CVE Board Meeting Notes

October 25, 2023 (9:00 am - 11:00 am EDT)

*       9:00-9:05        Introduction

*       9:05-10:25      Topics

           *   Working Group Updates
           *   Call for Vote: Multiple Members from the Same Organization 
(discussion on private CVE Board mailing list)

*       10:25-10:35    Open Discussion

*       10:35-10:55    Review of Action Items

*       10:55-11:00    Closing Remarks
New Action Items from Today's Meeting
New Action Item
Working Group Updates

  *   AWG
     *   Continued with CVE Services backlog curation. Initiated a 
reprioritizing of the backlog while there is a lull in ADP, which is awaiting 
decisions. ADP is currently in the demonstration environment.
     *   Website search capability is moving along; will be a big push in 
     *   Started the discussion about user registry requirements and the review 
of papers that have been produced. Pulling together proposed user stories that 
will be presented to the other working groups for concurrence. AWG is not the 
owner of the requirements, but working to move the process forward.
     *   Coordinated with QWG and SPWG about integration of JSON 5.1 into CVE 
Services. Concurrence of that integration is needed, and AWG is working on 
estimating the effort.
  *   CNACWG
     *   During the annual open nominations for CNACWG Chair, the only nominee 
was the current chair, who will serve for another year.
  *   OCWG
     *   Published a new 
 "CVE Records Keep Getting Better and Better" on the CVE blog.
     *   Currently developing a presentation about how the new and improved 
format of CVE Records will benefit consumers.
     *   Drafting a presentation on CVE for upcoming ShmooCon.
     *   Coordinating with the Roots on a podcast about their role, new partner 
recruitment, etc. Planning for the podcast is underway and recording is 
scheduled for early December.
     *   Information about the new Vulnerability Conference and Events Working 
Group (VCEWG<>) has been 
added to the CVE website. It includes a link to the 
  *   QWG
     *   QWG finalized release candidate for the CVE JSON 5.1 schema.
     *   One aspect of 5.1 integration is support for CVSS 4.0.
     *   The last QWG meeting included discussion about the link rot problem.
  *   SPWG
     *   The CNA Rules revision is a significant effort with many material 
changes. There are a couple sections left to complete, plus general editing, 
appendices, etc. After SPWG's final review, the document will be circulated in 
a formal review process (TBD) that will end with Board approval. Whether the 
process will include public review and comment is also TBD.
     *   During review updates, priority will be given to comments that include 
suggested new language.
     *   At the November 15 workshop, a revision update will be presented, 
including what to know and what major changes to expect.
     *   Now is the time to think about defining an easier and more repeatable 
process for updates in the future.
  *   TWG
     *   There has been lots of discussion, with AWG, about the technical 
details for implementation of ADPs. The issue will come to the Board eventually 
for a vote.
     *   Looking for three or four volunteers willing to participate on a panel 
at the workshop to discuss their real life experiences with RSUS and JSON 5.
  *   VCEWG
     *   The Spring conference will be at the McKimmon Center in Raleigh, NC, 
on March 25-27, 2024. We are working through the cost, meeting room rentals, 
etc. The logistics group is developing the 'save the date' email and a website 
for the event (hosted by FIRST and using their event & conference systems and 
registration). The programming group is drafting the call for papers.
Call for Vote: Multiple Members from the Same Organization

  *   Topic was brought up at the last Board meeting, and there was subsequent 
discussion on the private email list.
  *   A vote will be held on the email list; watch for an email from the 
Open Discussion

  *   JSON Schema Change
     *   Continued discussion about CVE JSON schema version and whether/how to 
represent and validate version information in CVE Records.
     *   Comments from the CVE Board:
        *   It is important to avoid breaking changes and also to avoid having 
to convert existing records for minor schema changes.
        *   Preference should be given to whatever is easier and least costly 
for CNAs to implement. Do not want to put CNAs in a position where they must 
update a lot of records for a small schema update.
        *   Regardless of what choice we make, all the retrieved records should 
always say the same thing, so that if you're a downstream consumer, you only 
need one copy of the schema. The latest copy at any point in time.
        *   We must ensure we communicate what the change means for CNAs. The 
message should include information that when you download a record from CVE 
Services, it will be valid according to the latest version of the schema and 
users should not need to maintain multiple local versions of the schema.
        *   Business requirements need to be defined and documented. Need to 
design and conduct tests to get specific information about what can break and 
the impact. A document will be created and posted to GitHub to capture the 
issue and recommendations; a link will be shared so others can review/comment.

Review of Action Items
Out of time.
Next CVE Board Meetings

*       Wednesday, November 8, 2023, 2:00pm - 4:00pm (EST)

*       Wednesday, November 22, 2023, 9:00am - 11:00am (EST)

*       Wednesday, December 6, 2:00pm - 4:00pm (EST)

*       Wednesday, December 20, 2023, 9:00am - 11:00am (EST)

*       Wednesday, January 3, 2024, 2:00pm - 4:00pm (EST)

*       Wednesday, January 17, 2024, 9:00am - 11:00am (EST)
Discussion Topics for Future Meetings

*       Sneak peek/review of annual report template SPWG is working on

*       Bulk download response from community about Reserved IDs

*       CVE Services updates and website transition progress (as needed)

*       Working Group updates (every other meeting)

*       Council of Roots update (every other meeting)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 

*       CVE Communications Strategy

Reply via email to