CVE Board Meeting Notes
May 3, 2023 (2:00 pm – 4:00 pm EDT)

Agenda
· 2:00-2:05 Introduction
· 2:05-3:25 Topics
  * Working Group and Council of Roots Updates
  * RSAC 2023 Update
  * Summit Planning (virtual Fall 2023 / in-person Spring 2024)
  * Annual Report Planning (sub WG)
· 3:25-3:35 Open Discussion
· 3:35-3:55 Review of Action Items
· 3:55-4:00 Closing Remarks

New Action Items from Today's Meeting

Action Item # | New Action Item                                                           | Responsible Party | Due
05.03.01      | Remove any onboarding video/material that reflects legacy/old practices. | Secretariat       |
05.03.02      | Clean up the Open Action Items and establish a new numbering/ID system.  | Secretariat       |

Working Groups and Council of Roots Updates

* Automation Working Group (AWG)
  * Authorized Data Publisher (ADP) requirements for the ADP pilot have been finalized based on AWG and SPWG recommendations. Stories have been placed in the GitHub repository and development is expected to start later this week or next week.
  * Next month, plan to start working on the user registry requirements.
  * After the ADP pilot deployment, will continue working to resolve issues identified for fixing after the hard deploy.
  * Question: Will ADPs be separate accounts from CNAs? Answer: Organizations can be a CNA, an ADP, or both. The way the architecture is being designed, there will be separate interfaces for the different roles.
* Tactical Working Group (TWG)
  * Focused on two big rocks:
    * Laying out the schedule for this year for ADP.
    * Schedule for how quickly we can get people off the old way and onto the new way of doing things, and how to communicate with all the end users.
* Quality Working Group (QWG)
  * A current issue for QWG is CNAs submitting empty descriptions for a CVE: just spaces or a single character. AWG has made a code correction as a temporary fix until the schema is updated.
  * Did some research into using AI like ChatGPT to ask a question, e.g., is the CVE description clear? ChatGPT will answer back and say yes, it's clear, or no, it doesn't make sense. Maybe use AI to quality-check CVE entries.
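A small check for the blank-description problem the QWG raised, as an added example for these notes; it is not code from the CVE Program, not the AWG's temporary fix (whose exact rule the notes do not state), and not any CNA's tooling. It assumes the CVE JSON 5 record layout in which the CNA container carries `containers.cna.descriptions` as a list of `lang`/`value` objects, and flags descriptions that are missing, whitespace-only, or shorter than a configurable minimum. The two-character default is an assumption chosen only because it is the weakest rule that rejects both blank and one-character descriptions.

```python
"""Quality check for CVE JSON 5 records: flag empty, whitespace-only or
one-character descriptions, the defect described in the QWG update.

Added example; not the CVE Program's, the AWG's, or any CNA's code.
Assumption: records follow the CVE JSON 5 layout where the CNA container
carries `containers.cna.descriptions`, a list of {"lang": ..., "value": ...}.
"""
import json

# Minimum number of non-whitespace characters for a usable description.
# Assumption: the notes only say blank and one-character descriptions were
# getting through, so 2 is the weakest rule that rejects both; a real
# deployment would pick a larger value.
MIN_DESCRIPTION_CHARS = 2


def _cve_id(record):
    return record.get("cveMetadata", {}).get("cveId", "<unknown CVE ID>")


def description_problems(record, min_chars=MIN_DESCRIPTION_CHARS):
    """Return a list of human-readable problems with the record's CNA
    descriptions; an empty list means the record passes this check."""
    cve_id = _cve_id(record)
    descriptions = record.get("containers", {}).get("cna", {}).get("descriptions")
    problems = []

    if not descriptions:
        problems.append(f"{cve_id}: no descriptions in the CNA container")
        return problems

    for idx, entry in enumerate(descriptions):
        lang = entry.get("lang", "?")
        value = entry.get("value")
        if not isinstance(value, str):
            problems.append(f"{cve_id}: descriptions[{idx}] ({lang}) has no string value")
            continue
        # str.split() with no separator splits on all Unicode whitespace,
        # so a value made only of spaces, tabs or non-breaking spaces
        # collapses to the empty string here.
        text = " ".join(value.split())
        if not text:
            problems.append(f"{cve_id}: descriptions[{idx}] ({lang}) is empty or whitespace-only")
        elif len(text) < min_chars:
            problems.append(f"{cve_id}: descriptions[{idx}] ({lang}) is too short: {text!r}")
    return problems


def check_records(json_docs, min_chars=MIN_DESCRIPTION_CHARS):
    """Run the check over an iterable of JSON documents (one record each)
    and return {cveId: [problems]} for the records that fail."""
    failures = {}
    for doc in json_docs:
        record = json.loads(doc)
        problems = description_problems(record, min_chars)
        if problems:
            failures[_cve_id(record)] = problems
    return failures


# Constructed sample records with placeholder IDs (not real CVEs), one
# acceptable description plus the three failure shapes the check catches.
SAMPLE_RECORDS = [
    json.dumps({
        "cveMetadata": {"cveId": "CVE-1900-0001"},
        "containers": {"cna": {"descriptions": [
            {"lang": "en", "value": "Example description long enough to pass the blank-description check."}
        ]}},
    }),
    json.dumps({
        "cveMetadata": {"cveId": "CVE-1900-0002"},
        "containers": {"cna": {"descriptions": [{"lang": "en", "value": "   \u00a0 "}]}},
    }),
    json.dumps({
        "cveMetadata": {"cveId": "CVE-1900-0003"},
        "containers": {"cna": {"descriptions": [{"lang": "en", "value": "x"}]}},
    }),
    json.dumps({
        "cveMetadata": {"cveId": "CVE-1900-0004"},
        "containers": {"cna": {"descriptions": []}},
    }),
]

if __name__ == "__main__":
    for problems in check_records(SAMPLE_RECORDS).values():
        for problem in problems:
            print(problem)
```

The check deliberately collapses whitespace before measuring length, since a description padded with non-breaking spaces would otherwise pass a naive `len(value) > 1` test; a schema-level `minLength` constraint, which the notes say is the intended long-term fix, has the same blind spot unless paired with a pattern that requires a non-whitespace character.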
* WG Chairs continue to struggle with having adequate coverage for the working groups and need help in the areas of meeting moderation and administration. The Program can help in a couple of ways: moderate meetings as needed, and help with outreach for volunteers. OCWG can also help with messaging and outreach.
* Outreach and Communications Working Group (OCWG)
  * The OCWG met last month to talk about updating the CVE Program overview video. It is a few years old with some outdated information. For example, it needs an updated organization chart (and associated text) and encouragement for the community to join working groups.
  * Looking into different industry events as opportunities to promote CVE. Initial list of 16-18 events. Can also help with communications for Board members, Roots, or CNAs who may present at an event.
  * Two podcasts in the pipeline. One with SPWG called "Leveraging KEV<https://www.cisa.gov/known-exploited-vulnerabilities-catalog> for Patching CVEs" and the other with CISA ICS to talk about addressing misconceptions some organizations have about becoming a CNA.
* CNA Coordination Working Group (CNACWG)
  * Continue to explore ArchiveBox<https://archivebox.io/> for combating link rot.
  * Published a video about how to use Vulnogram<https://www.youtube.com/watch?v=6LF98w8xtQ8>, and the link has been distributed to the CNA list.
  * Introduced an idea to have a short survey for new CNAs about 30 days after their announcement to get input on their onboarding experience and whether there is anything they need help with.
* Strategic Planning Working Group (SPWG)
  * The CNA rules update continues, and ADP is a shared focus. A timeline for rules completion is a topic for discussion at the SPWG meeting later today. At some point the rules need to be finalized so they are not always a work-in-progress.
  * Want to get to a more regular rules update cycle, but not quite set up yet for a continuously evolving document. Part of the problem is adapting what is currently being worked out live to the several-years-old rules on paper.
* Council of Roots Update
  * Discussed Root pipeline status (CNA prospects/recruiting):
    * Five new CNAs under the MITRE Top-Level Root.
    * Two new CNAs under CISA ICS.
    * INCIBE has a large list of prospects, waiting for approval to contact.
    * JPCERT/CC has done a lot of outreach recently, going to meetings with TWCERT/CC and KrCERT/CC, and they also attended the RSA Conference.
  * Reminded Roots that becoming a Root requires a track record of being a CNA. There was discussion whether that needs to be a requirement, or whether it creates inertia, e.g., a Root candidate might have CNA-experienced staff even if the Root itself has not been a CNA. Would need some education process for Roots about CNAs during onboarding if we do not ask them to be a CNA first.
  * Short discussion regarding the CISA ICS Top-Level Root scope and name change. Nothing additional since the last Board discussion; waiting on the CISA ICS revised scope and structure write-up.
  * Question: Maybe a month or so ago it came up that some of the onboarding documentation was still encouraging legacy practices. What is being done to update it? Answer: Some of the legacy material just needs to be tossed where it points to something that is no longer reality. For the MITRE Top-Level Root, we do not talk about CVE JSON 4 anymore, only CVE JSON 5. We have also asked the other Roots to do the same.
  * Action item: remove any onboarding video/material that reflects legacy/old practices.

RSAC 2023 Update

* CVE hosted a booth at RSAC; some CNA partners came by and were given a partner pin to wear during the conference.
* Collected some solid leads for follow-up; expect to get 10 to 20 new CNAs as a result.

Summit Planning (virtual Fall 2023 / in-person Spring 2024)

* Critical item that we need to start planning early.
* Some Board members have mentioned wanting to coordinate with other events, like the FIRST PSIRT SIG Technical Colloquium.
* A virtual attendance option is preferred for those who cannot attend in person.
* Board thoughts on a formalized body to start thinking about this:
  * Get people to understand the time frame for the summit to help with planning.
  * Hold two events. A fall virtual summit should be more about how a CNA does its job in the highest-quality way, so more technical. A spring hybrid summit (in person and virtual) should be more about where the program has been in the last year, what the program is going to do next, and how CVE data is used in real life. Not just status reporting.
  * In the ramp-up to the next in-person summit, start soliciting speakers from organizations that are using CVE data, so they can share their experience.
* There was consensus to form a new temporary working group to focus on Summit planning, the Annual Report, and the upcoming CVE 25th anniversary. Finding volunteers is a challenge.
* How can we ask the CNAs to step up and be part of the planning process? One idea is a call for papers (CFP) to the CNA mailing list.
* Co-locating with another event/conference would be preferred.

Annual Report Planning (sub WG)

* This activity will roll into the new working group when it is formed.
* We have an example/template from Intel with good examples of the types of things that might be useful.
* The SPWG has started writing about three or four pages of the sort of things that will fit in the template. Want an established template that can be reused each year. Can share with the group when the template is more complete (June timeframe).

Open Discussion

* The next Board meeting will be in three weeks (May 24).

Review of Action Items

* The action items list needs a cleanup and a new numbering system (new action item 05.03.02). Some items are quite old.
Next CVE Board Meetings

· Wednesday, May 24, 2023, 2:00pm – 4:00pm (EDT)
· Wednesday, June 7, 2023, 9:00am – 11:00am (EDT)
· Wednesday, June 21, 2023, 2:00pm – 4:00pm (EDT)
· Wednesday, July 5, 2023, 9:00am – 11:00am (EDT)
· Wednesday, July 19, 2023, 2:00pm – 4:00pm (EDT)
· Wednesday, August 2, 2023, 9:00am – 11:00am (EDT)

Discussion Topics for Future Meetings

· Review draft charter for the new working group
· Sneak peek/review of the annual report template SPWG is working on (June timeframe)
· Bulk download response from the community about Reserved IDs
· Finalize 2023 CVE Program priorities
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting, next is May 24, 2023)
· Council of Roots meeting highlights (next is May 24, 2023)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default configurations
· CVE Communications Strategy