CVE Board Meeting Notes
October 12, 2022 (2:00 pm - 4:00 pm ET)
Agenda
* 2:00-2:05 Introduction
* 2:05-3:25 Topics
o CVE Services 2.1 Soft Deploy Update
o Council of Roots Update
o Inactive Board Member Update
o Update on Workshop Planning
* 3:25-3:35 Open Discussion
* 3:35-3:55 Review of Action Items
* 3:55-4:00 Closing Remarks
New Action Items from October 12 Meeting
Action Item #
New Action Item
Responsible Party
Due
10.12.01
Related to AI 09.28.03. Send a 30-minute meeting follow-up invitation to
members for additional discussion with the Board member candidate.
Secretariat
10.12.02
Coordinate with NIST to resolve the issue with NVD.
AWG Chair
10/26/22
CVE Services 2.1 Soft Deploy Update
* The recommendation to start soft deployment was made to the Board and
approved on September 28. Soft Deployment Phase 1 started October 3 and Phase 2
is scheduled to start the week of October 24.
* Phase 1 completed October 6.
* It included Conversion of CVE JSON 4.0 historical data to JSON 5.0,
deployment of the 5.0 compliant ID reservation subsystem, and deployment of
RSUS interfaces for the Secretariat.
* The JSON 4.0 format will continue to be supported for the foreseeable
future.
* The Secretariat and the MITRE CNA of Last Resort are using the newly
deployed feature set successfully for production.
* Between Deployment Phases (October 7 - October 24):
* Reserving IDs: web form and GitHub will work as usual.
* Submitting records: must be done in JSON 4 format using webform or the
Git Hub pilot. Submitting JSON 5 records is not possible.
* Viewing records: JSON 4 records can be viewed on GitHub, and the CVE
Record repository can be downloaded at
www.cve.org/downloads<http://www.cve.org/downloads>. Rendering of upconverted
JSON 5 records can be viewed at www.cve.org<http://www.cve.org>.
* Phase 2 will provide CVE Services 2.1 and RSUS interfaces to the
broader community, but only for JSON 5 CVEs.
* A prep message will be sent to the community October 18.
* GitHub and webform cannot process JSON 5 CVEs.
* The phase-out of JSON 4 support is to be determined and is a Board
decision.
* A potential issue with data ingests by the NVD was brought up.
* It is thought that the NVD may have a limit for the "description"
field of the CVE Record, which is currently 4000 characters; however, the new
JSON 5.0 schema's maximum is 4096 characters.
* It was concluded that the CVE Program does not have the issue here,
since the working groups had socialized the new schema for some time now.
* The Board asked that the Secretariat reach out to the NVD to inform
and discuss.
* A question about whether the webform will mature to support to JSON 5.0
is a topic for the MITRE CNA of Last Resort.
* No additional Board approval is needed to proceed with Phase 2. Stay with
October 24.
Council of Roots Update
* CNA candidate pipeline status was presented.
* An overview of CVE Services 2.1 deployment status was given and
included links to the new API documentation.
* There was discussion about a CNA publishing a CVE Record for a
vulnerability that falls under another CNA's scope because the two have made an
arrangement beforehand. This can lead to confusion in the community and
questions to the Secretariat that take time to track down. The consensus was
that this needs to be made public, but no decision was made how best to do
that. This is different from the situation where a Root has a new CNA that
needs help publishing a record and the Root does it for them. In this case, an
email trail of the agreement would be sufficient, for example.
* Discussion about the CVE Services 2.1 workshop on November 2 included
topics to be presented and status of briefing material materials. Roots were
encouraged to send ideas for topics to the Secretariat. The invitation to the
workshop was sent to the CNA discussion list. It included a link to a survey to
offer topic suggestions or ask questions they would like answered.
Inactive Board Member Update
* Since the last Board meeting, the remaining two inactive members
responded by email. They expressed an intention to participate but have
questions/issues that have been passed on to current active Board members for
follow up.
Update on Workshop Planning
* Invitations have been sent. Let the Secretariat know if not received.
* Presentation materials are in development, e.g., how to get an account
for new services, how to use JSON 5.0.
* To date, 106 of 200 responses have been "accept."
* A member commented that time zone and language differences may limit
participation for some CNAs.
* A recording will be made available, and consideration is being given
to the idea of a second workshop to accommodate as many CNAs as possible.
* There was discussion about possible translation of workshop materials,
and/or holding a live Q&A session.
* A member commented that maybe the program should consider adding
communication translation capabilities to help non-English speaking CNAs. The
extent of the translation problem is not known and needs review to better
understand how and where improvements are needed.
Review of Action Items
* 09.28.01: Status changed to Complete. Board vote on soft deploy was to
proceed with October 3 start.
* 09.28.02: Status changed to Complete. Inactive members have responded; no
further action is needed.
* 09.28.03: Status changed to Complete. Doodle poll sent to schedule
date/time for Board candidate interview. Secretariat to send a 30-minute
follow-up invitation to members for any additional discussion with the
candidate.
Next CVE Board Meetings
* Wednesday, October 26, 2022, 9:00am - 11:00am (EDT)
* Wednesday, November 9, 2022, 2:00pm - 4:00pm (EST)
* Wednesday, November 23, 2022, 9:00am - 11:00am (EST)
* Wednesday, December 7, 2022, 2:00pm - 4:00pm (EST)
* Wednesday, December 21, 2022, 9:00am - 11:00am (EST)
* Wednesday, January 4, 2023, 2:00pm - 4:00pm (EST)
Discussion Topics for Future Meetings
* CVE Services 2.1 and CVE Program website transition updates (on-going)
* Summit planning updates
* Working Group updates, every other meeting
* Council of Roots meeting highlights (on-going)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Initiate Board vote for a proposed solution to allow CNAs to assign IDs
for insecure default configuration (from closed action item 03.03.02)
* Resolution on the breakout thread about the year notation in CVE IDs
(in-progress)
* Secretariat review of all CNA scope statements.
