CVE Board Meeting Notes

January 4, 2023 (2:00 pm - 4:00 pm EST)

*       2:00-2:05        Introduction

*       2:05-3:25        Topics

o   Working Group Updates

o   CVE Program and Working Group Priorities for First Half of 2023

o   CNA Category Type Definitions

o   Roots Update

o   CVE Board Satisfaction Survey Results

*       3:25-3:35        Open Discussion

*       3:35-3:55        Review of Action Items

*       3:55-4:00        Closing Remarks
New Action Items from Today's Meeting
Action Item #
New Action Item
Responsible Party
Send email to the private Board list asking members who could not attend 
today's meeting whether they approve of setting a deprecation date for download 
formats of no later than the end of 2023.

Send email to the private Board list asking members to vote on whether to make 
the TWG a permanent working group.

Set up a meeting with the Board and working group chairs to discuss 2023 
priorities. In communications, stress the importance of attendance and urgency.

Send to the Board and working group chairs the current spreadsheet of responses 
received so far about 2023 priorities.

Send out an announcement to the community that the CNACWG Liaison for 2023 has 
been elected.

Working Group Updates

  *   Automation Working Group (AWG)
     *   2022 summary of progress/accomplishments:
        *   Began transition to JSON 5 format.
        *   Implemented Record Submission and Upload Service (RSUS) with CVE 
Services soft deploy (for early adopters and to identify any issues/bugs).
        *   Developed framework for ADP Pilot requirements.
        *   Developed requirements for JSON 5 bulk download capability.
     *   Remaining work needed to achieve the full automation target 
architecture was also identified, i.e., JSON 5 CVE list bulk download 
capability, User Registry and User Registry Authorization data store.
     *   JSON 5 is now the "format of record."
     *   JSON 4 will continue to be supported until a future date TBD. The date 
to decommission the GitHub submission pilot is also TBD.
     *   An overview of the transitional architecture (current state) was 
     *   CVE Services hard deploy is scheduled for Q1 2023. This will include 
JSON 5 bulk download capability and implementation of remaining soft deploy bug 
     *   There was discussion about the importance of providing adequate lead 
time to the community to prepare for the deprecation of JSON 4.
        *   By the time hard deploy begins, the program will have a JSON 4 
deprecation date that can be shared with users so they have time to adjust 
their operations.
        *   The Board will make the final decision for a deprecation date, 
based on the recommendation from the Transition Working Group (TWG); the 
Outreach and Communications Working Group (OCWG) will support messaging to the 
user community.
        *   All 10 Board members attending this meeting were in favor of 
establishing a deprecation date of "no later than the end of 2023." This was 
not a quorum, so an email will be sent to the Board private list asking members 
who could not attend to cast their vote.
  *   CNA Coordination Working Group (CNACWG)
     *   In 2022, started conversations with both and Library of 
Congress about archiving CVE references, and perhaps doing it automatically. 
That effort will continue in 2023.
     *   Currently working on a "how to" guide for writing a CVE submitter 
robot. This is intended for CNAs that do not have strong technical backgrounds.
  *   Outreach and Communications Working Group (OCWG)
     *   Objectives for 2023 include: membership recruitment, regular podcasts, 
quarterly CVE story blog, supporting community members speaking at industry 
events, and helping identify target events.
     *   Meeting schedule is changing to monthly to try to promote more 
     *   Website content review continues.
  *   Strategic Planning Working Group (SPWG)
     *   Finished out the year working on two documents, one of which is the 
CNA Rules document.
        *   Currently identifying new content requirements, including in the 
area of cloud-related activities or services.
        *   Updates or additions to rules about transferring IDs are also 
        *   Updates will be a focus for next couple months.
        *   CNAs will have a chance to review.
     *   Keeping an eye on the European Union (EU) Cyber Resilience Act (CRA) 
for potential impacts to the program.
  *   Transition Working Group (TWG)
     *   The TWG was intended to be temporary, but the recommendation was made 
to make it permanent. Meetings have served as an opportunity for working group 
chairs to coordinate and discuss issues, and collaborate on recommendations to 
take to the Board.
     *   In the absence of a quorum, an email will be sent to the Board private 
list for a vote on making the TWG permanent.
CVE Program and Working Group Priorities for First Half of 2023

  *   A request was sent to the Board and working group chairs in December for 
their input on 2023 priorities. There has been limited response. A spreadsheet 
of responses received so far has been started.
  *   In the absence of a quorum, an off-cycle meeting will be set up with the 
Board and working group chairs to continue this discussion. The current 
spreadsheet will also be distributed so everyone knows what has already been 
CNA Category Type Definitions

  *   At the last Board meeting, some changes were approved to the list of CNA 
Types. At that meeting, the Board requested formal definitions for each of the 
  *   Draft definitions were developed by the Secretariat and shown at the 
Council of Roots meeting this morning. Input was:
     *   Consider changing Bug Bounty Program to Bug Bounty Service or Provider.
     *   Limited confidence in the definitions of Hosted Service and Researcher.
  *   The Board agreed to change:
     *   Bug Bounty Program type to Bug Bounty Provider.
     *   The description of Hosted Service to also include platform as a 
service and infrastructure as a service.
     *   National and Industry CERT type to just CERT.
  *   A CNA may self-identify as multiple types if needed.
  *   Descriptions may be revised in the future; these initial descriptions are 
a starting point.
  *   The program will make updates to existing Types on the program website, 
and make any modifications based on CNA feedback.
Roots Update (topics from meeting on January 4)

  *   Roots discussed recruiting from the Critical software list and the 
importance of coordination so multiple Roots are not recruiting the same vendor
  *   Roots plan to begin targeting national CERTs for recruitment
  *   Priorities for 2023: One priority mentioned was to escalate the 
completion of the transition from the old program website to the new site. Two 
things that need to be done first are completing link "redirects" and 
completing the more robust search capability of the new site.
  *   CNA and Root activity metrics. One suggestion was to try to get metrics 
generation and reporting integrated into CVE services, so there are not 
multiple environments.
  *   The Secretariat is working to unify internal data sets, including 
standardizing CNA "shortnames."  The community will be informed of any 
impactful changes, such as updates to some Partner page URLs.
CVE Board Satisfaction Survey Results

  *   Thirteen (13) responses were received from Board members to a short 
  *   Most responses were positive with respect to the usefulness of Board 
meetings, and the time, duration and frequency of meetings. There was some 
feedback for consideration:
     *   Meetings are just often status briefings, too many issues that need to 
be discussed.
     *   Some members attend and do not participate.
     *   Two hours is too long. We need to be more concise. The frequency and 
duration needs to be driven by what needs to be addressed.
     *   Alternating the meeting time between morning to afternoon is only 
useful if European and Asian members are taking advantage of it. Complicates 
member scheduling.
  *   Survey will be sent out quarterly.
Open Discussion

  *   CNA Board Liaison: The call for nominations was sent out to CNAs on 
December 1; the nomination period lasted through December 31, 2022. Only one 
person, was nominated. The question was asked if it was necessary to go through 
the process of holding a vote/election, given there is only one nominee. The 
Board voted unanimously on the call to not hold a vote for the CNA Board 
Liaison position given there is only one candidate.
Review of Action Items
Out of time.
Next CVE Board Meetings

*       Wednesday, January 18, 2023, 9:00am - 11:00am (EST)

*       Wednesday, February 1, 2023, 2:00pm - 4:00pm (EST)

*       Wednesday, February 15, 2023, 9:00am - 11:00am (EST)

*       Wednesday, March 1, 2023, 2:00pm - 4:00pm (EST)

*       Wednesday, March 15, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, March 29, 2023, 2:00pm - 4:00pm (EDT)
Discussion Topics for Future Meetings

*       CVE Services 2.1 and program website updates (on-going)

*       Working Group updates (every other meeting, next is February 1, 2023)

*       Council of Roots meeting highlights (next is February 1, 2023)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 

*       CVE Communications Strategy

Reply via email to