CVE Board Meeting Notes

November 9, 2022 (2:00 pm - 4:00 pm EST)

*       2:00-2:05        Introduction

*       2:05-3:25        Topics

o   CVE Services Workshop Post Discussion and Survey Results

o   Identify Hardware Vendors Participating in the CVE Program (compare CWE HW 
SIG membership to CNA membership and report results)

*       3:25-3:35        Open Discussion

*       3:35-3:55        Review of Action Items

*       3:55-4:00        Closing Remarks
New Action Items from Today's Meeting
Action Item #
New Action Item
Responsible Party
Under CNA Type, create a new Open-Source Project option (separate the current 
option: Vendors and Projects).

Set up a meeting to discuss prioritization of CVE Services issues, with respect 
to References.

Develop scenario examples related to CVE vulnerabilities.
Board Member
CVE Services Workshop Post Discussion and Survey Results

  *   A survey was sent to workshop participants. Response rate was low (13 out 
of all participants), but that feedback was positive, except for one 
participant who indicated a question(s) was not addressed. One participant 
commented to have more live demos.
  *   Many questions were answered during the workshop in chat and the back 
  *   The AWG will review the current FAQs to determine what should be added.
  *   The workshop chat will be reviewed to identify user information needs 
that could be addressed in a Bulletin, FAQ, or other method.
Identify Hardware Vendors Participating in the CVE Program

  *   This action item (10.26.01) purpose was to identify hardware vendors 
participating in the CVE Program and compare them with hardware vendors 
participating in the CWE Hardware SIG Group. The action has been completed, and 
results can be used to identify HW vendor candidates for CNA recruitment.
Open Discussion

  *   Distinction between Vendor CNA and Open-Source Project CNA
     *   It was recommended that the program make a distinction between a 
vendor CNA and an open-source project CNA. Currently, CNA Type combines vendors 
and projects in a single category. If a CNA is not both, then they should not 
be listed as both. There were no objections to looking into this further 
(action item).
     *   It was mentioned that a CNA may fall under both Types, which is fine.
     *   Some CNAs may fit in multiple categories, but this discussion is about 
making sure open-source project CNAs are easily identifiable.
  *   Swagger
     *   A vulnerability was identified in Swagger (the 'Try Me' feature caches 
the user's API key in the browser). It should be identified/recorded as a CVE 
and Swagger should be notified.
  *   CVE Services 2.1 Next Steps
     *   The development team is working on issues identified during Soft 
Deployment that need to be fixed prior to Hard Deployment. There are 36 issues 
(many related to down convert capability) and they are organized into high or 
low priority.
     *   High priority issues are listed on the site, and as fixes 
are implemented, the user community will be notified.
        *   Automating reference capabilities is one of the items on the high 
priority list.
     *   There is significant interest from the user community about when the 
ADP pilot will start. There are questions about ADP policy and rules that need 
to be addressed.
        *   More work is needed to define requirements and use case scenarios 
before a time estimate can be made.
        *   Current development team focus is on the high priority issues 
identified during Soft Deployment.
        *   There will be an off-line or out-of-cycle meeting to discuss 
whether ADP capability needs to be in place prior to Hard Deployment (i.e., add 
to hard deploy priority list).
  *   Multi-factor Authentication (MFA) to CVE Services
     *   Requirements for MFA have not been defined. With program growth, this 
will become more important, so it needs to be on the roadmap of service 
updates. It is not currently on any near-term roadmap.
  *   New Working Group Idea
     *   The idea was introduced to create a working group to develop a 
'playbook' of interesting scenarios regarding CVE, especially with respect to 
cloud vulnerabilities. This may help clarify the distinction between a 
vulnerability and an issue that is not a vulnerability.
     *   Initial scenario examples will be prepared for the next Board meeting 
(action item). This will help inform whether a new working group is needed, or 
if an existing working group can do it.
Review of Action Items

  *   10.26.01 has been completed and results were shared at today's meeting.
Next CVE Board Meetings

*       Wednesday, November 30, 2022, 9:00am - 11:00am (EST)

*       Wednesday, December 7, 2022, 2:00pm - 4:00pm (EST)

*       Wednesday, December 21, 2022, 9:00am - 11:00am (EST)

*       Wednesday, January 4, 2023, 2:00pm - 4:00pm (EST)

*       Wednesday, January 18, 2023, 9:00am - 11:00am (EST)

*       Wednesday, February 1, 2023, 2:00pm - 4:00pm (EST)
Discussion Topics for Future Meetings

*       CVE scenario examples (scheduled for November 23 meeting)

*       CVE Services 2.1 deployment updates (on-going)

*       Working Group updates (every other meeting - next scheduled for 
November 23)

*       Council of Roots meeting highlights (aligned with Council of Roots 
meeting dates)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 

Reply via email to