CVE Board Meeting Notes

June 21, 2023 (2:00 pm - 4:00 pm EDT)


*       2:00-2:05        Introduction

*       2:05-3:25        Topics

           *   Working Group Updates
           *   Council of Roots Update
           *   Communicating the Deprecation of Legacy Download Formats

*       3:25-3:35        Open Discussion

*       3:35-3:55        Review of Action Items

*       3:55-4:00        Closing Remarks
New Action Items from Today's Meeting
Action Item #
New Action Item
Responsible Party

Identify/collect existing ADP documentation, and post (or provide links) to 
GitHub where everyone can access.

Write up CVE record update guidance. The writeup will be distributed to the 
Board for review/vote using the list.

Collect MITRE Top Level Root record dispute data and publish on the CVE website 
metrics section.

Use the Board list to hold a vote on going forward with the deprecation 
plan/schedule. Allow a one week response time.

Develop a pull request template for CVE Program GitHub Pilot submissions 
deprecation warning.

Working Group Updates

  *   AWG
     *   ADP Pilot has been released into the initial testing environment (AWG 
community testing). Scheduled for four weeks. Next will be to move the 
interfaces for ADP Pilot into CVE Services 2.2 in the July timeframe.
     *   Have also been working with the website development team on the search 
capability. Discussing what technology should be used. Creating an architecture 
to present to the community in the next month.
     *   Issued a bulk download fix this month.
     *   The AWG action item, to make a reserved CVE available to the public in 
a consistent way across all the technology, has been started. Have come up with 
an architecture to do this. Estimate eight weeks development time to make that 
capability available.
     *   Question: What is the decision about allowing the deletion of ADP 

     *   Answer: AWG and SPWG have discussed in depth, and the opinion is to 
not allow the deletion of ADP containers during the pilot, and revisit later 
based on results. For now, updates will be allowed, but not deletion.

  *   Comment: Seems to be a lot of confusion in the community about ADP, e.g., 
its role in the program and the privileges that come with being an ADP.
  *   Comment: If you are unable to participate in all ADP discussions, but 
want to understand and weigh in, would like an easy way to find related 
documentation about proof of concept, decisions made/rationale, etc. The pilot 
architecture and schedule can be shared. And other information such as user 
stories and requirements, and an overview brief of what ADP is can also be 
shared. Action item to identify/collect existing ADP documentation, and post 
(or provide links) to GitHub where everyone can access.

  *   SPWG
     *   Making progress on the CNA rules update. Hope to have something by the 
end of August. Slow process, essentially rewriting the rules from scratch. In 
the future, want to have a process that allows more continuous updates as 
needed, and does not rely on a big bang update.
     *   Also have been assisting AWG with ADP Pilot requirements.
  *   CNACWG
     *   Have been reminding members about the June 30 deadline and not getting 
     *   There was a question at a recent meeting asking how we can make life 
better for non-English speaking CNAs. Onboarding and training are difficult in 
these cases. This could become a bigger problem as the international community 
of CNAs grows.
  *   QWG
     *   Our focus right now is on a patch update for the JSON 5.0 record 
format. A link<> to the 
current remaining issues was provided. Some of what we're doing is tightening 
up some areas in the schema where we allowed additional data to be provided 
that shouldn't have been. It's very important to not break anything with 
existing records. Hopefully release sometime in July.
     *   Next focus will be on 5.1 related issues.
  *   TWG
     *   A discussion topic at the last meeting was about CNAs updating 
records. The program needs to provide guidance about dos and don'ts on this 
subject, e.g., it's okay to add more information, but it's not okay to delete 
anything or change descriptions. No changes will be allowed to pre-2016 
records. Action item to write the record update guidance (Secretariat). The 
writeup will be distributed to the Board for review/vote using the list.
     *   Question: What happens to records by CNAs who are no longer around?
        *   Answer: They revert back to the Root (this needs to be in the CNA 
     *   Another topic that came up was the clunkiness around transferring IDs 
and/or transferring records. We're going to get that straight in the CNA rules.
  *   Summit Planning Sub-Working Group
     *   The two co-chairs met and had a good conversation. We started 
discussing the schedule (pushing for March) and development of a charter (plan 
to have ready for Board review at next meeting).
     *   Would like to co-locate with another event and attract a broader 
vulnerability management community. Exploring location options and sponsors.
     *   Also working on recruiting for the sub-working group.
Council of Roots Update

  *   A record dispute was discussed at the meeting this morning. This was the 
first instance of an issue being escalated to the Council of Roots. A 
researcher identified a "vulnerability" and the CNA disagreed. It was escalated 
to the Root who also disagreed, so the final step was the Council. This is all 
before a CVE Record has been published, so the current dispute policy will be 
modified to include disputes around assignments. The Council accepted and 
agreed with the decisions of both the CNA and the Root and therefore those 
decisions stand.
  *   Question: Have we ever published information about the number of disputes 
and the number settled in favor of the vendor or researcher?
     *   Answer: No, but it can be done, at least for the MITRE Top Level Root. 
Action item to collect the data and publish on the CVE website metrics section.
  *   The Roots are working with their CNAs to move them to the new services.
Communicating the Deprecation of Legacy Download Formats

  *   A reference will be added to the legacy format records alerting people 
that the legacy formats are being deprecated, and also about the wind down 
period and shut off date.
  *   In the CSV file, there is old legacy text which will be removed and 
replaced with a deprecation warning.
  *   The wind down period lasts from January through June 2024. Over that 
period, the update frequency will decrease in increments (daily to weekly to 
monthly, etc.). After June 30, 2024, there will be no more updates. This is a 
deliberate approach to ensure tooling doesn't get broken in the process.
  *   Comment: We are deprecating JSON 4 which has been in place a long time, 
so there is a lot of tooling around that format. We want to make sure we do no 
harm to users in the shutdown. Keep up with communications and also pay 
attention to the number of monthly downloads March through June to make sure 
June 30 cutoff still makes sense (e.g., NVD readiness).
  *   Comment: Love the plan, it is real and gives people a long time line to 
get ready.
  *   Action for the Secretariat to execute a vote using the Board list on 
going forward with the deprecation plan/schedule. Allow a one week response.
Open Discussion

  *   GitHub Submission Pilot will be deprecated on June 30. Read-only will be 
turned off at the end of 2024. After that, pull requests will not be processed. 
Action to develop a 
 for pull request to warn submitters that CVE Record won't be created.
Review of Action Items
Out of time.
Next CVE Board Meetings

*       Wednesday, July 19, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, August 2, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, August 16, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, August 30, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, September 13, 2:00pm - 4:00pm (EDT)
Discussion Topics for Future Meetings

*       Review draft charter for new working group (for Summit planning, Annual 
Report, and the upcoming CVE 25th anniversary)

*       Sneak peak/review of annual report template SPWG is working (June 

*       Bulk download response from community about Reserved IDs

*       Finalize 2023 CVE Program priorities

*       CVE Services updates and website transition progress (as needed)

*       Working Group updates (next is July 19)

*       Council of Roots update (next is July 19)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 

*       CVE Communications Strategy

Reply via email to