CVE Board Meeting Notes

April 12, 2023 (9:00 am - 11:00 am EDT)
Agenda

*       9:00-9:05        Introduction

*       9:05-10:25      Topics

           *   Relationship between Vendor CNAs and Bug Bounty CNAs: Scopes and Policies
           *   Update CISA ICS Scope to include U.S. Federal Enterprise
           *   Potential Impacts of Pending Twitter API Changes
           *   CVE Board Meeting during RSA

*       10:25-10:35    Open Discussion

*       10:35-10:55    Review of Action Items

*       10:55-11:00    Closing Remarks
New Action Items from Today's Meeting

Action Item #   New Action Item                                                          Responsible Party   Due
04.12.01        Reach out to Twitter to see if there is an exception to allow            Secretariat
                FFRDC/government to stay with a non-paid plan, even with high
                volume tweets.
04.12.02        Need to start planning for 2024 Summit.                                  Secretariat
04.12.03        Review priorities list and assign responsible parties.                   SPWG Chair

Introductory Remarks

  *   The CVE Project Lead is out sick and there is not yet an expected date of 
return.
  *   To keep CVE moving forward, an Acting Project Lead has been assigned. 
This person leads the Common Weakness Enumeration (CWE) project and has worked 
closely with CVE over many years.
Relationship between Vendor CNAs and Bug Bounty CNAs: Scopes and Policies

  *   A Board member noticed a URL in a disclosure policy for a CNA vendor that 
goes to a bug bounty site as opposed to the CNA's site.
  *   CNAs may leverage bug bounty services.
  *   Need clarity around who is assigning CVE IDs. Is it the CNA or the bug 
bounty organization?
  *   What do others think about the idea of assuring that CNAs have URLs that 
use the CNA's domains?
     *   If a vendor CNA outsources to a bug bounty provider, the disclosure 
policy on the bug bounty site/domain must be clear that it's the CNA's policy.
     *   A bug bounty organization cannot assign/publish CVEs unless they are 
also a CNA.
     *   The CNA Rules can help clarify the relationship between CNAs and bug 
bounty organizations. Send recommendations to the SPWG.
     *   Recommendation made to distinguish between bug bounty providers and 
non-providers.
Update CISA ICS Scope to include the Federal Enterprise

  *   A recent event with US federal PIV cards showed the need for a focus on 
vulnerabilities in the US federal enterprise space.
  *   Should we create a new CNA for this or expand CISA ICS scope to add 
federal enterprise? Current CISA scope is industrial control systems and 
medical devices.
  *   There were no objections to allowing CISA ICS to expand its scope to 
include federal enterprise vulnerabilities. The scope statement will make clear 
that it covers US federal systems only.
  *   The idea to rename CISA ICS to just CISA was discussed, but no decision 
was made.
Potential Impacts of Pending Twitter API Changes

  *   The CVE Program uses Twitter to share two types of information: a 
notification every time a CVE Record is published, and regular announcements 
such as new CNAs.
  *   It is possible the CVE Program will be cut off because the current plan 
is a free one and it is unclear if there will be any notice before a cut off. 
There may be a need to transition to a paid account to stay on Twitter. There 
are also other information sharing options, e.g., Mastodon.
  *   Board input:
     *   May still have some marketing value to some users, but there are other 
options. Would not pay a lot to stay with Twitter.
     *   Reach out to Twitter to see if there is an exception for non-profit.
CVE Board Meeting during RSA

  *   The Board meeting on April 26 is the same week as RSA. Should the meeting 
be cancelled?
  *   It was agreed to move the meeting to the following week on May 3, and get 
back on the normal cycle with the May 10 meeting.
Open Discussion

  *   How is hard deploy going?
     *   Bulk download is being used, and we have received feedback on some 
issues. As of last Friday, we feel that most of those issues have been 
addressed.
     *   Next big rocks for the AWG are the ADP pilot and the user registry 
requirements.
  *   2023 Priorities
     *   Need to work on the data model for the user registry.
     *   Staffing allocations for the user registry effort will be made in the 
new period of performance, which should start next week.
Review of Action Items

  *   03.29.02 (JSON 4 deprecation). The secretariat is working with TWG on 
draft communication.
  *   05.11.03 (Repo rules document). Slack may be serving the purpose.
  *   07.06.01 (Update the FAQ section of cve.org). Secretariat will review the 
FAQ section to make sure there is no incorrect information.
  *   06.23.01 (Program Annual Report). Need to start working on the outline 
now; set up a sub-WG to assist in building the strawman.
Next CVE Board Meetings

*       Wednesday, May 3, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, May 10, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, May 24, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, June 7, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, June 21, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, July 5, 2023, 9:00am - 11:00am (EDT)
Discussion Topics for Future Meetings

*       Bulk download response from community about Reserved IDs

*       Finalize 2023 CVE Program priorities

*       CVE Services updates and website transition progress (as needed)

*       Working Group updates (every other meeting, next is May 3, 2023)

*       Council of Roots meeting highlights (next is May 3, 2023)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 
configurations

*       CVE Communications Strategy
