CVE Board Meeting Notes
October 12, 2022 (2:00 pm - 4:00 pm ET)

Agenda
* 2:00-2:05 Introduction
* 2:05-3:25 Topics
  o CVE Services 2.1 Soft Deploy Update
  o Council of Roots Update
  o Inactive Board Member Update
  o Update on Workshop Planning
* 3:25-3:35 Open Discussion
* 3:35-3:55 Review of Action Items
* 3:55-4:00 Closing Remarks

New Action Items from October 12 Meeting

Action Item #  New Action Item                                                          Responsible Party  Due
10.12.01       Related to AI 09.28.03. Send a 30-minute meeting follow-up invitation    Secretariat
               to members for additional discussion with the Board member candidate.
10.12.02       Coordinate with NIST to resolve the issue with NVD.                       AWG Chair          10/26/22

CVE Services 2.1 Soft Deploy Update
* The recommendation to start soft deployment was made to the Board and approved on September 28. Soft Deployment Phase 1 started October 3 and Phase 2 is scheduled to start the week of October 24.
* Phase 1 completed October 6.
  o It included conversion of CVE JSON 4.0 historical data to JSON 5.0, deployment of the 5.0-compliant ID reservation subsystem, and deployment of RSUS interfaces for the Secretariat.
* The JSON 4.0 format will continue to be supported for the foreseeable future.
* The Secretariat and the MITRE CNA of Last Resort are using the newly deployed feature set successfully for production.
* Between Deployment Phases (October 7 - October 24):
  o Reserving IDs: web form and GitHub will work as usual.
  o Submitting records: must be done in JSON 4 format using the web form or the GitHub pilot. Submitting JSON 5 records is not possible.
  o Viewing records: JSON 4 records can be viewed on GitHub, and the CVE Record repository can be downloaded at www.cve.org/downloads. Rendering of upconverted JSON 5 records can be viewed at www.cve.org.
* Phase 2 will provide CVE Services 2.1 and RSUS interfaces to the broader community, but only for JSON 5 CVEs.
  o A prep message will be sent to the community October 18.
  o GitHub and the web form cannot process JSON 5 CVEs.
* The phase-out of JSON 4 support is to be determined and is a Board decision.
* A potential issue with data ingests by the NVD was brought up.
  o It is thought that the NVD may have a limit for the "description" field of the CVE Record, which is currently 4000 characters; however, the new JSON 5.0 schema's maximum is 4096 characters.
  o It was concluded that the CVE Program does not have the issue here, since the working groups had socialized the new schema for some time now.
  o The Board asked that the Secretariat reach out to the NVD to inform and discuss.
* A question about whether the web form will mature to support JSON 5.0 is a topic for the MITRE CNA of Last Resort.
* No additional Board approval is needed to proceed with Phase 2. Stay with October 24.

Council of Roots Update
* CNA candidate pipeline status was presented.
* An overview of CVE Services 2.1 deployment status was given and included links to the new API documentation.
* There was discussion about a CNA publishing a CVE Record for a vulnerability that falls under another CNA's scope because the two have made an arrangement beforehand. This can lead to confusion in the community and questions to the Secretariat that take time to track down. The consensus was that this needs to be made public, but no decision was made on how best to do that. This is different from the situation where a Root has a new CNA that needs help publishing a record and the Root does it for them. In that case, an email trail of the agreement would be sufficient, for example.
* Discussion about the CVE Services 2.1 workshop on November 2 included topics to be presented and the status of briefing materials. Roots were encouraged to send ideas for topics to the Secretariat. The invitation to the workshop was sent to the CNA discussion list. It included a link to a survey to offer topic suggestions or ask questions they would like answered.
Inactive Board Member Update
* Since the last Board meeting, the remaining two inactive members responded by email. They expressed an intention to participate but have questions/issues that have been passed on to current active Board members for follow-up.

Update on Workshop Planning
* Invitations have been sent. Let the Secretariat know if not received.
* Presentation materials are in development, e.g., how to get an account for new services, how to use JSON 5.0.
* To date, 106 of 200 responses have been "accept."
* A member commented that time zone and language differences may limit participation for some CNAs.
* A recording will be made available, and consideration is being given to the idea of a second workshop to accommodate as many CNAs as possible.
* There was discussion about possible translation of workshop materials, and/or holding a live Q&A session.
* A member commented that maybe the program should consider adding communication translation capabilities to help non-English-speaking CNAs. The extent of the translation problem is not known and needs review to better understand how and where improvements are needed.

Review of Action Items
* 09.28.01: Status changed to Complete. Board vote on soft deploy was to proceed with October 3 start.
* 09.28.02: Status changed to Complete. Inactive members have responded; no further action is needed.
* 09.28.03: Status changed to Complete. Doodle poll sent to schedule date/time for Board candidate interview. Secretariat to send a 30-minute follow-up invitation to members for any additional discussion with the candidate.
Next CVE Board Meetings
* Wednesday, October 26, 2022, 9:00am - 11:00am (EDT)
* Wednesday, November 9, 2022, 2:00pm - 4:00pm (EST)
* Wednesday, November 23, 2022, 9:00am - 11:00am (EST)
* Wednesday, December 7, 2022, 2:00pm - 4:00pm (EST)
* Wednesday, December 21, 2022, 9:00am - 11:00am (EST)
* Wednesday, January 4, 2023, 2:00pm - 4:00pm (EST)

Discussion Topics for Future Meetings
* CVE Services 2.1 and CVE Program website transition updates (on-going)
* Summit planning updates
* Working Group updates, every other meeting
* Council of Roots meeting highlights (on-going)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Initiate Board vote for a proposed solution to allow CNAs to assign IDs for insecure default configuration (from closed action item 03.03.02)
* Resolution on the breakout thread about the year notation in CVE IDs (in-progress)
* Secretariat review of all CNA scope statements.