CVE Board Meeting Notes
November 30, 2022 (9:00 am - 11:00 am EST)
Agenda
* 9:00-9:05 Introduction
* 9:05-10:25 Topics
o Working Group Updates
o CVE Annual Report
o CVE Summit
* 10:25-10:35 Open Discussion
* 10:35-10:55 Review of Action Items
* 10:55-11:00 Closing Remarks
New Action Items from Today's Meeting
Action Item # | New Action Item | Responsible Party | Due
11.30.01 | Reach out to Archive.org and Library of Congress to explore the possibility of using them for archival of old CVE references. | CNACWG Chair |
11.30.02 | Send request to Working Group chairs to prepare a list of their 2023 priorities for discussion at the 12/14/22 meeting. | Secretariat |
11.30.03 | Prepare list of WG 2023 priorities for discussion at 12/14/22 meeting. | WG chairs | 12/14/22
Working Group Updates
* Outreach and Communications Working Group (OCWG)
  o It was noted that the CVE Working Group Operations Handbook mentions a temporary co-chair but does not provide for a permanent co-chair. SPWG will look into adding language to the Handbook.
  o Other items:
    o November 2 Workshop videos have been prepared and posted <https://www.youtube.com/playlist?list=PLWfD9RQVdJ6etGbopVxE5Nb-8TzjY5cl9>.
    o The OCWG recorded a podcast on November 29 about vulnerability disclosure.
    o Working with Red Hat, a Communications Plan was developed to help Red Hat communicate their new role as a Root, address the issue of being a Root, potentially for competitors, and how to overcome objections.
* Automation Working Group (AWG)
  o Current focus is addressing 36 CVE Services items/issues postponed until the completion of Soft Deployment. Six issue fixes are in the testing instance.
  o Incremental releases will be used to deploy fixes for the 36 items. There will be review and approval by the Board prior to each release, and there may be an initial release by the end of 2022.
  o The list of issues is available on the GitHub.io site <https://cveproject.github.io/automation-cve-services-known-issues>. Most of the issues are down-conversion issues.
  o The CVE website was updated to support JSON 5.0 rendering as part of its lookup capability. How to render affected fields is complex and difficult, given some of the edge cases in how affected versions can be expressed. An updated solution may be deployed as early as the end of next week.
  o Going forward, a big effort will be bulk download capability. Development is just getting started. There is a meeting scheduled on December 1 with NIST NVD to engage with them as a major consumer of the CVE List, get their feedback on the requirements, and let them know about the architecture.
* Transition Working Group (TWG)
  o Since the Workshop, the recent activity that is front and center is making sure there is a transition plan to help manage the movement of references from the body of the CVE structure into an ADP container.
  o Another area is helping CNAs that potentially want to replace their JSON 5 upconverted data with better data without losing those references.
* Strategic Planning Working Group (SPWG)
  o Currently working on the CNA Rules update. Recent comments are being incorporated and progress is being made. There are topics for further discussion around what makes sense in the updated automated environment.
  o The Governance document is also being worked on, although it has been back-channeled at this point until the Rules update is further along.
  o The meeting time may be changed to accommodate additional participants. Members were invited to email the Chair with their preferred time(s).
* CNA Coordination Working Group (CNACWG)
  o The last meeting's discussion included the JSON 4 to 5 transition. There was also favorable input about the CVE Services Workshop on November 2.
  o A participant at the meeting said he has been converting and has an in-house Windows-based process that uses the new JSON template. The member committed to publishing the "how to" so others can use it as a process/model if they want.
  o A question came up in the meeting about the program's responsibility to make sure references submitted on the day of release are still useful 5-10 years down the line. Where should they be archived?
    o Triggerarchive.org, Library of Congress, and Archive.org were mentioned as possible candidates for the program's archival of old references.
    o Better rules may be needed about what counts as a reference.
    o More discussion is needed, and maybe a new Archival working group.
    o The CNACWG Chair took the action to reach out to Archive.org and Library of Congress to explore the possibility of using them for archival of old references.
CVE Annual Report
* Members were asked if they have available resources to help with design/layout. The Intel report was mentioned as a potential model. A Board member said that both he and another Board member have offered to help in the past and can look into their respective resources.
* Members were asked when the report should be ready for publication. There was no disagreement with an early February 2023 publication date. Content can start being generated now, and late-year content can be generated in January 2023.
* The report is external facing. Members were asked for their ideas about content/topics to include. Ideas were:
  o Past year production and new CNAs, trend/growth over time
  o Future program plans/areas of focus
  o New services information
  o Information about what the program is doing in the open-source world and in the cloud world, along with interesting case studies/examples
CVE Summit
* Secretariat has reserved an auditorium at MITRE in McLean for March 22-23, 2023, for the Summit, but the members were asked if anyone would prefer to host the event.
* One Board member said she is still trying to get a decision at her organization.
* Other input was favorable toward keeping it at MITRE.
* It was decided to revisit the topic at the next Board meeting(s); a decision in December is preferred.
Open Discussion
* A question was asked about the Board meeting schedule around the upcoming holidays. It was decided to have one meeting in December (on the 14th) and, at the December meeting, discuss the need for a meeting on January 4, 2023.
* A Board member asked what the next program priorities are, now that CVE Services 2.1 deployment is well underway. He has prepared a list of ideas on GitHub <https://github.com/CVEProject/Board-Discussions/issues>. Feedback is welcome. WG Chairs were asked to prepare a list of priorities for discussion at the Board meeting on December 14. Art will also be prepared to present his ideas, if time permits.
Review of Action Items
* 10.26.02: Not started. Will check with Program Coordination team.
* 11.09.01: CVE Program Coordination team is working on identifying all Open Source Projects in the CNA list; once this is done, the list will be updated on the website.
* 11.09.02: Need to understand the timeline for when the ADP container will be set up, and the level of effort for short term, medium term and long term.
* 11.09.03: To be discussed at 12/14/22 Board meeting.
Next CVE Board Meetings
* Wednesday, December 14, 2022, 2:00pm - 4:00pm (EST)
* Wednesday, January 4, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, January 18, 2023, 9:00am - 11:00am (EST)
* Wednesday, February 1, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, February 15, 2023, 9:00am - 11:00am (EST)
Discussion Topics for Future Meetings
* Program priorities for 2023 (December 14 meeting)
* CVE scenario examples (December 14 meeting)
* Reschedule January 4, 2023, meeting? (December 14 meeting)
* CVE Services 2.1 deployment updates (on-going)
* Working Group updates (every other meeting)
* Council of Roots meeting highlights
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations