CVE Board Meeting Notes

February 1, 2023 (2:00 pm – 4:00 pm EST)

·       2:00-2:05        Introduction

·       2:05-3:25        Topics

o   GDPR Conclusion

o   Council of Roots Update

o   Working Groups Updates

o   CVE Program Priorities for the First Half of 2023 (cont.)

o   CVE Program Global Summit: Agenda

·       3:25-3:35        Open Discussion

·       3:35-3:55        Review of Action Items

·       3:55-4:00        Closing Remarks
New Action Items from Today’s Meeting
Action Item #
New Action Item
Responsible Party
Ask CNA community and working groups if they have concerns, or know of a use 
that would be harmed, if bulk download capability of Reserved IDs was stopped. 
If no, the capability will be stopped.
two weeks for response
Consult with AWG to discuss level of effort to turn off bulk download of 
Reserved IDs.
AWG Chair

Start inserting redirects from the old to the new website.

Update 2023 Priorities spreadsheet and send to the Board. Target finalization 
at next Board meeting.

Send request for Summit agenda ideas to the Board list. Include spreadsheet of 
ideas from today’s meeting.

GDPR Conclusion

  *   General Data Protection Regulation (GDPR) comes out of the European Union 
(EU). The CVE Program consulted the MITRE legal team to get a legal opinion 
about GitHub compliance in the context of the bulk download architecture.
  *   The GitHub architecture is good to go and the program knows what is has 
to do to comply with GDPR.
Council of Roots Update

  *   Discussed CNA recruiting and onboarding status.
  *   Asked for Root input on Summit agenda topics.
  *   Asked for input on program priorities for first half of 2023.
  *   Provided an overview of upcoming program website updates, e.g., new CNA 
  *   Discussion about Root capabilities to manage their CNA credentials for 
CVE Services, and have access to CNA information, e.g., metrics. Root 
requirements will be rolled into the overall User Registry requirements.
Working Group Updates

  *   OCWG
     *   Published the ‘Our CVE Story’ blog about why Red Hat became a root.
     *   Held a podcast production meeting with SPWG Chair.
     *   New OCWG meeting schedule to be announced soon.
  *   SPWG
     *   Continuing to work on the CNA rules update. A cloud decision tree will 
be started soon to improve rules around cloud service providers and different 
types of cloud architectures.
  *   TWG
     *   Supporting AWG with defining User Registry requirements.
     *   Discussion of forking vs not forking the Vulnogram client for program 
     *   Feedback has been received that CVE clients are not intuitive; the TWG 
will discuss and come up with solutions.
     *   Discussion about the problem type field and the weakness field in JSON 
5 records, and whether they are required or optional. Further Board discussion 
needed and results to be included in the CNA Rules update.
CVE Program Priorities for the First Half of 2023

  *   Reviewed and discussed rows 49-53 (see spreadsheet for details)
  *   Next steps: Send out updated priorities spreadsheet (create new column 
for Priority, insert references to dependencies) to the Board, target next 
Board meeting for finalizing.
CVE Program Global Summit: Agenda

  *   The program is collecting agenda items for the upcoming Summit (March 
22-23). A request was sent to the CNA list, and Roots were asked for their 
input at their meeting this morning.
  *   Some ideas were discussed; additional Board input will be requested via 
the mailing list.
Open Discussion
Out of time
Review of Action Items
Out of time
Next CVE Board Meetings

·       Wednesday, February 15, 2023, 9:00am – 11:00am (EST)

·       Wednesday, March 1, 2023, 2:00pm – 4:00pm (EST)

·       Wednesday, March 15, 2023, 9:00am – 11:00am (EDT)

·       Wednesday, March 29, 2023, 2:00pm – 4:00pm (EDT)

·       Wednesday, April 12, 2023, 9:00am – 11:00am (EDT)

·       Wednesday, April 26, 2:00pm – 4:00pm (EDT)
Discussion Topics for Future Meetings

·       Continue discussion about 2023 priorities – start down-select process

·       CVE Services updates and CVE Program website transition progress (as 

·       Working Group updates (every other meeting, next is March 1, 2023)

·       Council of Roots meeting highlights (next is March 1, 2023)

·       Researcher Working Group proposal for Board review

·       Vision Paper and Annual Report

·       Secretariat review of all CNA scope statements

·       Proposed vote to allow CNAs to assign for insecure default 

·       CVE Communications Strategy

Reply via email to