CVE Board Meeting Minutes
December 11, 2024 (2:00 p.m. – 4:00 p.m. EST)
Agenda
* Introduction
* Topics
* Working Group Updates
* CVE Guardrails for AI Assignment
* VulnCon2025: CVE Program Presentations Discussion
* Update on Outreach to “Inactive CNAs”
* Open Discussion
* Review of Action Items
* Closing Remarks
New Action Items from Today’s Meeting
* VulnCon 2025: Discuss and coordinate conference topics through the working
groups and the CVE Board email listserv. (Responsible party: CVE Board)
* VulnCon 2025: Submit the idea of a panel discussion on cloud vulnerabilities
and no-action CVEs to VulnCon. (Responsible party: CVE Board)
* CVE Guardrails: Discuss (with the CVE AI WG Chair) a timeline for the AI
Working Group to report its findings and recommendations by the first Board
meeting in January. (Responsible party: Secretariat)
Topics
Quality Working Group (QWG):
* Schema Update:
  * Released CVE Record Format version 5.1.1, which adds the CPE Applicability
  Array.
  * Preparing a guidance document on the CPE Applicability Array, targeted
  for release in January 2025.
* Survey Progress:
  * Developing a CVE Data Consumer Survey to better understand consumer
  needs; it will be finalized in January for Board review.
* Open Issues:
  * Actively working 73 open issues, prioritizing closures and discussion
  of the larger unresolved matters.
Automation Working Group (AWG):
* Key Deployments:
  * Completed the CVE Services 2.5.0 rollout, which incorporates schema
  version 5.1.1.
  * Launched phase two of the keyword search capability on cve.org.
* Planning for 2025:
  * Preparing the CVE Services 2.5.1 maintenance deployment for January
  2025.
  * Actively exploring solutions for archiving references to combat link
  rot.
Outreach and Communications Working Group (OCWG):
* Video and Blog Updates:
  * Published 15 workshop videos and promoted them through social media
  and blogs.
  * Nine blogs have been published since November, covering topics such as
  the CWE Top 25 list and CVE keyword search.
* Onboarding Video Revisions:
  * Updating the CNA onboarding videos to align with the CNA Rules version
  4.0. One is complete; updates to the others are underway.
AI Working Group (AIWG):
* Expert Presentations:
  * A guest speaker presented on the ATLAS project, focusing on AI risk
  databases and collaboration with organizations such as JCDC and NATO.
* Survey Initiative:
  * Developed a survey to determine what is CVE-able in AI technology.
  Feedback will be collected from the broader community.
* Cross-Silo Collaboration:
  * Reviewed recent CWE entries for AI-related weaknesses to inform CVE
  assignment policy for AI.
* Membership Growth:
  * The group has grown to 30 members, though attendance varies from
  meeting to meeting.
Strategic Planning Working Group (SPWG):
* No updates to report.
Tactical Working Group (TWG):
* Discussed operational topics such as deploying the keyword search
functionality and writing blogs.
* Nothing significant to report; most discussion focused on routine
updates.
CNA Organization of Peers (COOP):
* No updates to report.
Vulnerability Conference and Events Working Group (VCEWG):
* No updates to report.
________________________________
CVE Guardrails for AI Assignment
* A board member expressed the urgency of defining CVE guardrails for AI
vulnerabilities. Without clear guidelines, external organizations might shape
the scope of CVEs in AI, potentially leading to inconsistencies.
________________________________
Discussion of CVE for Cloud Vulnerabilities
Background:
* Google published a blog on no-action CVEs, modeled on the similar
initiative Microsoft announced in June 2024. These CVEs document
vulnerabilities in cloud services that the provider has already remediated,
so customers need take no action, but which are still published for
transparency and risk awareness.
Discussion Points:
* Clarity for CNAs:
  * Concern that CNAs may misunderstand their obligations under this new
  approach.
* Proposed Actions:
  * Collaborate with the OCWG on a podcast or blog to address potential
  confusion.
  * Propose a panel discussion at VulnCon2025 with representatives from
  Google, Microsoft, and possibly Amazon.
________________________________
VulnCon2025: CVE Program Participation Discussion
OCWG Activities for VulnCon2025:
* Promoted awareness of VulnCon2025 through blogs and social media.
* Registration is open, and a “Save the Date” blog has been published.
Topics Proposed by the Board:
* Cloud Vulnerabilities:
  * Panel discussion on transparency and best practices for handling cloud
  vulnerabilities.
* False Positives:
  * Open forum to discuss challenges and solutions related to false
  positives in vulnerability scanning.
* CWEs and CVEs:
  * Proposed talk by a CVE Board member's team on using CWEs in internal
  product testing.
Call for Papers:
* Submission deadline: January 15, 2025.
* Early submissions are encouraged to avoid a last-minute overload and to
improve thematic planning.
________________________________
Update on Outreach to “Inactive CNAs”
Outreach Summary:
* The Secretariat contacted 124 CNAs that had been inactive for 12 months.
* Responses revealed a range of challenges:
  * Misunderstanding of CNA responsibilities and reliance on third-party
  services such as bug bounty platforms.
  * Claims of having no vulnerabilities to disclose.
  * Lack of familiarity with CVE Services.
Next Steps:
* Proposals include making CNA outreach an annual activity.
* The Secretariat will work with the CNA Roots to ensure engagement and
provide necessary training.
________________________________
Open Discussion
CPE Applicability Array:
* Two Board members discussed the new CPE Applicability Array, which is
currently being used in Microsoft records (released on Patch Tuesday).
* Work on the CPE Applicability Array guidance document continues, with
plans to release it in early January.
* A Board member raised concerns about problems in the CPE match items of
those records, such as duplicated match entries and multiple version ranges
for the same product. The Board acknowledged these issues and said they
would be corrected soon.
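The two data-quality problems raised above (duplicated CPE match entries and multiple version ranges for one product) are easy to check mechanically once records carry the 5.1.1 array. The following linter is an added example, not CVE Program tooling or code from these minutes. It assumes the field layout `containers.cna.cpeApplicability[].nodes[].cpeMatch[]` with the `versionStart*`/`versionEnd*` bound keys, and runs over a constructed sample record embedded in the block.

```python
"""Lint the cpeApplicability array of a CVE Record Format 5.1.1 record.

Assumed layout (an assumption of this example, not quoted from the schema):
  containers.cna.cpeApplicability -> [ { "operator", "negate", "nodes": [
      { "operator", "negate", "cpeMatch": [
          { "vulnerable": bool, "criteria": "cpe:2.3:...",
            "versionStartIncluding"/"versionStartExcluding",
            "versionEndIncluding"/"versionEndExcluding" } ] } ] } ]
"""
from collections import defaultdict

VERSION_KEYS = ("versionStartIncluding", "versionStartExcluding",
                "versionEndIncluding", "versionEndExcluding")


def parse_cpe23(criteria):
    """Split a CPE 2.3 formatted string into its 13 components.

    A colon escaped with a backslash is part of a component, not a separator,
    so a naive criteria.split(":") would miscount fields for such products.
    """
    parts, cur, escaped = [], [], False
    for ch in criteria:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return parts


def product_key(criteria):
    """(part, vendor, product) identifies the product a match entry covers."""
    p = parse_cpe23(criteria)
    return (p[2], p[3], p[4])


def lint_cpe_applicability(record):
    """Return (location, kind, detail) findings for one CVE record dict."""
    findings = []
    apps = record.get("containers", {}).get("cna", {}).get("cpeApplicability", [])
    for ai, app in enumerate(apps):
        for ni, node in enumerate(app.get("nodes", [])):
            seen = set()                  # exact duplicates within this node
            ranges = defaultdict(list)    # product -> locations of its entries
            for mi, m in enumerate(node.get("cpeMatch", [])):
                where = f"cpeApplicability[{ai}].nodes[{ni}].cpeMatch[{mi}]"
                try:
                    key = product_key(m["criteria"])
                except (KeyError, ValueError) as exc:
                    findings.append((where, "invalid-criteria", str(exc)))
                    continue
                # A bound given both inclusively and exclusively is ambiguous.
                if (("versionStartIncluding" in m and "versionStartExcluding" in m)
                        or ("versionEndIncluding" in m and "versionEndExcluding" in m)):
                    findings.append((where, "conflicting-bounds", m["criteria"]))
                fingerprint = (m["criteria"], m.get("vulnerable", True),
                               tuple(m.get(k) for k in VERSION_KEYS))
                if fingerprint in seen:
                    findings.append((where, "duplicate-match", m["criteria"]))
                    continue
                seen.add(fingerprint)
                ranges[key].append(where)
            # Several distinct ranges for one product are legal but were the
            # pattern questioned in the minutes, so surface them for review.
            for key, locs in ranges.items():
                if len(locs) > 1:
                    findings.append((locs[-1], "multiple-ranges",
                                     ":".join(key) + f" ({len(locs)} ranges)"))
    return findings


# Constructed sample record: not a real CVE, built only to exercise the linter.
SAMPLE_RECORD = {
    "cveMetadata": {"cveId": "CVE-0000-00000"},
    "containers": {"cna": {"cpeApplicability": [{"operator": "OR", "negate": False,
        "nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
            {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:widget:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "1.0", "versionEndExcluding": "1.4"},
            {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:widget:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "1.0", "versionEndExcluding": "1.4"},   # duplicate
            {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:widget:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "2.0", "versionEndExcluding": "2.2"},   # second range
            {"vulnerable": True, "criteria": "cpe:2.3:o:examplevendor:gadget_os:*:*:*:*:*:*:*:*",
             "versionEndIncluding": "3.1", "versionEndExcluding": "3.2"},     # conflicting
        ]}]}]}},
}

if __name__ == "__main__":
    for location, kind, detail in lint_cpe_applicability(SAMPLE_RECORD):
        print(f"{kind:20} {location}: {detail}")
```

The checks operate per node because a product legitimately appears in several nodes (for example, one node per affected platform), so cross-node repetition is not flagged. A CNA can run this over its own records before submission, or a consumer over a bulk download, and decide which "multiple-ranges" hits are intended and which are the kind of error the Board said would be corrected.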
Link Rot Issue:
* A Board member raised the issue of link rot in CVE references, which was
discussed in a recent podcast with Paul Asadoorian.
* The AWG’s chair confirmed that the working group is actively working on
addressing this problem and finding solutions for archiving references.
Review of Action Items
None.
Next CVE Board Meetings
* Wednesday, January 8, 2025, 9:00am – 11:00am (EST)
* Wednesday, January 22, 2025, 2:00pm – 4:00pm (EST) - Working Group Updates
* Wednesday, February 5, 2025, 9:00am – 11:00am (EST)
* Wednesday, February 19, 2025, 2:00pm – 4:00pm (EST) - Working Group
Updates
* Wednesday, March 5, 2025, 9:00am – 11:00am (EST)
Discussion Topics for Future Meetings
* End user working group write-up discussion
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Researcher Working Group proposal for Board review
* Council of Roots update (every other meeting)
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy
This document includes content generated with the assistance of Microsoft Teams
Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the
initial draft of the meeting minutes and provide suggestions for summarizing
key discussion points. All AI-generated content has been reviewed and edited by
the CVE Program prior to publishing. Please report any inaccuracies or other
issues to the CVE Program.