CVE Board Meeting Minutes
January 22, 2025 (2:00 p.m. – 4:00 p.m. EST)
Agenda
* Introduction
* Topics
* Working Group Updates
* Data Enrichment into Records on the CVE List
* Operational Concerns for Secretariat/MITRE TL Root
* CVE Board Maturity and Roles
* Review of Action Items
* Closing Remarks
Topics
Working Group Updates
Automation Working Group (AWG):
* Priorities for 2025: The AWG reported (via proxy) that its priorities for
2025, as discussed at its 1/7/2025 meeting, include:
* Continuing to advance the CVE List Search Capability (building on the
December 11, 2024 deployment)
* Develop/Deploy a User Registry Capability
* Recommend and Deploy a Reference Archiving Solution
* Augment the CVE Bulk Download capability to include Reserved
CVE ID information.
* CVE Services 2.5.1: The AWG reviewed and recommended the deployment of
CVE Services 2.5.1 (which was deployed on 1/22/2025). This release includes
minor modifications including automatic availability of new CVE IDs in the new
year and UTC for all date fields. The full release notes can be found at:
Release v2.5.1 · CVEProject/cve-services
<https://github.com/CVEProject/cve-services/releases/tag/v2.5.1>.
* Archiving CVE Record References: The AWG reviewed two proposed solutions
for Archiving CVE Record references. A board recommendation is forthcoming.
* Reserved CVE IDs as part of the Bulk Download Capability: The AWG
reviewed a proposed solution to include Reserved CVE ID information in the CVE
Bulk Download capability. This discussion was not completed and will continue
in the next month.
CNA Organization of Peers (COOP):
The group met as scheduled providing a venue for CNA members to discuss current
topics. No major activity was reported.
AI Working Group (AIWG):
* The AIWG reported ongoing work, including a survey on CVE assignment, a
draft blog series, and ongoing discussions on AI-related vulnerabilities. The
group is working on clarifying AI terminology and establishing guardrails for
CVE assignment.
* Survey on CVE Assignment: The AIWG conducted a survey on CVE
assignments, gathering data on members' thoughts and specific cases where CVEs
would be assigned. The survey revealed surprisingly mixed results, indicating
ongoing challenges in defining AI-related vulnerabilities.
* Clarifying AI Terminology: The group is focused on clarifying AI
terminology used in CVE guidance, including distinctions between models,
systems, architecture, and parameters.
* Establishing Guardrails: The AI Working Group is working on proposing
guardrails for CVE assignment and record publication in the AI context. This
includes developing guidance and recommendations to ensure consistent and
accurate handling of AI-related vulnerabilities.
* Draft Blog Series: The AI Working Group is working on a draft blog
series to provide updates on their progress and share insights with the broader
community. The blog will cover topics such as AI terminology, case studies, and
interpretations of CNA operational rules in the AI context.
Outreach and Communications Working Group (OCWG):
* An update on the Outreach and Communications Working Group's activities,
including publishing blogs, promoting campaigns, recording podcasts, and
working on videos, was provided. The group is moving to a bi-weekly meeting
schedule.
* Publishing Blogs: The group published six blogs, including two for the
CNA recognition list, a blog about keyword search, a blog about the 25th
Anniversary podcast, and a blog about Thales being a new root in the program.
* Promoting Campaigns: The group is actively promoting various
campaigns, including volunteer recognition, enriching records, and the CVE 25th
Anniversary. These campaigns are being promoted through blogs, social media
posts, and the CVE Announce newsletter.
* Recording Podcasts: The group recorded a 25th Anniversary podcast
episode and is also working on podcast topics related to root cause mapping,
in coordination with the CWE team, the upcoming CPE guide, and enriching
records with support from the MongoDB CNA.
* Working on Videos: The group is continuing their work on videos,
including the CNA video and the introduction video. They are moving to a
bi-weekly meeting schedule to focus on these projects and ensure timely
completion.
