CVE Board Meeting Notes
November 30, 2022 (9:00 am - 11:00 am EST)

Agenda
* 9:00-9:05 Introduction
* 9:05-10:25 Topics
  o Working Group Updates
  o CVE Annual Report
  o CVE Summit
* 10:25-10:35 Open Discussion
* 10:35-10:55 Review of Action Items
* 10:55-11:00 Closing Remarks

New Action Items from Today's Meeting

Action Item #  New Action Item                                                                   Responsible Party  Due
11.30.01       Reach out to Archive.org and Library of Congress to explore the possibility of     CNACWG Chair
               using them for archival of old CVE references.
11.30.02       Send request to Working Group chairs to prepare a list of their 2023 priorities    Secretariat
               for discussion at the 12/14/22 meeting.
11.30.03       Prepare list of WG 2023 priorities for discussion at the 12/14/22 meeting.         WG chairs          12/14/22

Working Group Updates

* Outreach and Communications Working Group (OCWG)
  * It was mentioned that the CVE Working Group Operations Handbook mentions a temporary co-chair but does not provide for a permanent co-chair. SPWG will look into adding language to the Handbook.
  * Other items:
    * November 2 Workshop videos have been prepared and posted: https://www.youtube.com/playlist?list=PLWfD9RQVdJ6etGbopVxE5Nb-8TzjY5cl9
    * The OCWG recorded a podcast on November 29 about vulnerability disclosure.
    * A Communications Plan was developed with Red Hat to help Red Hat communicate its new role as a Root, address the issue of being a Root potentially for competitors, and work out how to overcome objections.
* Automation Working Group (AWG)
  * Current focus is addressing the 36 CVE Services items/issues postponed until the completion of Soft Deployment. Six issue fixes are in the testing instance.
  * Incremental releases will be used to deploy fixes for the 36 items. There will be review and approval by the Board prior to each release, and there may be an initial release by the end of 2022.
  * The list of issues is available on the GitHub.io site: https://cveproject.github.io/automation-cve-services-known-issues. Most of the issues are down-conversion issues.
  * The CVE website was updated to support JSON 5.0 rendering as part of its lookup capability. How to render affected fields is complex and difficult, given some of the edge cases in how affected versions can be expressed. An updated solution may be deployed as early as the end of next week.
  * Going forward, a big effort will be bulk download capability. Development is just getting started. There is a meeting scheduled on December 1 with NIST NVD, as a major consumer of the CVE List, to get their feedback on the requirements and to brief them on the architecture.
* Transition Working Group (TWG)
  * Since the Workshop, the activity that is front and center is making sure there is a transition plan to manage the movement of references from the body of the CVE record into an ADP container.
  * Another area is helping CNAs that want to replace their JSON 5 upconverted data with better data without losing those references.
* Strategic Planning Working Group (SPWG)
  * Currently working on the CNA Rules update. Recent comments are being incorporated and progress is being made. There are topics for further discussion around what makes sense in the updated automated environment.
  * The Governance document is also being worked on, although it has been back-channeled at this point until the Rules update is further along.
  * The meeting time may be changed to accommodate additional participants. Members were invited to email the Chair with their preferred time(s).
* CNA Coordination Working Group (CNACWG)
  * The last meeting's discussion included the JSON 4 to 5 transition. There was also favorable input about the CVE Services Workshop on November 2.
  * A participant at the meeting said he has been converting records with an in-house Windows-based process that uses the new JSON template. The member committed to publishing the "how to" so others can use it as a process/model if they want.
  * A question came up in the meeting about the program's responsibility to make sure references submitted on the day of release are still useful 5-10 years down the line. Where should they be archived?
    * Triggerarchive.org, Library of Congress, and Archive.org were mentioned as possible candidates for the program's archival of old references.
    * Better rules may be needed about what counts as a reference.
    * More discussion is needed, and maybe a new Archival working group.
    * The CNACWG Chair took the action to reach out to Archive.org and Library of Congress to explore the possibility of using them for archival of old references.

CVE Annual Report

* Members were asked if they have resources available to help with design/layout. The Intel report was mentioned as a potential model. A Board member said that both he and another Board member have offered to help in the past and can look into their respective resources.
* Members were asked when the report should be ready for publication. There was no disagreement with an early February 2023 publication date. Content can start being generated now, and late-year content can be generated in January 2023.
* The report is external facing. Members were asked for their ideas about content/topics to include. Ideas were:
  * Past year production and new CNAs, trend/growth over time
  * Future program plans/areas of focus
  * New services information
  * Information about what the program is doing in the open-source world and in the cloud world, along with interesting case studies/examples

CVE Summit

* The Secretariat has reserved an auditorium at MITRE in McLean for March 22-23, 2023, for the Summit, but the members were asked if anyone would prefer to host the event.
* One Board member said she is still trying to get a decision at her organization.
* Other input was favorable toward keeping it at MITRE.
* It was decided to revisit the topic at the next Board meeting(s); a decision in December is preferred.
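The AWG update above notes that rendering the JSON 5.0 "affected" fields is hard because of the edge cases in how affected versions can be expressed. The following is an added example, not code from the CVE Program, the CVE website, or cve-services: it walks a constructed CVE Record Format 5.0 fragment (field names affected, defaultStatus, versions, version, status, versionType, lessThan, lessThanOrEqual, changes are from the 5.0 schema; vendor and product names and all version numbers are made up) and decides, for a candidate version, whether it is affected. It shows the four shapes a renderer has to cope with: an exact version, a half-open range, the "*" wildcard upper bound, and a status that flips partway through a range via "changes", with defaultStatus covering everything not listed. Version comparison is a simple dotted-numeric compare, an assumption that is adequate for this sample but not for every versionType a CNA may use.

```python
"""Evaluate CVE JSON 5.0 'affected' entries against a candidate version.

Added example (not the CVE website's renderer). The record below is a
constructed sample; only the field names follow the CVE Record Format 5.0
schema. Version ordering assumes dotted numeric versions (an assumption).
"""
import json

# Constructed sample: one product mixing the range shapes a renderer must handle.
SAMPLE_RECORD = json.loads("""
{
  "containers": {"cna": {"affected": [
    {"vendor": "ExampleVendor", "product": "ExampleProduct",
     "defaultStatus": "unaffected",
     "versions": [
       {"version": "1.0.5", "status": "affected"},
       {"version": "2.0.0", "status": "affected", "versionType": "semver",
        "lessThan": "2.4.0"},
       {"version": "3.0.0", "status": "affected", "versionType": "semver",
        "lessThan": "*",
        "changes": [{"at": "3.2.1", "status": "unaffected"}]}
     ]}
  ]}}
}
""")

# Precedence when several products are consulted: the worst status wins.
_PRECEDENCE = {"affected": 2, "unknown": 1, "unaffected": 0}


def parse_version(v):
    """Turn '2.4.0' into (2, 4, 0); '*' (schema wildcard, 'all versions') -> None."""
    if v == "*":
        return None
    return tuple(int(p) for p in v.split("."))


def in_range(candidate, entry):
    """True if candidate lies inside the span described by one versions[] entry."""
    start = parse_version(entry["version"])
    cand = parse_version(candidate)
    if "lessThan" in entry:                      # [version, lessThan)
        upper = parse_version(entry["lessThan"])
        return cand >= start and (upper is None or cand < upper)
    if "lessThanOrEqual" in entry:               # [version, lessThanOrEqual]
        upper = parse_version(entry["lessThanOrEqual"])
        return cand >= start and (upper is None or cand <= upper)
    return cand == start                         # a single exact version


def status_for(candidate, entry):
    """Status inside one entry, applying any 'changes' at or below candidate.

    The schema lets a range flip status at listed points; the latest change
    point that is <= candidate determines the status.
    """
    status = entry["status"]
    cand = parse_version(candidate)
    changes = sorted(entry.get("changes", []),
                     key=lambda c: parse_version(c["at"]))
    for change in changes:
        if parse_version(change["at"]) <= cand:
            status = change["status"]
    return status


def affected_status(record, candidate, product=None):
    """Return 'affected' / 'unaffected' / 'unknown' for the candidate version.

    If product is given only that product is consulted; otherwise the worst
    status across all products is returned.
    """
    worst = None
    for prod in record["containers"]["cna"]["affected"]:
        if product and prod.get("product") != product:
            continue
        status = prod.get("defaultStatus", "unknown")   # schema default: unknown
        for entry in prod.get("versions", []):
            if in_range(candidate, entry):
                status = status_for(candidate, entry)
                break
        if worst is None or _PRECEDENCE[status] > _PRECEDENCE[worst]:
            worst = status
    return worst if worst is not None else "unknown"


if __name__ == "__main__":
    for v in ["1.0.4", "1.0.5", "2.3.9", "2.4.0", "3.0.0", "3.2.1", "9.9.9"]:
        print(v, affected_status(SAMPLE_RECORD, v, "ExampleProduct"))
```

Note the two places a naive renderer goes wrong: a "lessThan" of "*" must be treated as an open upper bound rather than parsed as a version, and an entry's "status" is only the starting status of the range, so "3.0.0 and later" with a change at 3.2.1 means 3.2.1 and later are unaffected.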
Open Discussion

* A question was asked about the Board meeting schedule around the upcoming holidays. It was decided to have one meeting in December (on the 14th) and, at the December meeting, to discuss the need for a meeting on January 4, 2023.
* A Board member asked what the next program priorities are, now that CVE Services 2.1 deployment is well underway. He has prepared a list of ideas on GitHub: https://github.com/CVEProject/Board-Discussions/issues. Feedback is welcome. WG Chairs were asked to prepare a list of priorities for discussion at the Board meeting on December 14. Art will also be prepared to present his ideas, if time permits.

Review of Action Items

* 10.26.02: Not started. Will check with the Program Coordination team.
* 11.09.01: The CVE Program Coordination team is working on identifying all open source projects in the CNA list; once this is done, the list will be updated on the website.
* 11.09.02: Need to understand the timeline for when the ADP container will be set up, and the level of effort for the short term, medium term, and long term.
* 11.09.03: To be discussed at the 12/14/22 Board meeting.

Next CVE Board Meetings

* Wednesday, December 14, 2022, 2:00pm - 4:00pm (EST)
* Wednesday, January 4, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, January 18, 2023, 9:00am - 11:00am (EST)
* Wednesday, February 1, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, February 15, 2023, 9:00am - 11:00am (EST)

Discussion Topics for Future Meetings

* Program priorities for 2023 (December 14 meeting)
* CVE scenario examples (December 14 meeting)
* Reschedule January 4, 2023, meeting? (December 14 meeting)
* CVE Services 2.1 deployment updates (on-going)
* Working Group updates (every other meeting)
* Council of Roots meeting highlights
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations