CVE Board Meeting Notes

October 12, 2022 (2:00 pm - 4:00 pm ET)

*       2:00-2:05        Introduction

*       2:05-3:25        Topics

o   CVE Services 2.1 Soft Deploy Update

o   Council of Roots Update

o   Inactive Board Member Update

o   Update on Workshop Planning

*       3:25-3:35        Open Discussion

*       3:35-3:55        Review of Action Items

*       3:55-4:00        Closing Remarks
New Action Items from October 12 Meeting

Action Item # / New Action Item / Responsible Party

*       Related to AI 09.28.03. Send a 30-minute meeting follow-up invitation to 
members for additional discussion with the Board member candidate.

*       Coordinate with NIST to resolve the issue with NVD. (Responsible Party: 
AWG Chair)
CVE Services 2.1 Soft Deploy Update

*       The recommendation to start soft deployment was made to the Board and 
approved on September 28. Soft Deployment Phase 1 started October 3 and Phase 2 
is scheduled to start the week of October 24.

*       Phase 1 completed October 6.

     *   It included conversion of CVE JSON 4.0 historical data to JSON 5.0, 
deployment of the 5.0-compliant ID reservation subsystem, and deployment of 
RSUS interfaces for the Secretariat.
     *   The JSON 4.0 format will continue to be supported for the foreseeable 
     *   The Secretariat and the MITRE CNA of Last Resort are using the newly 
deployed feature set successfully in production.

*       Between Deployment Phases (October 7 - October 24):

     *   Reserving IDs: the web form and GitHub will work as usual.
     *   Submitting records: must be done in JSON 4 format using the web form or 
the GitHub pilot. Submitting JSON 5 records is not possible.
     *   Viewing records: JSON 4 records can be viewed on GitHub, and the CVE 
Record repository can be downloaded at <>. Rendering of upconverted 
JSON 5 records can be viewed at <>.

*       Phase 2 will provide CVE Services 2.1 and RSUS interfaces to the 
broader community, but only for JSON 5 CVEs.

     *   A prep message will be sent to the community October 18.
     *   GitHub and the web form cannot process JSON 5 CVEs.
     *   The phase-out of JSON 4 support is to be determined and is a Board 

*       A potential issue with data ingests by the NVD was brought up.

     *   It is thought that the NVD may have a limit for the "description" 
field of the CVE Record, which is currently 4000 characters; however, the new 
JSON 5.0 schema's maximum is 4096 characters.
     *   It was concluded that the CVE Program does not have the issue here, 
since the working groups had socialized the new schema for some time now.
     *   The Board asked that the Secretariat reach out to the NVD to inform 
and discuss.

*       A question about whether the web form will mature to support JSON 5.0 
is a topic for the MITRE CNA of Last Resort.

*       No additional Board approval is needed to proceed with Phase 2. Stay with 
October 24.
Council of Roots Update

*       CNA candidate pipeline status was presented.

*       An overview of CVE Services 2.1 deployment status was given and 
included links to the new API documentation.

*       There was discussion about a CNA publishing a CVE Record for a 
vulnerability that falls under another CNA's scope because the two have made an 
arrangement beforehand. This can lead to confusion in the community and 
questions to the Secretariat that take time to track down. The consensus was 
that this needs to be made public, but no decision was made how best to do 
that. This is different from the situation where a Root has a new CNA that 
needs help publishing a record and the Root does it for them. In this case, an 
email trail of the agreement would be sufficient, for example.

*       Discussion about the CVE Services 2.1 workshop on November 2 included 
topics to be presented and the status of briefing materials. Roots were 
encouraged to send ideas for topics to the Secretariat. The invitation to the 
workshop was sent to the CNA discussion list. It included a link to a survey 
where recipients can offer topic suggestions or ask questions they would like 
answered.
Inactive Board Member Update

*       Since the last Board meeting, the remaining two inactive members 
responded by email. They expressed an intention to participate but have 
questions/issues that have been passed on to current active Board members for 
follow-up.

Update on Workshop Planning

*       Invitations have been sent. Let the Secretariat know if not received.

*       Presentation materials are in development, e.g., how to get an account 
for the new services, how to use JSON 5.0.

*       To date, 106 of 200 responses have been "accept."

*       A member commented that time zone and language differences may limit 
participation for some CNAs.

     *   A recording will be made available, and consideration is being given 
to the idea of a second workshop to accommodate as many CNAs as possible.
     *   There was discussion about possible translation of workshop materials 
and/or holding a live Q&A session.
     *   A member commented that maybe the program should consider adding 
communication translation capabilities to help non-English-speaking CNAs. The 
extent of the translation problem is not known and needs review to better 
understand how and where improvements are needed.
Review of Action Items

*       09.28.01: Status changed to Complete. Board vote on soft deploy was to 
proceed with October 3 start.

*       09.28.02: Status changed to Complete. Inactive members have responded; no 
further action is needed.

*       09.28.03: Status changed to Complete. Doodle poll sent to schedule 
date/time for Board candidate interview. Secretariat to send a 30-minute 
follow-up invitation to members for any additional discussion with the 
Next CVE Board Meetings

*       Wednesday, October 26, 2022, 9:00am - 11:00am (EDT)

*       Wednesday, November 9, 2022, 2:00pm - 4:00pm (EST)

*       Wednesday, November 23, 2022, 9:00am - 11:00am (EST)

*       Wednesday, December 7, 2022, 2:00pm - 4:00pm (EST)

*       Wednesday, December 21, 2022, 9:00am - 11:00am (EST)

*       Wednesday, January 4, 2023, 2:00pm - 4:00pm (EST)
Discussion Topics for Future Meetings

*       CVE Services 2.1 and CVE Program website transition updates (on-going)

*       Summit planning updates

*       Working Group updates, every other meeting

*       Council of Roots meeting highlights (on-going)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Initiate Board vote for a proposed solution to allow CNAs to assign IDs 
for insecure default configuration (from closed action item 03.03.02)

*       Resolution on the breakout thread about the year notation in CVE IDs 

*       Secretariat review of all CNA scope statements.
