CVE Board Meeting Notes
January 4, 2023 (2:00 pm - 4:00 pm EST)

Agenda

* 2:00-2:05 Introduction
* 2:05-3:25 Topics
  o Working Group Updates
  o CVE Program and Working Group Priorities for First Half of 2023
  o CNA Category Type Definitions
  o Roots Update
  o CVE Board Satisfaction Survey Results
* 3:25-3:35 Open Discussion
* 3:35-3:55 Review of Action Items
* 3:55-4:00 Closing Remarks

New Action Items from Today's Meeting

Action Item # | New Action Item | Responsible Party | Due
01.04.01 | Send email to the private Board list asking members who could not attend today's meeting whether they approve of setting a deprecation date for download formats of no later than the end of 2023. | Secretariat |
01.04.02 | Send email to the private Board list asking members to vote on whether to make the TWG a permanent working group. | Secretariat |
01.04.03 | Set up a meeting with the Board and working group chairs to discuss 2023 priorities. In communications, stress the importance of attendance and urgency. | Secretariat |
01.04.04 | Send to the Board and working group chairs the current spreadsheet of responses received so far about 2023 priorities. | Secretariat |
01.04.05 | Send out an announcement to the community that the CNACWG Liaison for 2023 has been elected. | Secretariat |

Working Group Updates

Automation Working Group (AWG)
* 2022 summary of progress/accomplishments:
  o Began transition to JSON 5 format.
  o Implemented Record Submission and Upload Service (RSUS) with CVE Services soft deploy (for early adopters and to identify any issues/bugs).
  o Developed framework for ADP Pilot requirements.
  o Developed requirements for JSON 5 bulk download capability.
  o Remaining work needed to achieve the full automation target architecture was also identified, i.e., JSON 5 CVE list bulk download capability, User Registry, and User Registry Authorization data store.
* JSON 5 is now the "format of record."
* JSON 4 will continue to be supported until a future date TBD. The date to decommission the GitHub submission pilot is also TBD.
* An overview of the transitional architecture (current state) was provided.
* CVE Services hard deploy is scheduled for Q1 2023. This will include JSON 5 bulk download capability and implementation of the remaining soft deploy bug fixes.
* There was discussion about the importance of providing adequate lead time to the community to prepare for the deprecation of JSON 4.
  o By the time hard deploy begins, the program will have a JSON 4 deprecation date that can be shared with users so they have time to adjust their operations.
  o The Board will make the final decision on a deprecation date, based on the recommendation from the Transition Working Group (TWG); the Outreach and Communications Working Group (OCWG) will support messaging to the user community.
  o All 10 Board members attending this meeting were in favor of establishing a deprecation date of "no later than the end of 2023." This was not a quorum, so an email will be sent to the Board private list asking members who could not attend to cast their vote.

CNA Coordination Working Group (CNACWG)
* In 2022, started conversations with both archive.org and the Library of Congress about archiving CVE references, and perhaps doing it automatically. That effort will continue in 2023.
* Currently working on a "how to" guide for writing a CVE submitter robot. This is intended for CNAs that do not have strong technical backgrounds.

Outreach and Communications Working Group (OCWG)
* Objectives for 2023 include: membership recruitment, regular podcasts, a quarterly CVE story blog, supporting community members speaking at industry events, and helping identify target events.
* The meeting schedule is changing to monthly to try to promote more participation.
* Website content review continues.

Strategic Planning Working Group (SPWG)
* Finished out the year working on two documents, one of which is the CNA Rules document.
* Currently identifying new content requirements, including in the area of cloud-related activities or services.
* Updates or additions to the rules about transferring IDs are also needed.
* Updates will be a focus for the next couple of months.
* CNAs will have a chance to review.
* Keeping an eye on the European Union (EU) Cyber Resilience Act (CRA) for potential impacts to the program.

Transition Working Group (TWG)
* The TWG was intended to be temporary, but the recommendation was made to make it permanent. Meetings have served as an opportunity for working group chairs to coordinate, discuss issues, and collaborate on recommendations to take to the Board.
* In the absence of a quorum, an email will be sent to the Board private list for a vote on making the TWG permanent.

CVE Program and Working Group Priorities for First Half of 2023

* A request was sent to the Board and working group chairs in December for their input on 2023 priorities. There has been limited response. A spreadsheet of the responses received so far has been started.
* In the absence of a quorum, an off-cycle meeting will be set up with the Board and working group chairs to continue this discussion. The current spreadsheet will also be distributed so everyone knows what has already been submitted.

CNA Category Type Definitions

* At the last Board meeting, some changes were approved to the list of CNA Types. At that meeting, the Board requested formal definitions for each of the Types.
* Draft definitions were developed by the Secretariat and shown at the Council of Roots meeting this morning. Input was:
  o Consider changing Bug Bounty Program to Bug Bounty Service or Provider.
  o Limited confidence in the definitions of Hosted Service and Researcher.
* The Board agreed to change:
  o Bug Bounty Program type to Bug Bounty Provider.
  o The description of Hosted Service to also include platform as a service and infrastructure as a service.
  o National and Industry CERT type to just CERT.
* A CNA may self-identify as multiple types if needed.
* Descriptions may be revised in the future; these initial descriptions are a starting point.
* The program will make updates to the existing Types on the program website, and make any modifications based on CNA feedback.

Roots Update (topics from meeting on January 4)

* Roots discussed recruiting from the Critical software list and the importance of coordination so that multiple Roots are not recruiting the same vendor.
* Roots plan to begin targeting national CERTs for recruitment.
* Priorities for 2023: one priority mentioned was to escalate the completion of the transition from the old program website to the new site. Two things that need to be done first are completing link "redirects" and completing the more robust search capability of the new site.
* CNA and Root activity metrics: one suggestion was to try to get metrics generation and reporting integrated into CVE Services, so there are not multiple environments.
* The Secretariat is working to unify internal data sets, including standardizing CNA "shortnames." The community will be informed of any impactful changes, such as updates to some Partner page URLs.

CVE Board Satisfaction Survey Results

* Thirteen (13) responses were received from Board members to a short survey.
* Most responses were positive with respect to the usefulness of Board meetings and the time, duration, and frequency of meetings. There was some feedback for consideration:
  o Meetings are often just status briefings; there are too many issues that need to be discussed.
  o Some members attend and do not participate.
  o Two hours is too long. We need to be more concise. The frequency and duration need to be driven by what needs to be addressed.
  o Alternating the meeting time between morning and afternoon is only useful if European and Asian members are taking advantage of it. It complicates member scheduling.
* The survey will be sent out quarterly.

Open Discussion

* CNA Board Liaison: The call for nominations was sent out to CNAs on December 1; the nomination period lasted through December 31, 2022. Only one person was nominated. The question was asked whether it was necessary to go through the process of holding a vote/election, given there is only one nominee. The Board members on the call voted unanimously not to hold a vote for the CNA Board Liaison position, given there is only one candidate.

Review of Action Items

Out of time.

Next CVE Board Meetings

* Wednesday, January 18, 2023, 9:00am - 11:00am (EST)
* Wednesday, February 1, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, February 15, 2023, 9:00am - 11:00am (EST)
* Wednesday, March 1, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, March 15, 2023, 9:00am - 11:00am (EDT)
* Wednesday, March 29, 2023, 2:00pm - 4:00pm (EDT)

Discussion Topics for Future Meetings

* CVE Services 2.1 and program website updates (on-going)
* Working Group updates (every other meeting, next is February 1, 2023)
* Council of Roots meeting highlights (next is February 1, 2023)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy