CVE Board Meeting Notes

March 29, 2023 (2:00 pm - 4:00 pm EDT)

*       2:00-2:05        Introduction

*       2:05-3:25        Topics

           *   Council of Roots Update
           *   Working Group Updates
           *   Summit Takeaways
           *   KEV Data Addition to the Corpus
           *   CVE Program Registry Effort
           *   Hard Deploy Update
           *   TWG Official Name Change
           *   Clarification: When JSON 4.0 "Submission" Should be Discontinued
           *   CVE Records Transfer from Submitters to Newly Onboarded CNAs

*       3:25-3:35        Open Discussion

*       3:35-3:55        Review of Action Items

*       3:55-4:00        Closing Remarks
New Action Items from Today's Meeting
Action Item #
New Action Item
Responsible Party
Check with Summit presenters and ask if they're okay having their presentations 
shared publicly.

Notify users that JSON 4 submissions will be deprecated in 90 days.

Council of Roots Update

  *   Good attendance at the March 29 meeting.
  *   Positive feedback received about the summit with some suggestions for 
future summits.
  *   Red Hat, CISA ICS and MITRE have announced new CNAs in the last 30 days.
  *   MITRE and CISA ICS working together for onboarding NCSC Finland (CERT)
Working Group Updates

  *   CNA Coordination Working Group (CNACWG)
     *   No meeting last week, attended summit.
     *   CNA Mentor Program is rebooted.
  *   Strategic Planning Working Group (SPWG)
     *   Most of the work right now is on cloud-related updates to the CNA 
     *   Have started to assist with the record elements we need for the user 
  *   Tactical Working Group (TWG)
     *   Working group name has changed (see TWG Official Name Change topic).
     *   A next effort is to reduce the list of folks using JSON 4 submission.
  *   Quality Working Group (QWG)
     *   Identified a bug in the JSON 5 schema that allows a typo in certain 
     *   Working on the fix and have notified the two affected CNAs. Minor 
  *   Automation Working Group (AWG)
     *   Hard deploy has occurred; recent activity has been about closing out 
final issues.
     *   Next big rocks: Authorized Data Publisher (ADP) pilot, User Registry.
  *   Outreach and Communications Working Group (OCWG)
     *   At the March 29 meeting, talked about feedback from the summit, who is 
going to RSA and other conferences, and updates on podcasts and blogs.
     *   Question: Is it okay to use the "State of the Program" presentation 
content from the summit in a podcast for broader public distribution? Answer: 
No objections.
     *   Question: Can we share full videos (from the summit) with CNA's and 
board members? Answer: Probably not a problem, but the program will check with 
presenters first (action item).
Summit Takeaways (Open Comment)

  *   Hybrid attendance format was not optimal.
  *   Would have liked more time to hear from the community/participants, not 
  *   Do not overburden one presenter with too many agenda topics.
  *   There was a session that presented a new way of looking at CVE. Need more 
sessions like that, i.e., more than just status and direction/guidance. How is 
CVE being used?
  *   Begin planning of Summit earlier to better support preparation.
  *   Need more discussion about how CVE is being used in organizations.
  *   Think about breakout sessions and having separate tracks to help people 
who are new versus the more advanced users.
  *   Have a prepared list of questions or 'discussion starters' to stimulate 
  *   Logistics could have been better, e.g., not enough microphones, a lot of 
passing around.
  *   Important to start looking at how we apply CVE for the downstream 
vulnerability management community.
  *   Consider co-locating the next summit with the FIRST conference to make it 
easier for broader in-person participation.
  *   Expect to have a few ADPs by the next summit - that should be a topic.
  *   More break time for opportunity to network for in-person attendees.
KEV Data Addition to the Corpus

  *   Issues with the CRA doing exploited vulnerabilities. It's the same kind 
of thing that KEV is doing. Trying to put it into law.
  *   Explore the idea of incorporating 
KEV<> data into CVE.
CVE Program Registry Effort

  *   Held a meeting February 21 to review the user registry CONOPS and 
documentation from 2018 and verify we are still on the right path. Concepts are 
still in line, but some changes to the documents will be made. A follow-on 
meeting held after the summit to get into more specifics went well.
  *   Intent is to establish the record elements for what's turning into a CVE 
Program data repository (not just user registry). There is no schema yet.
  *   Suggestion made to add logos as a data element.
  *   Get registry defined well enough that AWG can implement.
  *   User registry portion will tie in with authentication services.
Hard Deploy Update

  *   The CVE Services hard deploy milestone was met earlier today.
  *   Bulk download capability is now available to downstream users. Available 
in zip file format.
  *   Some minor issues are being worked.
 has been updated to reflect new download capability.
  *   Talking with the TWG tomorrow about bulletin 15 to the CNAs announcing 
hard deploy and what that means. Will also be announced on Slack.
TWG Official Name Change

  *   There were no objections to the proposal to change the name of the 
Transition Working Group to the Tactical Working Group.
  *   The TWG will have an operational focus.
  *   Charter development is underway.
Clarification: When Should JSON 4.0 "Submission" be Discontinued

  *   A question came up at the summit about when submission of JSON 4 records 
will be discontinued (downloads will be discontinued by the end of 2023 - 
already announced).
  *   A small number (69) of users are using Git Hub for JSON 4 submissions. 
Send out targeted notice that JSON 4 submissions will not be accepted after 90 
days (action item).
  *   Revise training and onboarding materials to remove references to JSON 4 
CVE Records Transfer from Submitters to Newly Onboarded CNAs

  *   There has been a long standing program practice to not transfer existing 
CVEs to new CNAs. Should we change that practice?
  *   Consensus was to not change. The CNA can make a request for a CVE 
transfer on a case by case basis. A transfer can be made when appropriate.
Open Discussion

  *   Seem to be propagating the text "and not in another CNA's scope" 
constantly. It should not be a default; it should only be added to scopes where 
appropriate, such as when a CNA is doing research into vulnerabilities beyond 
their own products. No objections.
Review of Action Items

  *   06.23.01 (2022 Annual Report). There was agreement to close this action 
item and try again for the 2023 Annual Report. Suggestion was made to start 
planning content and layout earlier. Example shared: Intel 2021 Product 
Next CVE Board Meetings

*       Wednesday, April 12, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, April 26, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, May 10, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, May 24, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, June 7, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, June 21, 2023, 2:00pm - 4:00pm (EDT)
Discussion Topics for Future Meetings

*       Bulk download response from community about Reserved IDs

*       Finalize 2023 CVE Program priorities

*       CVE Services updates and website transition progress (as needed)

*       Working Group updates (every other meeting, next is April 26, 2023)

*       Council of Roots meeting highlights (next is April 26, 2023)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 

*       CVE Communications Strategy

Reply via email to