Quality Working Group (QWG):
* Updates on the Quality Working Group's activities were shared, including
the imminent release of the CPE Quick Start Guide on the CVE website on January
28, updates to the QWG Charter, a survey on CVE, and presentations on package
URLs (purl) and OmniBoard. The group is also preparing for a CPE tutorial
session at an upcoming conference.
* QWG Charter Updates: The QWG is working on updates to their charter,
incorporating suggestions from members to better define their goals and
outcomes. The updated charter will provide clearer guidance for the group's
activities.
* CVE Survey: The QWG created an informational document and a survey to
gather feedback. The survey includes questions designed to understand user
needs and preferences, and the results will inform future improvements.
* Presentations on PURL and OmniBoard: The QWG hosted presentations on
purl and OmniBoard, providing insights into these formats and their potential
applications. The group is considering how these formats could be integrated
into the CVE record format.
* VulnCon 2025 CPE Tutorial Session: The QWG is preparing for a CPE tutorial
session at VulnCon, which will include a 2-hour workshop. The QWG also plans to
present on the past, present, and future of the CVE record format at VulnCon.
The session aims to educate attendees on CPE and its role in the CVE program.
* Schema Record Format Issues: The QWG is meeting weekly to discuss
schema record format issues. They reported that they have almost completed the
first pass, with sixty issues still open.
* The JSON Schema project asked if CVE wanted to be listed as an adopter of
the long-form diagram.
Strategic Planning Working Group (SPWG):
* The Board was briefed on the SPWG's work. The focus was on the draft
procedure for disputing a CVE record, which is near completion and ready for
the Board to review, possibly after the SPWG’s next meeting on January 29.
* Potential Documents: The SPWG mentioned other possible undrafted
documents, such as CVE Program policy and procedures for disputing CVE records,
CNA rules violation, CNA responsiveness, CNA scope issues, and challenges to
CVE rules.
Tactical Working Group (TWG):
* The Board discussed the TWG’s progress on various topics, including the
CPE Quick Start Guide, the legacy website transition, and the 25th anniversary
video, which is being produced with the assistance of the MITRE Corporate
Communications Team.
Vulnerability Conference and Events Working Group (VCEWG):
* The Board was provided updates on preparations for CVE’s presence at
VulnCon 2025 including sponsorships, registrations, submissions, and the review
process that the VCEWG is responsible for. The group is working on organizing
CVE’s presence at VulnCon 2025 and addressing potential themes.
* CVE Agenda for VulnCon: VCEWG anticipated producing an agenda by the
middle of February.
* Themes for CVE Program Participation at VulnCon: A number of
themes were discussed, including CNA spotlights, award ceremonies for CNAs, and
a CVE 25th anniversary booth.
________________________________
Absorption of Historical Data Enrichment into Records on the CVE List
* The Board discussed the issue of CVE Record completeness and the
potential for incorporating historical data from downstream partners.
* A proposal for the CVE program to engage with partners on collaborative
data enrichment was discussed.
________________________________
Operational Concerns for Secretariat/MITRE TL Root
* Deferred to next meeting due to time.
________________________________
CVE Board Maturity and Roles
* Deferred to next meeting due to time.
________________________________
Open Discussion
Review of Action Items
None.
Next CVE Board Meetings
* Wednesday, February 3, 2025, 9:00am – 11:00am (EST)
* Wednesday, February 19, 2025, 2:00pm – 4:00pm (EST) - Working Group
Updates
* Wednesday, March 5, 2025, 9:00am – 11:00am (EST)
* Wednesday, March 19, 2025, 2:00pm – 4:00pm (EST) - Working Group Updates
* Wednesday, April 2, 2025, 9:00am – 11:00am (EST)
Discussion Topics for Future Meetings
* End user working group write-up discussion
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Researcher Working Group proposal for Board review
* Council of Roots update (every other meeting)
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy
This document includes content generated with the assistance of Microsoft Teams
Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the
initial draft of the meeting minutes and provide suggestions for summarizing
key discussion points. All AI-generated content has been reviewed and edited by
the CVE Program prior to publishing. Please report any inaccuracies or other
issues to the CVE Program.