CVE Board Meeting Notes

November 30, 2022 (9:00 am - 11:00 am EST)

*       9:00-9:05        Introduction

*       9:05-10:25      Topics

o   Working Group Updates

o   CVE Annual Report

o   CVE Summit

*       10:25-10:35    Open Discussion

*       10:35-10:55    Review of Action Items

*       10:55-11:00    Closing Remarks
New Action Items from Today's Meeting
Action Item #
New Action Item
Responsible Party
Reach out to and Library of Congress to explore the possibility of 
using them for archival of old CVE references.

Send request to Working Group chairs to prepare a list of their 2023 priorities 
for discussion at the 12/14/22 meeting.

Prepare list of WG 2023 priorities for discussion at 12/14/22 meeting.
WG chairs
Working Group Updates

  *   Outreach and Communications Working Group (OCWG)
     *   It was mentioned that the CVE Working Group Operations Handbook 
mentions a temporary co-chair but does not provide for a permanent co-chair. 
SPWG will look into adding language to the Handbook.
     *   Other items:
        *   November 2 Workshop videos have been prepared and 
        *   The OCWG recorded a podcast on November 29 about vulnerability 
        *   Working with Red Hat, a Communications Plan was developed to help 
Red Hat communicate their new role as a Root, and address the issue of being a 
Root, potentially for competitors, and how to overcome objections.
  *   Automation Working Group (AWG)
     *   Current focus is addressing 36 CVE Services items/issues postponed to 
the completion of Soft Deployment. Six issue fixes are in the testing instance.
     *   Incremental releases will be used to deploy fixes for the 36 items. 
There will be review and approval by the Board prior to each release, and there 
may be an initial release by the end of 2022.
     *   The list of issues is available on the 
site<>. Most 
of the issues are down conversion issues.
     *   The CVE website was updated to support JSON 5.0 rendering as part of 
its lookup capability. How to render affected fields is complex and difficult, 
given some of the edge cases about how you can express affected versions. An 
updated solution may be deployed as early as the end of next week.
     *   Going forward, a big effort will be bulk download capability. 
Development is just getting started. There is a meeting scheduled on December 1 
with NIST NVD to engage with them as a major consumer of the CVE List to get 
their feedback on the requirements and to let them know about the architecture.
  *   Transition Working Group (TWG)
     *   Since the Workshop, recent activity that is front and center is to 
make sure there is a transition plan to help manage the movement of references 
from the body of the CVE structure into an ADP container.
     *   Another area is helping the CNA community that potentially want to 
replace their JSON 5 upconverted data with better data and not lose those 
  *   Strategic Planning Working Group (SPWG)
     *   Currently working on the CNA Rules update. Recent comments are being 
incorporated and progress is being made. There are topics for further 
discussion around what makes sense in the updated automated environment.
     *   The Governance document is also being worked, although it has been 
back channeled at this point until the Rules update is further along.
     *   The meeting time may be changed to accommodate additional 
participants. Members were invited to email the Chair with their preferred 
  *   CNA Coordination Working Group
     *   Last meeting discussion included JSON 4 to 5 transition. There was 
also favorable input about the CVE Services Workshop on November 2.
     *   A participant at the meeting said he has been converting and has an 
in-house Windows-based process that uses the new JSON template. The member 
committed to publishing the "how to" so others can use it as a process/model if 
they want.
     *   A question came up in the meeting about the program's responsibility 
to make sure references submitted on the day of release are still useful 5-10 
years down the line. Where should they be archived?
     *, Library of Congress, and were 
mentioned as possible candidates for the program's archival of old references.
     *   Better rules may be needed about what counts as a reference.
     *   More discussion is needed, and maybe a new Archival working group.
     *   CNACWG Chair took the action to reach out to and Library 
of Congress to explore the possibility of using them for archival of old 
CVE Annual Report

  *   Members were asked if they have available resources to help with 
design/layout. The Intel report was mentioned as a potential model. A Board 
member said that both he and another Board member have offered to help in the 
past and can look into their respective resources.
  *   Members were asked when the report should be ready for publication. There 
was no disagreement to an early February 2023 publication date. Content can 
start being generated now, and late year content can be generated in January 
  *   The report is external facing. Members were asked for their ideas about 
content/topics to include. Ideas were:
     *   Past year production and new CNAs, trend/growth over time
     *   Future program plans/areas of focus
     *   New services information
     *   Information about what the program is doing in the open-source world, 
and in the cloud world, along with interesting case studies/examples
CVE Summit

  *   Secretariat has reserved an auditorium at MITRE in McLean for March 
22-23, 2023, for the Summit, but the members were asked if anyone would prefer 
to host the event.
  *   One Board member said she is still trying to get a decision at her 
  *   Other input was favorable toward keeping it at MITRE.
  *   It was decided to revisit the topic at the next Board meeting(s); a 
decision in December is preferred.
Open Discussion

  *   A question was asked about the Board meeting schedule around the upcoming 
holidays. It was decided to have one meeting in December (on the 14th) and, at 
the December meeting, discuss the need for a meeting on January 4, 2023.
  *   A Board member asked what are the next program priorities, now that CVE 
Services 2.1 deployment is well underway? He has prepared a list of ideas on 
GitHub here<>. Feedback 
is welcome. WG Chairs were asked to prepare a list of priorities for discussion 
at the Board meeting on December 14. Art will also be prepared to present his 
ideas, if time.
Review of Action Items

  *   10.26.02: Not started. Will check with Program Coordination team.
  *   11.09.01: CVE Program Coordination team is working on identifying all 
Open Source Projects in the CNA list; once this is done, the list will be 
updated on the website.
  *   11.09.02: Need to understand the timeline for when ADP container will be 
set up, and the level of effort for short term, medium term and long term.
  *   11.09.03: To be discussed at 12/14/22 Board meeting.
Next CVE Board Meetings

*       Wednesday, December 14, 2022, 2:00pm - 4:00pm (EST)

*       Wednesday, January 4, 2023, 2:00pm - 4:00pm (EST)

*       Wednesday, January 18, 2023, 9:00am - 11:00am (EST)

*       Wednesday, February 1, 2023, 2:00pm - 4:00pm (EST)

*       Wednesday, February 15, 2023, 9:00am - 11:00am (EST)
Discussion Topics for Future Meetings

*       Program priorities for 2023 (December 14 meeting)

*       CVE scenario examples (December 14 meeting)

*       Reschedule January 4, 2023, meeting? (December 14 meeting)

*       CVE Services 2.1 deployment updates (on-going)

*       Working Group updates (every other meeting)

*       Council of Roots meeting highlights

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 

Reply via email to