CVE Board Meeting Minutes
March 19, 2025 (2:00 p.m. – 4:00 p.m. EST)
Agenda
* Introduction
* Topics
* Working Group Updates
* RBP/Inactivity Outreach Update
* CNA Activity: CVE Record Publishing
* Review of Action Items
* Closing Remarks
New Action Items from Today’s Meeting
* Guidance Documents for Roots for outreach on RBPs, Inactive CNAs (Responsible Party: Secretariat)
* Review Of Proposal CNA Recruitment/Onboarding Document (Responsible Party: Board)
Topics
Working Group Updates
Automation Working Group (AWG):
* The AWG reported an April release timeframe for the next version of
CVE.org search, which builds on the December deployment, adding the capability
to process special characters. A wildcard capability will be added in the
release in the summer.
* Development of the user registry has begun with seven planned development
sprints, with community testing slated for early June.
* A subgroup under the AWG prototyping a reference archive capability was
highlighted, with four members of the AWG participating.
CNA Organization of Peers (COOP):
* COOP continues to provide a forum for CNA mentoring. New CNA participation
in the Pacific Time Zone meeting was highlighted.
Outreach and Communications Working Group (OCWG):
* OCWG provided an update on its activities, including publishing blogs,
promoting campaigns, recording podcasts, and working on videos.
* The group has ongoing campaigns for VulnCon 2025 and the CNA Enrichment
Recognition List with blogs and social media posts.
* The CVE Data Usage and Satisfaction Survey was promoted in two separate
blogs and weekly social media posts.
* In total, eight blogs were published last month on topics including Red
Hat’s new status as a CNA-LR, the program report for Q4 2024, and the second
in the CVE AI blog series.
* They are planning a CVE AI and a Working Groups podcast after VulnCon.
* Scripts are in review for updating the “How to Become a CNA” video.
CVE AI Working Group (CVEAI WG):
* The CVEAI WG reported that feedback from the AI blog post was very
limited, but broader commentary was positive. Comments on deployments and
integrations of AI models were generally well received, and the framing of AI
and its relationship with CVE resonated well.
* The group is currently focusing on how to provide additional guidance to
the community on CVE assignments under current CVE rules.
* The group is discussing two new topics: “model scheming” or unintended
behavior, and model backdooring.
Quality Working Group (QWG):
* The QWG reported 113 responses to the CVE Data Usage and Satisfaction
Survey so far. Results are distributed every Friday to Board members.
Discussion is planned for the meeting after VulnCon 2025.
* A presentation was given at the last QWG meeting proposing the addition
of purl and OmniBOR to the CVE Record format.
* The QWG awaits a finalized dispute policy resolution document from the
SPWG to implement changes in the backend.
Strategic Planning Working Group (SPWG):
* The SPWG reported that the CVE Record dispute policy document is nearing
final review. All comments are currently adjudicated and SPWG members were
asked to look for any last-minute issues. Recommendations will be made to the
Board once the document is finalized. Recommendations are expected to include
updates to the CVE glossary.
* The CNA operational rules document is currently under review, as a minor
version update, which is expected to include clarification of End-of-Life (EOL).
Tactical Working Group (TWG):
* The TWG is planning a post-VulnCon 2025 in-person meeting for Board
members. The first half of the meeting will be dedicated to a VulnCon hotwash
and CVE survey data, and the second half will focus on programmatic topics such
as infrastructure timeline in 2025, data quality, enrichment initiatives, and
AI in CVE.
Vulnerability Conference and Events Working Group (VCEWG):
* VCEWG provided updates on preparations for CVE’s presence at VulnCon 2025
including sponsorships, registrations, submissions, and the review process that
the VCEWG is responsible for.
________________________________
CNA Activity: RBP/Inactivity Outreach Update
* The Board was provided an update on the management of Reserved But Public
(RBP) CVE IDs and outreach efforts for potentially inactive CNAs.
* The presentation highlighted significant progress in reducing the number
of known RBPs from about 699 to 23 through targeted outreach, marking a
transition to a maintenance phase focused on monitoring and addressing new RBPs
as they arise.
* The inactive CNA outreach effort was outlined, describing the phased
approach to contacting CNAs that have not published CVEs within expected
timeframes and adjusting outreach strategies based on their responses.
* A discussion among Board members occurred about federating
responsibilities to Roots.
* Action items from the discussion included the need to document processes
and guidelines to aid Roots in managing CVE publication timeliness and CNA
inactivity effectively.
________________________________
CNA Activity: CVE Record Publishing
The Board focused on refining the criteria for CNA onboarding and activity
management through a collaboratively edited document shared via Google Docs.
This document aims to establish a structured framework for evaluating new CNAs,
ensuring they demonstrate readiness and maintain active participation in the
CVE program. Key discussion points hinged on setting clear expectations for CNA
readiness, onboarding, and compliance. The importance of publishing CVEs was
emphasized. CNAs must participate in the Program consistently to retain their
status as a CNA.
Future iterations of this guidance will be transferred to the Roots for
implementation. A revised version incorporating Board feedback will be
presented at the next meeting.
________________________________
The Board meeting was concluded after no other Open Discussion items were
volunteered.
Open Discussion
None.
Review of Action Items
None.
This document includes content generated with the assistance of Microsoft Teams
Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the
initial draft of the meeting minutes and provide suggestions for summarizing
key discussion points. All AI-generated content has been reviewed and edited by
the CVE Program prior to publishing. Please report any inaccuracies or other
issues to the CVE Program.