CVE Board Meeting Notes
October 25, 2023 (9:00 am - 11:00 am EDT)
Agenda
* 9:00-9:05 Introduction
* 9:05-10:25 Topics
  * Working Group Updates
  * Call for Vote: Multiple Members from the Same Organization (discussion on private CVE Board mailing list)
* 10:25-10:35 Open Discussion
* 10:35-10:55 Review of Action Items
* 10:55-11:00 Closing Remarks
New Action Items from Today's Meeting
* New Action Item: N/A
Working Group Updates
* AWG
  * Continued with CVE Services backlog curation. Initiated a reprioritization of the backlog while there is a lull in ADP work, which is awaiting decisions. ADP is currently in the demonstration environment.
  * Website search capability is moving along; there will be a big push in November.
  * Started the discussion about user registry requirements and the review of papers that have been produced. Pulling together proposed user stories that will be presented to the other working groups for concurrence. AWG is not the owner of the requirements, but is working to move the process forward.
  * Coordinated with QWG and SPWG about integration of JSON 5.1 into CVE Services. Concurrence on that integration is needed, and AWG is working on estimating the effort.
* CNACWG
  * During the annual open nominations for CNACWG Chair, the only nominee was the current chair, who will serve for another year.
* OCWG
  * Published a new article, "CVE Records Keep Getting Better and Better," on the CVE blog: <https://www.cve.org/Media/News/item/blog/2023/10/17/CVE-Records-Keep-Getting-Better>
  * Currently developing a presentation about how the new and improved format of CVE Records will benefit consumers.
  * Drafting a presentation on CVE for the upcoming ShmooCon.
  * Coordinating with the Roots on a podcast about their role, new partner recruitment, etc. Planning for the podcast is underway and recording is scheduled for early December.
  * Information about the new Vulnerability Conference and Events Working Group (VCEWG, <https://www.cve.org/ProgramOrganization/WorkingGroups>) has been added to the CVE website. It includes a link to the charter: <https://www.cve.org/Resources/Roles/WorkingGroups/VCEWG/VCEWG-Charter.pdf>
* QWG
  * QWG finalized the release candidate for the CVE JSON 5.1 schema.
  * One aspect of 5.1 integration is support for CVSS 4.0.
  * The last QWG meeting included discussion about the link rot problem.
* SPWG
  * The CNA Rules revision is a significant effort with many material changes. There are a couple of sections left to complete, plus general editing, appendices, etc. After SPWG's final review, the document will be circulated in a formal review process (TBD) that will end with Board approval. Whether the process will include public review and comment is also TBD.
  * During review updates, priority will be given to comments that include suggested new language.
  * At the November 15 workshop, a revision update will be presented, including what to know and what major changes to expect.
  * Now is the time to think about defining an easier and more repeatable process for updates in the future.
* TWG
  * There has been lots of discussion, with AWG, about the technical details for implementation of ADPs. The issue will come to the Board eventually for a vote.
  * Looking for three or four volunteers willing to participate on a panel at the workshop to discuss their real-life experiences with RSUS and JSON 5.
* VCEWG
  * The Spring conference will be at the McKimmon Center in Raleigh, NC, on March 25-27, 2024. We are working through the cost, meeting room rentals, etc. The logistics group is developing the 'save the date' email and a website for the event (hosted by FIRST and using their event & conference systems and registration). The programming group is drafting the call for papers.
Call for Vote: Multiple Members from the Same Organization
* The topic was brought up at the last Board meeting, and there was subsequent discussion on the private email list.
* A vote will be held on the email list; watch for an email from the Secretariat.
Open Discussion
* JSON Schema Change
  * Continued discussion about the CVE JSON schema version and whether/how to represent and validate version information in CVE Records.
  * Comments from the CVE Board:
    * It is important to avoid breaking changes and also to avoid having to convert existing records for minor schema changes.
    * Preference should be given to whatever is easier and least costly for CNAs to implement. The Board does not want to put CNAs in a position where they must update a lot of records for a small schema update.
    * Regardless of what choice is made, all retrieved records should always say the same thing, so that a downstream consumer only needs one copy of the schema: the latest copy at any point in time.
    * We must ensure we communicate what the change means for CNAs. The message should include information that when you download a record from CVE Services, it will be valid according to the latest version of the schema, and users should not need to maintain multiple local versions of the schema.
    * Business requirements need to be defined and documented. Tests need to be designed and conducted to get specific information about what can break and the impact. A document will be created and posted to GitHub to capture the issue and recommendations; a link will be shared so others can review and comment.
Review of Action Items
Out of time.
Next CVE Board Meetings
* Wednesday, November 8, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, November 22, 2023, 9:00am - 11:00am (EST)
* Wednesday, December 6, 2:00pm - 4:00pm (EST)
* Wednesday, December 20, 2023, 9:00am - 11:00am (EST)
* Wednesday, January 3, 2024, 2:00pm - 4:00pm (EST)
* Wednesday, January 17, 2024, 9:00am - 11:00am (EST)
Discussion Topics for Future Meetings
* Sneak peek/review of annual report template SPWG is working on
* Bulk download response from community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default
configurations
* CVE Communications Strategy