

o Update on Outreach to Board Members

· 10:25-10:35 Open Discussion

· 10:35-10:55 Review of Action Items

· 10:55-11:00 Closing Remarks
New Action Items from Today's Meeting

Action Item # | New Action Item | Responsible Party | Due
--------------|-----------------|-------------------|----
none          |                 |                   |

Vulnerability "Rhythm Nation"

  *   The MITRE CNA of Last Resort (CNA-LR) assigned an ID to a vulnerability 
in laptops from 2005: playing the Rhythm Nation video causes certain hard 
drives to crash, because the audio hits the drives' resonance frequency and 
induces vibration in the drive.
  *   The record violates the rules for CVE Records because it does not 
identify the affected product and the vulnerable versions.
  *   The decision was made to allow the CNA-LR two weeks to research product 
and version information. If no information is found, the record will be 
rejected/deleted.
Working Group Updates

· Automation Working Group

     *   Soft deploy will have two phases. Phase 1 is planned for the week of 
October 3 and will deploy the JSON 5.0 schema into Production and deploy CVE 
Services 2.1 (IDR endpoints will be available to CNAs, and RSUS endpoints will 
be available only to the Secretariat). Phase 2 is planned for the week of 
October 24 and will make RSUS endpoints available to CNAs.
     *   Legacy record submission methods will continue to be supported (JSON 
4.0, web form, and GitHub).
     *   The AWG will coordinate with the Transition Working Group (TWG) to 
plan "reach out" activities to IDR users to explain upcoming system changes 
they need to be aware of.

· Quality Working Group

     *   Recent work has focused on rendering. To meet the Phase 1 deployment 
the week of October 3, rendering code is needed by the AWG no later than 
Friday, September 2. To meet the Phase 2 deployment the week of October 24, 
rendering code is needed by mid-September.

· Transition Working Group

     *   Recent work has focused on coordinating with the AWG on CVE Services 
deployment planning, as well as preparing for the upcoming CVE Services 
Workshop on November 2.

· Outreach and Communications Working Group

     *   The Chair of the OCWG announced that, due to a significant increase in 
workload, they will need to step down by the end of 2022.
     *   An additional resource need is someone to assist with producing 
podcasts.
     *   Filling the Chair role may require external recruiting. The idea was 
raised that co-chairs may be helpful, e.g., one for technical matters and 
another for administrative matters.

· Strategic Planning Working Group

     *   Recurring meetings of the SPWG are planned to restart September 14. 
Initial areas of focus will be the CNA Operational Rules update and the CVE 
Program Governance and Organization document.
PSIRT SIG Technical Colloquium

  *   A proposal to present a talk at the September 28/29 event was submitted 
for consideration. The talk would cover the modernization and future 
direction of the CVE Program.
  *   The PSIRT organizers are still reviewing proposals, and a response has 
not been received yet.
CVE Board Response to the Defense Spending Bill for FY2023

  *   The House passed a defense spending bill that would prohibit selling 
software to the DoD if it contains any known CVEs. The bill is now with the 
Senate. The language is thought to be unrealistic and unworkable.
  *   The Board agreed to draft a response to the bill and submit it to the 
Senate, in the hope of influencing the final text by providing suggested 
clarifications.
  *   When complete, the response will be submitted on behalf of the Board as 
an entity, not as individual members. Board members may choose to abstain from 
the approval process, e.g., if they work for the government.
  *   The initial draft will be prepared and distributed to the Board using the 
list. This needs to happen quickly, given where the bill is in its process.
CVE Program Documentation Update (Dave Morse)

· The CVE Working Group Operations Handbook v1.0, approved at the Board 
meeting on August 17, was posted to the CVE website. It was also distributed to 
the Board and the Working Groups.

· The CVE Governance and Organization document and the CNA Operational Rules 
update will be the initial focus areas for the SPWG start-up on September 14.
New Root Update (Red Hat)

  *   Red Hat is expected to be announced as a new Root the week of September 5.
  *   Their scope is Red Hat products and the open source products/projects that 
choose to be under the Red Hat hierarchy.
Update on Outreach to Board Members

  *   One Board member resigned after being contacted to discuss participation.
  *   The question will be asked of the Board, using the list, whether the 
member who resigned should be listed as an emeritus member or a past 
contributor.
  *   Two Board member candidates have been contacted to gauge their interest 
in joining.
Open Discussion

  *   Out of time
Review of Action Items

· Out of time
Next CVE Board Meetings

· Wednesday, September 14, 2022, 2:00pm – 4:00pm (ET)

· Wednesday, September 28, 2022, 9:00am – 11:00am (ET)

· Wednesday, October 12, 2022, 2:00pm – 4:00pm (ET)

· Wednesday, October 26, 2022, 9:00am – 11:00am (ET)

· Wednesday, November 9, 2022, 2:00pm – 4:00pm (ET)
Discussion Topics for Future Meetings

· CVE Services 2.1 and CVE Program website transition updates (ongoing)

· Summit planning updates

· Working Group updates, every other meeting (next scheduled for September 28)

· Council of Roots meeting highlights (ongoing)

· Researcher Working Group proposal for Board review

· Vision Paper and Annual Report

· Initiate Board vote for a proposed solution to allow CNAs to assign IDs for 
insecure default configuration (from closed action item 03.03.02)

· Resolution on the breakout thread about the year notation in CVE IDs 
(Tod B) (in progress)