CVE Board Meeting Notes
August 31, 2022 (9:00 am – 11:00 am ET)
Agenda
· 9:00-9:05 Introduction
· 9:05-10:25 Topics
o Vulnerability "Rhythm Nation"
o Working Group Updates
o PSIRT SIG Technical Colloquium (September 28-29)
o CVE Board Response to the Defense Spending Bill for FY2023
o CVE Program Documentation Update
o New Root Update (Red Hat)
o Update on Outreach to Board Members
· 10:25-10:35 Open Discussion
· 10:35-10:55 Review of Action Items
· 10:55-11:00 Closing Remarks
New Action Items from Today’s Meeting
Action Item # | New Action Item | Responsible Party | Due
none
Vulnerability "Rhythm Nation"
* The MITRE CNA of Last Resort (CNA-LR) assigned an ID to a vulnerability
in laptops from 2005: playing the Rhythm Nation music video causes certain hard
drives to crash, because the audio contains a resonance frequency that makes the
drive vibrate.
* The record violates the rules for CVE Records because it does not
identify the affected product and vulnerable versions.
* The decision was made to allow two weeks for the CNA-LR to research
product and version information. If no information is found, the record will be
rejected/deleted.
Working Group Updates
· Automation Working Group
* The soft deployment will have two phases. Phase 1 is planned for the week of
October 3 and will deploy the JSON 5.0 schema into Production and deploy CVE
Services 2.1 (IDR endpoints will be available to CNAs; RSUS endpoints will be
available only to the Secretariat). Phase 2 is planned for the week of
October 24 and will make RSUS endpoints available to CNAs.
* Legacy record submission methods will continue to be supported (JSON
4.0, web form, and GitHub).
* The AWG will coordinate with the Transition Working Group (TWG) to
plan "reach out" activities to IDR users, explaining the upcoming system changes
they need to be aware of.
· Quality Working Group
* Recent work has focused on rendering. To meet the Phase 1 deployment the
week of October 3, rendering code is needed by the AWG no later than Friday,
September 2. To meet the Phase 2 deployment the week of October 24, rendering code
is needed by mid-September.
· Transition Working Group
* Recent work has focused on coordinating with AWG on CVE Services
deployment planning, as well as preparing for the upcoming CVE Services
Workshop on November 2.
· Outreach and Communications Working Group
* The Chair of the OCWG announced that, due to a significant increase in
workload, they will need to step down by the end of 2022.
* An additional resource need is for someone to assist with producing
podcasts.
* Filling the Chair role may require external recruiting. The idea was
brought up that co-chairs may be helpful – e.g., one for technical matters and
another for administrative matters.
· Strategic Planning Working Group
* Recurring meetings of the SPWG are planned to restart September 14.
Initial areas of focus will be the CNA Operational Rules update and the CVE
Program Governance and Organization document.
PSIRT SIG Technical Colloquium
* A proposal to present a talk at the September 28/29 event was submitted
for consideration. The talk would be about the modernization and future
direction of the CVE Program.
* PSIRT organizers are still reviewing proposals and a response has not
been received yet.
CVE Board Response to the Defense Spending Bill for FY2023
* The House passed a defense spending bill that states software containing
any known CVEs cannot be sold to the DoD. The bill is now with the Senate. The
language is thought to be unrealistic and unworkable.
* The Board agreed to draft a response to the bill and submit it to the
Senate, in hopes of influencing the final text by providing suggested
clarification.
* When complete, the response will be submitted on behalf of the Board as
an entity, not as individual members. Board members may choose to abstain from
the approval process, e.g., if they work for the government.
* The initial draft will be prepared and distributed to the Board using the
list. This needs to happen quickly, given where the bill is in its process.
CVE Program Documentation Update (Dave Morse)
· The CVE Working Group Operations Handbook v1.0, approved at the Board
meeting on August 17, was posted to the CVE website. It was also distributed to
the Board and the Working Groups.
· The CVE Governance and Organization document and the CNA Operational
Rules update will be the initial focus areas when the SPWG restarts on September
14.
New Root Update (Red Hat)
* Red Hat is expected to be announced as a new Root the week of September 5.
* Their scope is Red Hat products and the open source products/projects that
choose to be under the Red Hat hierarchy.
Update on Outreach to Board Members
* One Board member resigned after being contacted to discuss participation.
* The question will be asked of the Board, using the list, whether the
member who resigned should be listed as an emeritus member or a past
contributor.
* Two Board member candidates have been contacted to gauge their interest
in joining.
Open Discussion
* Out of time
Review of Action Items
· Out of time
Next CVE Board Meetings
· Wednesday, September 14, 2022, 2:00pm – 4:00pm (ET)
· Wednesday, September 28, 2022, 9:00am – 11:00am (ET)
· Wednesday, October 12, 2022, 2:00pm – 4:00pm (ET)
· Wednesday, October 26, 2022, 9:00am – 11:00am (ET)
· Wednesday, November 9, 2022, 2:00pm – 4:00pm (ET)
Discussion Topics for Future Meetings
· CVE Services 2.1 and CVE Program website transition updates (on-going)
· Summit planning updates
· Working Group updates, every other meeting (next scheduled for
September 28)
· Council of Roots meeting highlights (on-going)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Initiate Board vote for a proposed solution to allow CNAs to assign
IDs for insecure default configuration (from closed action item 03.03.02)
· Resolution on the breakout thread about the year notation in CVE IDs
(Tod B) (in-progress)