CVE Board Meeting Notes
March 1, 2023 (2:00 pm – 4:00 pm EST)
Agenda
· 2:00-2:05 Introduction
· 2:05-3:25 Topics
* Working Group Updates (WG Chairs)
* Council of Roots Update (Dave Morse)
* 2023 Global Summit Agenda (Dave Morse)
* Finalize 2023 CVE Program Priorities (Dave Morse)
· 3:25-3:35 Open Discussion
· 3:35-3:55 Review of Action Items
· 3:55-4:00 Closing Remarks
New Action Items from Today’s Meeting
Action Item #
New Action Item
Responsible Party
Due
03.01.01
At the summit, bring up the question “how important is CVE Record change
history to the CNA community?”
CNACWG Chair
03.01.02
Build a list of lightning round questions for the summit (03.01.01 is one of
the questions).
CNACWG Chair
03.01.03
Examine the RBP issue as related to publishing reserved CVE IDs, and brief the
Board on conclusions.
Secretariat
03.01.04
Send draft 2023 CVE Program priorities to WG chairs and Board members asking
for their input on rank-ordering the list of priorities.
Secretariat
Working Group Updates
* SPWG
* Continued work on the CNA Rules and other documents.
* SPWG Chair participated in a meeting in February at MITRE (McLean) for
discussion about services, architecture, and business requirements going
forward.
* CNACWG
* Putting together some user documentation for all the various and
sundry client applications that use the new services API. Preparing a video of
using Vulnogram; target completion in time for the Summit.
* Mentoring program is caught up – everyone signed up has a mentor.
Build a relationship, don’t wait for an emergency.
* Raised community concerns around CVE Record processing in RSUS vs CPS
and lack of clarity on internal "business rules" in systems that cause Records
to fail. Follow up meeting to be held. Want to mature to a point where the
required business rules are captured in our front end (RSUS), not the back end.
* TWG
* Discussing dev issues that need fleshing out.
* Talking about the summit; communication with CNA about using/moving to
the new services and those that aren't and how to how to deal with those issues.
* QWG
* Asked the WG for volunteers to help with administration tasks. A
GitHub repo is used.
* General discussion of work on CVE JSON schema.
* The team behind Google's open source vulnerability database reached
out; they are interested in participating as an ADP. Believe the decision for
allowing them to do a pilot should go through SPWG.
* OCWG
* Began new monthly meeting schedule in February (third Wednesday of
every month 9:00 AM Eastern Time).
* Published a blog from Red Hat about how Red Hat supports open source
vulnerabilities on the program.
* Recorded podcast with AWG Chair interviewing TWG Chair about
Microsoft’s experience adopting JSON 5. Expected to be published next week.
* AWG
* Hard deploy of CVE Services to start soon. Will discuss schedule with
TWG tomorrow.
* Bulk download capability is moving along very well. Expected by end of
month.
* Components of hard deploy can be implemented incrementally, when ready.
* Next big rocks include user registry requirements and getting the
technical community galvanized around meeting those requirements.
Council of Roots Update
* Went over CNA pipeline metrics for recruiting and onboarding.
* Discussed CNA recruitment conflicts that can arise with a large
multi-region company. There can be miscommunication with another part of the
company that also wants to be a CNA. Roots should use the Monday.com board to
identify potential conflicts.
* OCWG presented two recently developed outreach materials: (1) handout
postcard with CR code for conferences and other events (code gives easy access
to the web page to apply to be a CNA), and (2) updated program trifold.
* AWG Chair gave an update on hard deploy.
* Presented results of a CNA survey (26 responses) about what top issues
they would like discussed at the upcoming Summit. Many are already covered in
the current draft agenda.
* Presented the Summit draft agenda. No changes recommended by the Roots.
2023 Global Summit Agenda
* Presented draft agenda, Board input requested. Suggestion made to add an
abstract to explain what each agenda topic is about. Need to identify speakers
for all topics.
* CNAs and Roots have already had an opportunity to provide input to the
agenda.
* CISA requested a time slot to discuss how to use CVE to improve software
(secure by design).
* Next steps: finalize a specific schedule with dates/topics/times/speakers.
Finalize 2023 CVE Program Priorities
* Presented latest version of priorities, input requested. No new additions
or modifications.
* Next steps: send current list to the Board and WG Chairs for their
perspective on rank-ordering the priorities (action item).
* AWG Chair perspective: next big rocks are User Registry and ADP.
Open Discussion
* General discussion on the CVE JSON schema and whether protocols (e.g.,
SBOM or PURL) are supported as specific fields or more generally in a flexible
nature. Also, whether product or component identifiers are maturing to support
a future automation of CNA Scope review for matching products and avoiding
scope conflicts.
Review of Action Items
* 01.18.02 – Closed. CNACWG Chair asked the question at 2 meetings, and the
response was ‘yes, this is important (see new action item 03.01.01 to discuss
at summit).
* 02.01.02 – Responsible Party changed from AWG to AWG Chair. Secretariat
will have an internal meeting to discuss, and brief the Board at a later
meeting.
* 02.01.03 – it’s a manual process…so some of the directories will be
service-side. More to report at next meeting.
* 02.15.01 – 26 responses so far.
Next CVE Board Meetings
· Wednesday, March 15, 2023, 9:00am – 11:00am (EDT)
· Wednesday, March 29, 2023, 2:00pm – 4:00pm (EDT)
· Wednesday, April 12, 2023, 9:00am – 11:00am (EDT)
· Wednesday, April 26, 2023, 2:00pm – 4:00pm (EDT)
· Wednesday, May 10, 2023, 9:00am – 11:00am (EDT)
· Wednesday, May 24, 2023, 2:00pm – 4:00pm (EDT)
Discussion Topics for Future Meetings
· Bulk download response from community about Reserved IDs
· Finalize 2023 CVE Program priorities
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting, next is March 29, 2023)
· Council of Roots meeting highlights (next is March 29, 2023)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default
configurations
· CVE Communications Strategy
