CVE Board Meeting Notes

April 12, 2023 (9:00 am - 11:00 am EDT)

*       9:00-9:05        Introduction

*       9:05-10:25      Topics

           *   Relationship between Vendor CNAs and Bug Bounty CNAs: Scopes and 
           *   Update CISA ICS Scope to include U.S. Federal Enterprise
           *   Potential Impacts of Pending Twitter API Changes
           *   CVE Board Meeting during RSA

*       10:25-10:35    Open Discussion

*       10:35-10:55    Review of Action Items

*       10:55-11:00    Closing Remarks
New Action Items from Today's Meeting
Action Item #
New Action Item
Responsible Party
Reach out to Twitter to see if there is an exception to allow FFRDC/government 
to stay with a non-paid plan, even with high volume tweets.

Need to start planning for 2024 Summit.

Review priorities list and assign responsible parties.
SPWG Chair

Introductory Remarks

  *   The CVE Project Lead is out sick and there is not yet an expected date of 
  *   To keep CVE moving forward, an Acting Project Lead has been assigned. 
This person leads the Common Weakness Enumeration (CWE) project and has worked 
closely with CVE over many years.
Relationship between Vendor CNAs and Bug Bounty CNAs: Scopes and Policies

  *   A Board member noticed a URL in a disclosure policy for a CNA vendor that 
goes to a bug bounty site as opposed to the CNA's site.
  *   CNAs may leverage bug bounty services.
  *   Need clarity around who is assigning CVE IDs. Is it the CNA or the bug 
bounty organization?
  *   What do others think about the idea of assuring that CNAs have URLs that 
use the CNA's domains?
     *   If a vendor CNA outsources to a bug bounty provider, the disclosure 
policy on the bug bounty site/domain must be clear that it's the CNA's policy.
     *   A bug bounty organization cannot assign/publish CVEs unless they are 
also a CNA.
     *   The CNA Rules can help clarify the relationship between CNAs and bug 
bounty organizations. Send recommendations to the SPWG.
     *   Recommendation made to distinguish between bug bounty providers and 
Update CISA ICS Scope to include the Federal Enterprise

  *   A recent event with US federal PIV cards showed the need for a focus on 
vulnerabilities in the US federal enterprise space.
  *   Should we create a new CNA for this or expand CISA ICS scope to add 
federal enterprise? Current CISA scope is industrial control systems and 
medical devices.
  *   There were no objections to allowing CISA ICS to expand its scope to 
include federal enterprise vulnerabilities. The scope will be made clear that 
is only for US federal.
  *   The idea to rename CISA ICS to just CISA was discussed, but no decision 
was made.
Potential Impacts of Pending Twitter API Changes

  *   The CVE Program uses Twitter to share two types of information: Every 
time a CVE is published, and regular announcements like new CNAs.
  *   It is possible the CVE Program will be cut off because the current plan 
is a free one and it is unclear if there will be any notice before a cut off. 
There may be a need to transition to a paid account to stay on Twitter. There 
are also other information sharing options, e.g., Mastodon.
  *   Board input:
     *   May still have some marketing value to some users, but there are other 
options. Would not pay a lot to stay with Twitter.
     *   Reach out to Twitter to see if there is an exception for non-profit.
CVE Board Meeting during RSA

  *   The Board meeting on April 26 is the same week as RSA. Should the meeting 
be cancelled?
  *   It was agreed to move the meeting to the following week on May 3, and get 
back on the normal cycle with the May 10 meeting.
Open Discussion

  *   How is hard deploy going?
     *   Bulk download is being used, and we have received feedback on some 
issues. As of last Friday, we feel that most of those issues have been 
     *   Next big rocks for the AWG are the ADP pilot and the user registry 
  *   2023 Priorities
     *   Need to work on the data model for the user registry.
     *   Staffing allocations for the user registry effort will be made in the 
new period of performance, which should start next week.
Review of Action Items

  *   03.29.02 (JSON 4 deprecation). The secretariat is working with TWG on 
draft communication.
  *   05.11.03 (Repo rules document). Slack may be serving the purpose.
  *   07.06.01 (Update the FAQ section of Secretariat will review the 
FAQ section to make sure there is no incorrect information.
  *   06.23.01 (Program Annual Report). Need to start working on the outline 
now--set up sub WG to assist in building strawman.
Next CVE Board Meetings

*       Wednesday, May 3, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, May 10, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, May 24, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, June 7, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, June 21, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, July 5, 2023, 9:00am - 11:00am (EDT)
Discussion Topics for Future Meetings

*       Bulk download response from community about Reserved IDs

*       Finalize 2023 CVE Program priorities

*       CVE Services updates and website transition progress (as needed)

*       Working Group updates (every other meeting, next is May 3, 2023)

*       Council of Roots meeting highlights (next is May 3, 2023)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 

*       CVE Communications Strategy

Reply via email to