CVE Board Meeting Notes
March 15, 2023 (9:00 am – 11:00 am EDT)

Agenda
· 9:00-9:05 Introduction
· 9:05-10:25 Topics
  * Modification of Historical Records
  * CVE Services Status re: Hard Deploy
  * Summit: Final Details (e.g., agenda, messaging)
· 10:25-10:35 Open Discussion
· 10:35-10:55 Review of Action Items
· 10:55-11:00 Closing Remarks

New Action Items from Today’s Meeting

Action Item # | New Action Item | Responsible Party | Due
n/a

Modification of Historical Records
* During soft deploy, CNAs have been encouraged to review their records to ensure the up conversion of their data from JSON 4 to JSON 5 was correct. It was not intended to be an opportunity to make significant data content changes.
* It has been noticed that some CNAs have used it as an opportunity to make bulk changes unrelated to up conversion issues. These changes to historical data may not be in the best interest of the community.
* The Board was asked for their direction/next steps. There was consensus by the Board to not allow bulk changes to historical data until ADP container is in place; if needed, CNAs can coordinate with the Secretariat. The AWG Chair will draft guidance/release notes/FAQ for the upcoming Summit to get this message out to the community.
* Other comments:
  * CNAs only own the container; the program owns the record.
  * Suggestion to maintain historical data changes/versions. May be a future capability.
  * Maybe designate core fields (e.g., description) as not changeable without program involvement, and allow others to be editable by the CNA.

CVE Services Status re: Hard Deploy
* Proposal: Announce hard deploy on March 28, based on AWG and TWG assessment. Handle down convert issues on a case-by-case basis. Make hard deploy statement at the Summit next week, March 22 and 23.
* Soft deploy review:
  * Bulk download capability deployed.
  * CNAs started to submit JSON 5 CVE records.
  * Used as opportunity to identify and fix bugs in prep for hard deploy.
* Where are we today?
  * Bulk download capability is working well. Going forward, will be on GitHub.
  * There are no more remaining high or low priority issues. Some other minor issues are being worked, but are not show-stoppers for hard deploy.
  * Downconvert from J5 to J4 format is error-prone, lots of “edge cases.” Continuing to fix, but may get to a point where no longer practical to fix every case.
  * JSON 4 format will be retired no later than the end of 2023. Support will continue up to then (JSON 4 updates may lag), and the user community will continue to be updated about its retirement, so they have time to transition.
  * The TWG will lead engagement with the community to encourage JSON 5 adoption, especially for tool vendors who are the majority of the vulnerability management community.
* There was Board consensus to announce March 28 hard deploy at the Summit next week.

Summit: Final Details (e.g., agenda, messaging)
* Need to know today if planning to attend the Summit in person. Proof of Covid vaccination (2 shot standard series) or waiver is needed.
* Agenda has been distributed.
* Slides for the agenda topics are due ASAP, today or tomorrow preferred, but no later than Monday, March 20.
* An “After Action” meeting will be held March 23 at the close of the Summit. This is to discuss action items and key take-aways.
* Add a separate meeting Friday, March 24 for “Architecture Roadmap.” This is unrelated to the Summit, but some attendees will still be in the area.

Open Discussion
* Out of time.

Review of Action Items
* Out of time.

Next CVE Board Meetings
· Wednesday, March 29, 2023, 2:00pm – 4:00pm (EDT)
· Wednesday, April 12, 2023, 9:00am – 11:00am (EDT)
· Wednesday, April 26, 2023, 2:00pm – 4:00pm (EDT)
· Wednesday, May 10, 2023, 9:00am – 11:00am (EDT)
· Wednesday, May 24, 2023, 2:00pm – 4:00pm (EDT)
· Wednesday, June 7, 2023, 9:00am – 11:00am (EDT)

Discussion Topics for Future Meetings
· Bulk download response from community about Reserved IDs
· Finalize 2023 CVE Program priorities
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting, next is March 29, 2023)
· Council of Roots meeting highlights (next is March 29, 2023)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default configurations
· CVE Communications Strategy