CVE Board Meeting Notes
November 9, 2022 (2:00 pm - 4:00 pm EST)
Agenda
* 2:00-2:05 Introduction
* 2:05-3:25 Topics
o CVE Services Workshop Post Discussion and Survey Results
o Identify Hardware Vendors Participating in the CVE Program (compare CWE HW
SIG membership to CNA membership and report results)
* 3:25-3:35 Open Discussion
* 3:35-3:55 Review of Action Items
* 3:55-4:00 Closing Remarks
New Action Items from Today's Meeting
Action Item #
New Action Item
Responsible Party
Due
11.09.01
Under CNA Type, create a new Open-Source Project option (separate the current
option: Vendors and Projects).
Secretariat
11.09.02
Set up a meeting to discuss prioritization of CVE Services issues, with respect
to References.
AWG
11.09.03
Develop scenario examples related to CVE vulnerabilities.
Board Member
11/30/22
CVE Services Workshop Post Discussion and Survey Results
* A survey was sent to workshop participants. Response rate was low (13 out
of all participants), but that feedback was positive, except for one
participant who indicated a question(s) was not addressed. One participant
commented to have more live demos.
* Many questions were answered during the workshop in chat and the back
channel.
* The AWG will review the current FAQs to determine what should be added.
* The workshop chat will be reviewed to identify user information needs
that could be addressed in a Bulletin, FAQ, or other method.
Identify Hardware Vendors Participating in the CVE Program
* This action item (10.26.01) purpose was to identify hardware vendors
participating in the CVE Program and compare them with hardware vendors
participating in the CWE Hardware SIG Group. The action has been completed, and
results can be used to identify HW vendor candidates for CNA recruitment.
Open Discussion
* Distinction between Vendor CNA and Open-Source Project CNA
* It was recommended that the program make a distinction between a
vendor CNA and an open-source project CNA. Currently, CNA Type combines vendors
and projects in a single category. If a CNA is not both, then they should not
be listed as both. There were no objections to looking into this further
(action item).
* It was mentioned that a CNA may fall under both Types, which is fine.
* Some CNAs may fit in multiple categories, but this discussion is about
making sure open-source project CNAs are easily identifiable.
* Swagger
* A vulnerability was identified in Swagger (the 'Try Me' feature caches
the user's API key in the browser). It should be identified/recorded as a CVE
and Swagger should be notified.
* CVE Services 2.1 Next Steps
* The development team is working on issues identified during Soft
Deployment that need to be fixed prior to Hard Deployment. There are 36 issues
(many related to down convert capability) and they are organized into high or
low priority.
* High priority issues are listed on the GitHub.io site, and as fixes
are implemented, the user community will be notified.
* Automating reference capabilities is one of the items on the high
priority list.
* There is significant interest from the user community about when the
ADP pilot will start. There are questions about ADP policy and rules that need
to be addressed.
* More work is needed to define requirements and use case scenarios
before a time estimate can be made.
* Current development team focus is on the high priority issues
identified during Soft Deployment.
* There will be an off-line or out-of-cycle meeting to discuss
whether ADP capability needs to be in place prior to Hard Deployment (i.e., add
to hard deploy priority list).
* Multi-factor Authentication (MFA) to CVE Services
* Requirements for MFA have not been defined. With program growth, this
will become more important, so it needs to be on the roadmap of service
updates. It is not currently on any near-term roadmap.
* New Working Group Idea
* The idea was introduced to create a working group to develop a
'playbook' of interesting scenarios regarding CVE, especially with respect to
cloud vulnerabilities. This may help clarify the distinction between a
vulnerability and an issue that is not a vulnerability.
* Initial scenario examples will be prepared for the next Board meeting
(action item). This will help inform whether a new working group is needed, or
if an existing working group can do it.
Review of Action Items
* 10.26.01 has been completed and results were shared at today's meeting.
Next CVE Board Meetings
* Wednesday, November 30, 2022, 9:00am - 11:00am (EST)
* Wednesday, December 7, 2022, 2:00pm - 4:00pm (EST)
* Wednesday, December 21, 2022, 9:00am - 11:00am (EST)
* Wednesday, January 4, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, January 18, 2023, 9:00am - 11:00am (EST)
* Wednesday, February 1, 2023, 2:00pm - 4:00pm (EST)
Discussion Topics for Future Meetings
* CVE scenario examples (scheduled for November 23 meeting)
* CVE Services 2.1 deployment updates (on-going)
* Working Group updates (every other meeting - next scheduled for
November 23)
* Council of Roots meeting highlights (aligned with Council of Roots
meeting dates)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default
configurations
