CVE Board Meeting Notes

May 24, 2023 (2:00 pm - 4:00 pm EDT)

*       2:00-2:05        Introduction

*       2:05-3:25        Topics

           *   Working Group Updates
           *   ADP Pilot
           *   Summit Planning Sub-Working Group
           *   GitHub Pilot Retirement

*       3:25-3:35        Open Discussion

*       3:35-3:55        Review of Action Items

*       3:55-4:00        Closing Remarks
New Action Items from Today's Meeting
Action Item #
New Action Item
Responsible Party
Send notification to CNAs and the Board about using for RBP 
tracking/status. Include instructions for getting access.

Review the RBP process to better understand its strengths and weaknesses.
Project Leader

Working Group Updates

  *   Automation Working Group (AWG)
     *   Current focus is on the ADP Pilot and working with SPWG to define and 
implement requirements.
     *   Also fixing the remaining CVE Services issues.
     *   Available to provide consultation to CNAs who are having technical 
trouble migrating to JSON 5. This would supplement the existing training 
materials, videos, and documentation.
  *   CNA Coordination Working Group (CNACWG)
     *   Actively archiving CVE references at<>. About halfway through.
     *   Question: There was good discussion at the Summit about the mentoring 
program. Have you seen any increase in either those wanting to mentor or those 
wanting to get help?
        *   Answer: there has been a slight uptick in folks signing up for 
mentoring, and right now nearly everyone is matched up with a mentor.
  *   Quality Working Group (QWG)
     *   Working with the AWG through a handful of issues related to the JSON 5 
record format. When ready, will do a patch release.
     *   Also talking about updates for the next minor release.
  *   Outreach and Communications Working Group
     *   Two podcasts in the pipeline:
        *   One scheduled for recording next Wednesday with CISA to address 
misconceptions some organizations have about becoming a CNA.
        *   The other is to be scheduled with the SPWG, and is about leveraging 
KEV<> for CVE.
     *   Published a blog about the Summit, designed to encourage recruitment 
and show CVE as a community and its benefits.
     *   Revisions of the introduction video about CVE are well underway.
     *   Question: Is it possible when you post blogs and other items to the 
website to send an email to the Board list so we can help promote it and spread 
the word?
        *   Answer: Yes, we can start doing that for blogs, podcasts, and 
  *   Strategic Planning Working Group (SPWG)
     *   Two recent focus areas:
        *   ADP pilot requirements (working with AWG) are in pretty good shape. 
The ADP pilot initially will focus on the references and getting references 
        *   Also working on the CNA Rules update. Getting some pushback on 
cloud rules and the definition of cloud technology.
  *   Tactical Working Group (TWG)
     *   Continued working on the schedule for getting the API endpoints in 
     *   The program has a backup plan that can be used to help CNAs in an 
emergency, e.g., large upload and Vulnogram is down.
     *   Comment about maybe moving ADP under the TWG (and away from SPWG) at 
some point after implementation gets underway.
     *   Question: For AWG, what is happening with the new website search 
        *   Answer: Requirements were solicitated, working on user stories and 
development schedule with TWG. It's the second priority after ADP pilot.
ADP Pilot

  *   CVE Services interfaces are scheduled to be released into the testing 
environment the week of June 19.
  *   Code can be viewed on the GitHub repository.
  *   Test management and design strategy are in progress.
     *   Agreement that testing should be on a complete copy of production data.
     *   Agreement that no data will move from the test environment to the 
production environment.
     *   Discussion about having three environments: a dedicated test 
environment for the user community, and internal test and production 
environments. Will look into this and report back.
     *   Agreement to notify the community that data can be wiped at any time 
and that that should be expected.
  *   The Board agreed with the recommendation to not make any changes to the 
website for the ADP pilot. How to render ADP information on the site will be 
part of ADP production planning, not pilot planning.
  *   Secretariat ADP Reference pilot is moving along nicely. Some prototype 
code has been developed, which will be publicly available.
Summit Planning Sub-Working Group

  *   Since the last meeting, the idea of the Summit sub-WG was mentioned to 
the community (at the CNACWG meeting).
  *   An active CNA is interested in leading the new group, and a Board member 
also volunteered to help lead the effort.
  *   The Working Group Operations 
 is a useful resource to get started with a new working group. An early task is 
the development of the Charter. An example will be provided.
GitHub Pilot Retirement

  *   Notified CNAs about the June 30 date to discontinue using the web request 
  *   Notified the subset (31) of CNAs that have used the GitHub submission 
pilot in the last year that the pilot will shut down after June 30. Custom 
emails (based on CNA usage) were sent with guidance on transitioning to CVE 
  *   Set up two June meetings where participants in the pilot will be asked to 
send a representative to tell us their transition plans, ask questions, etc.
  *   Program will be prepared to provide additional support after June 30 for 
any CNAs that need it. Also, CNAs can use the Slack channel to get help from 
other members of the community.
Open Discussion

  *   July 5 meeting will be cancelled due to the U.S. Independence Day holiday.
  *   RBPs
     *   Used to get monthly/quarterly notifications about RBPs. Now, everybody 
has an RBP board on, and you have to go look up your RBP status. 
Need to get RBPs back on the radar.
     *   Process was changed to make better use of program resources and give 
CNAs the flexibility to see their RBP status at any time.
     *   A notice will be sent to all CNAs and the Board about the change and 
instructions for getting access to (action).
     *   A review of the RBP process will be performed to better understand its 
strengths and weaknesses (action).
     *   Question: Are there two different scrapers, one for RBPs and one for 
References? Do they use the same technology?
        *   Answer: For References, the program uses 
DIFFBOT<>. For RBPs, we use custom scrapers. No further 
development is planned for these; there are too many website changes, and they 
cannot scale. Must rely on them until new technology is in place, and there are 
higher priorities right now.
     *   Question: Do all Board members have a account?
        *   Answer: No. A summary roll up version of the RBP data will be 
generated and provided to the Board. Longer term, Board members will be 
provided access to after the transition to the enterprise version 
June 1. It will take a few weeks after June 1 to fully integrate with our 
corporate authentication systems, and learn new features and more granular 
controls that we gain with enterprise.
Review of Action Items
Out of time.
Next CVE Board Meetings

*       Wednesday, June 7, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, June 21, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, July 19, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, August 2, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, August 16, 2023, 2:00pm - 4:00pm (EDT)
Discussion Topics for Future Meetings

*       Review draft charter for new working group (for Summit planning, Annual 
Report, and the upcoming CVE 25th anniversary)

*       Sneak peak/review of annual report template SPWG is working (June 

*       Bulk download response from community about Reserved IDs

*       Finalize 2023 CVE Program priorities

*       CVE Services updates and website transition progress (as needed)

*       Working Group updates (every other meeting, next is June 21)

*       Council of Roots meeting highlights (next is June 21)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 

*       CVE Communications Strategy

Reply via email to