CVE Board Meeting Notes

February 1, 2023 (2:00 pm – 4:00 pm EST)
Agenda

·       2:00-2:05        Introduction

·       2:05-3:25        Topics

o   GDPR Conclusion

o   Council of Roots Update

o   Working Groups Updates

o   CVE Program Priorities for the First Half of 2023 (cont.)

o   CVE Program Global Summit: Agenda

·       3:25-3:35        Open Discussion

·       3:35-3:55        Review of Action Items

·       3:55-4:00        Closing Remarks
New Action Items from Today’s Meeting

  *   02.01.01: Ask CNA community and working groups if they have concerns, or 
know of a use that would be harmed, if bulk download capability of Reserved 
IDs was stopped. If no, the capability will be stopped.
     *   Responsible Party: Secretariat
     *   Due: two weeks for response
  *   02.01.02: Consult with AWG to discuss level of effort to turn off bulk 
download of Reserved IDs.
     *   Responsible Party: AWG Chair
  *   02.01.03: Start inserting redirects from the old to the new website.
     *   Responsible Party: Secretariat
  *   02.01.04: Update 2023 Priorities spreadsheet and send to the Board. Target 
finalization at next Board meeting.
     *   Responsible Party: Secretariat
  *   02.01.05: Send request for Summit agenda ideas to the Board list. Include 
spreadsheet of ideas from today’s meeting.
     *   Responsible Party: Secretariat

GDPR Conclusion

  *   General Data Protection Regulation (GDPR) comes out of the European Union 
(EU). The CVE Program consulted the MITRE legal team to get a legal opinion 
about GitHub compliance in the context of the bulk download architecture.
  *   The GitHub architecture is good to go and the program knows what it has 
to do to comply with GDPR.
Council of Roots Update

  *   Discussed CNA recruiting and onboarding status.
  *   Asked for Root input on Summit agenda topics.
  *   Asked for input on program priorities for first half of 2023.
  *   Provided an overview of upcoming program website updates, e.g., new CNA 
Types.
  *   Discussion about Root capabilities to manage their CNA credentials for 
CVE Services, and have access to CNA information, e.g., metrics. Root 
requirements will be rolled into the overall User Registry requirements.
Working Group Updates

  *   OCWG
     *   Published the ‘Our CVE Story’ blog about why Red Hat became a root.
     *   Held a podcast production meeting with SPWG Chair.
     *   New OCWG meeting schedule to be announced soon.
  *   SPWG
     *   Continuing to work on the CNA rules update. A cloud decision tree will 
be started soon to improve rules around cloud service providers and different 
types of cloud architectures.
  *   TWG
     *   Supporting AWG with defining User Registry requirements.
     *   Discussion of forking vs not forking the Vulnogram client for program 
use.
     *   Feedback has been received that CVE clients are not intuitive; the TWG 
will discuss and come up with solutions.
     *   Discussion about the problem type field and the weakness field in JSON 
5 records, and whether they are required or optional. Further Board discussion 
needed and results to be included in the CNA Rules update.
CVE Program Priorities for the First Half of 2023

  *   Reviewed and discussed rows 49-53 (see spreadsheet for details)
  *   Next steps: Send out updated priorities spreadsheet (create new column 
for Priority, insert references to dependencies) to the Board, target next 
Board meeting for finalizing.
CVE Program Global Summit: Agenda

  *   The program is collecting agenda items for the upcoming Summit (March 
22-23). A request was sent to the CNA list, and Roots were asked for their 
input at their meeting this morning.
  *   Some ideas were discussed; additional Board input will be requested via 
the mailing list.
Open Discussion
Out of time
Review of Action Items
Out of time
Next CVE Board Meetings

·       Wednesday, February 15, 2023, 9:00am – 11:00am (EST)

·       Wednesday, March 1, 2023, 2:00pm – 4:00pm (EST)

·       Wednesday, March 15, 2023, 9:00am – 11:00am (EDT)

·       Wednesday, March 29, 2023, 2:00pm – 4:00pm (EDT)

·       Wednesday, April 12, 2023, 9:00am – 11:00am (EDT)

·       Wednesday, April 26, 2:00pm – 4:00pm (EDT)
Discussion Topics for Future Meetings

·       Continue discussion about 2023 priorities – start down-select process

·       CVE Services updates and CVE Program website transition progress (as 
needed)

·       Working Group updates (every other meeting, next is March 1, 2023)

·       Council of Roots meeting highlights (next is March 1, 2023)

·       Researcher Working Group proposal for Board review

·       Vision Paper and Annual Report

·       Secretariat review of all CNA scope statements

·       Proposed vote to allow CNAs to assign for insecure default 
configurations

·       CVE Communications Strategy


