CVE Board Meeting Notes

March 1, 2023 (2:00 pm – 4:00 pm EST)

·       2:00-2:05        Introduction

·       2:05-3:25        Topics

           *   Working Group Updates (WG Chairs)
           *   Council of Roots Update (Dave Morse)
           *   2023 Global Summit Agenda (Dave Morse)
           *   Finalize 2023 CVE Program Priorities (Dave Morse)

·       3:25-3:35        Open Discussion

·       3:35-3:55        Review of Action Items

·       3:55-4:00        Closing Remarks
New Action Items from Today’s Meeting
Action Item #
New Action Item
Responsible Party
At the summit, bring up the question “how important is CVE Record change 
history to the CNA community?”

Build a list of lightning round questions for the summit (03.01.01 is one of 
the questions).

Examine the RBP issue as related to publishing reserved CVE IDs, and brief the 
Board on conclusions.

Send draft 2023 CVE Program priorities to WG chairs and Board members asking 
for their input on rank-ordering the list of priorities.

Working Group Updates

  *   SPWG
     *   Continued work on the CNA Rules and other documents.
     *   SPWG Chair participated in a meeting in February at MITRE (McLean) for 
discussion about services, architecture, and business requirements going 
  *   CNACWG
     *   Putting together some user documentation for all the various and 
sundry client applications that use the new services API. Preparing a video of 
using Vulnogram; target completion in time for the Summit.
     *   Mentoring program is caught up – everyone signed up has a mentor. 
Build a relationship, don’t wait for an emergency.
     *   Raised community concerns around CVE Record processing in RSUS vs CPS 
and lack of clarity on internal "business rules" in systems that cause Records 
to fail. Follow up meeting to be held. Want to mature to a point where the 
required business rules are captured in our front end (RSUS), not the back end.
  *   TWG
     *   Discussing dev issues that need fleshing out.
     *   Talking about the summit; communication with CNA about using/moving to 
the new services and those that aren't and how to how to deal with those issues.
  *   QWG
     *   Asked the WG for volunteers to help with administration tasks. A 
GitHub repo is used.
     *   General discussion of work on CVE JSON schema.
     *   The team behind Google's open source vulnerability database reached 
out; they are interested in participating as an ADP. Believe the decision for 
allowing them to do a pilot should go through SPWG.
  *   OCWG
     *   Began new monthly meeting schedule in February (third Wednesday of 
every month 9:00 AM Eastern Time).
     *   Published a blog from Red Hat about how Red Hat supports open source 
vulnerabilities on the program.
     *   Recorded podcast with AWG Chair interviewing TWG Chair about 
Microsoft’s experience adopting JSON 5. Expected to be published next week.
  *   AWG
     *   Hard deploy of CVE Services to start soon. Will discuss schedule with 
TWG tomorrow.
     *   Bulk download capability is moving along very well. Expected by end of 
     *   Components of hard deploy can be implemented incrementally, when ready.
     *   Next big rocks include user registry requirements and getting the 
technical community galvanized around meeting those requirements.
Council of Roots Update

  *   Went over CNA pipeline metrics for recruiting and onboarding.
  *   Discussed CNA recruitment conflicts that can arise with a large 
multi-region company. There can be miscommunication with another part of the 
company that also wants to be a CNA. Roots should use the board to 
identify potential conflicts.
  *   OCWG presented two recently developed outreach materials: (1) handout 
postcard with CR code for conferences and other events (code gives easy access 
to the web page to apply to be a CNA), and (2) updated program trifold.
  *   AWG Chair gave an update on hard deploy.
  *   Presented results of a CNA survey (26 responses) about what top issues 
they would like discussed at the upcoming Summit. Many are already covered in 
the current draft agenda.
  *   Presented the Summit draft agenda. No changes recommended by the Roots.
2023 Global Summit Agenda

  *   Presented draft agenda, Board input requested. Suggestion made to add an 
abstract to explain what each agenda topic is about. Need to identify speakers 
for all topics.
  *   CNAs and Roots have already had an opportunity to provide input to the 
  *   CISA requested a time slot to discuss how to use CVE to improve software 
(secure by design).
  *   Next steps: finalize a specific schedule with dates/topics/times/speakers.
Finalize 2023 CVE Program Priorities

  *   Presented latest version of priorities, input requested. No new additions 
or modifications.
  *   Next steps: send current list to the Board and WG Chairs for their 
perspective on rank-ordering the priorities (action item).
     *   AWG Chair perspective: next big rocks are User Registry and ADP.
Open Discussion

  *   General discussion on the CVE JSON schema and whether protocols (e.g., 
SBOM or PURL) are supported as specific fields or more generally in a flexible 
nature.  Also, whether product or component identifiers are maturing to support 
a future automation of CNA Scope review for matching products and avoiding 
scope conflicts.
Review of Action Items

  *   01.18.02 – Closed. CNACWG Chair asked the question at 2 meetings, and the 
response was ‘yes, this is important (see new action item 03.01.01 to discuss 
at summit).
  *   02.01.02 – Responsible Party changed from AWG to AWG Chair. Secretariat 
will have an internal meeting to discuss, and brief the Board at a later 
  *   02.01.03 – it’s a manual process…so some of the directories will be 
service-side. More to report at next meeting.
  *   02.15.01 – 26 responses so far.
Next CVE Board Meetings

·       Wednesday, March 15, 2023, 9:00am – 11:00am (EDT)

·       Wednesday, March 29, 2023, 2:00pm – 4:00pm (EDT)

·       Wednesday, April 12, 2023, 9:00am – 11:00am (EDT)

·       Wednesday, April 26, 2023, 2:00pm – 4:00pm (EDT)

·       Wednesday, May 10, 2023, 9:00am – 11:00am (EDT)

·       Wednesday, May 24, 2023, 2:00pm – 4:00pm (EDT)
Discussion Topics for Future Meetings

·       Bulk download response from community about Reserved IDs

·       Finalize 2023 CVE Program priorities

·       CVE Services updates and website transition progress (as needed)

·       Working Group updates (every other meeting, next is March 29, 2023)

·       Council of Roots meeting highlights (next is March 29, 2023)

·       Researcher Working Group proposal for Board review

·       Vision Paper and Annual Report

·       Secretariat review of all CNA scope statements

·       Proposed vote to allow CNAs to assign for insecure default 

·       CVE Communications Strategy

Reply via email to