CVE Board Meeting Notes December 14, 2022 (2:00 pm – 4:00 pm EST) Agenda
· 2:00-2:05 Introduction · 2:05-3:25 Topics o CVE Program Summit Date o CNA Type Label Wording: Vendor, Open Source Project, Consortium o Adding .csv Format for Downloads o CVE Program and WG Priorities for First Half of 2023 o Playbook: Examples of Interesting CVE Scenarios · 3:25-3:35 Open Discussion · 3:35-3:55 Review of Action Items · 3:55-4:00 Closing Remarks New Action Items from December 14 Meeting Action Item # New Action Item Responsible Party Due 12.14.01 Develop definitions for the CNA Types for presentation to the Board, prior to making available to CNAs. Secretariat 12.14.02 Send request to all WG chairs (and other Board members) asking for input on 2023 priorities from their perspective. Secretariat 12/16/22 CVE Program Summit Date * Discussion continued from the last Board meeting about the date and location of the Summit in early 2023. * MITRE has reserved an auditorium for the event at its campus in McLean, VA, for March 22-23, 2023. The auditorium is outside of the security perimeter which will make access more convenient for visitors. There will also be an option for people to attend virtually. * Proof of COVID vaccination is required for visitors to enter MITRE facilities. A picture of the vaccination card will suffice. This information will be included in future communications. CNA Type Label Wording: Vendor, Open Source Project, Consortium * The program has labels for different CNA types. The following changes were adopted: * "Vendors and Projects" becomes "Vendor" (singular) * "Open Source Project" becomes "Open Source" * Added "Consortium" * "Vulnerability Researchers" becomes "Researcher" (singular) * Definitions will be developed for each of the CNA types and shared with the Board prior to making available to CNAs. * CNAs will be asked to review their label/type, and the label selection decision is theirs. They may select more than one type as appropriate. Adding .csv Format for Downloads * Losing the capability to download CVE Record data in .csv format is problematic for many consumers of CVE data. The Board previously decided to make downloads available in JSON 5 format only. Should .csv format be continued? * The current .csv format has 7 fields, only 4 of which are still used by the program. * There was agreement to keep the .csv format download capability for a temporary period as users continue to adjust to JSON 5. * The current format will stay the same, with explanatory note(s) added about the fields that are no longer used, and to point users to JSON 5 format for more enriched data. * The note about the unused fields will be incorporated in a way that avoids breaking anything in the user download experience. * A request for a JSON 5 to .csv format converter will be taken to the Automation Working Group (AWG), but there was Board agreement that other AWG priorities, e.g., user registry, ADP pilot should be addressed first. A converter will be available prior to discontinuing .csv download capability. CVE Program and WG Priorities for the First Half of 2023 * A request to WG chairs and other Board members will be sent this week asking for input on program priorities for next year. * Input is due in time to have a discussion at the next Board meeting on January 4, 2023. A reminder will be sent the last week of December. Playbook: Examples of Interesting CVE Scenarios * There was a meeting earlier on December 14 with two Board members and other external (to CVE) participants. * The external participants expressed that they were not happy about the rules for cloud vulnerabilities. There have been concerns about what are good practices for dealing effectively with vulnerabilities in a cloud environment. They want more transparency around where the line is for a cloud provider to assign or not assign a CVE. * The current rules are generic in how the program defines and addresses vulnerabilities, including for cloud vulnerabilities. More targeted rules or program guidance are needed to help the community identify a vulnerability in different environments, e.g., by using a decision tree. * The Board was asked what they thought the role of the CNA of Last Resort is, in the context of assigning CVEs for cloud vulnerabilities. There was no disagreement to waiting for updated rules/guidelines for vulnerability assignment before answering this. Open Discussion Out of time. Review of Action Items Out of time. Next CVE Board Meetings · Wednesday, January 4, 2023, 2:00pm – 4:00pm (EST) · Wednesday, January 18, 2023, 9:00am – 11:00am (EST) · Wednesday, February 1, 2023, 2:00pm – 4:00pm (EST) · Wednesday, February 15, 2023, 9:00am – 11:00am (EST) · Wednesday, March 1, 2023, 2:00pm – 4:00pm (EST) · Wednesday, March 15, 2023, 9:00am – 11:00am (EDT) Discussion Topics for Future Meetings · CVE Services 2.1 and program website updates (on-going) · Working Group updates (every other meeting, next is January 4, 2023) · Council of Roots meeting highlights (next is January 4, 2023) · Researcher Working Group proposal for Board review · Vision Paper and Annual Report · Secretariat review of all CNA scope statements · Proposed vote to allow CNAs to assign for insecure default configurations · CVE Communications Strategy