CVE Board Meeting Notes

June 21, 2023 (2:00 pm - 4:00 pm EDT)

Agenda

*       2:00-2:05        Introduction

*       2:05-3:25        Topics

           *   Working Group Updates
           *   Council of Roots Update
           *   Communicating the Deprecation of Legacy Download Formats

*       3:25-3:35        Open Discussion

*       3:35-3:55        Review of Action Items

*       3:55-4:00        Closing Remarks

New Action Items from Today's Meeting

| Action Item # | New Action Item | Responsible Party | Due |
| --- | --- | --- | --- |
| | Identify/collect existing ADP documentation, and post (or provide links) to GitHub where everyone can access. | Secretariat | |
| | Write up CVE record update guidance. The writeup will be distributed to the Board for review/vote using the list. | Secretariat | |
| | Collect MITRE Top Level Root record dispute data and publish on the CVE website metrics section. | Secretariat | |
| | Use the Board list to hold a vote on going forward with the deprecation plan/schedule. Allow a one week response time. | Secretariat | 6/26/23 |
| | Develop a pull request template for CVE Program GitHub Pilot submissions deprecation warning. | Secretariat | |
Working Group Updates

  *   AWG
     *   ADP Pilot has been released into the initial testing environment (AWG 
community testing). Scheduled for four weeks. Next will be to move the 
interfaces for ADP Pilot into CVE Services 2.2 in the July timeframe.
     *   Have also been working with the website development team on the search 
capability. Discussing what technology should be used. Creating an architecture 
to present to the community in the next month.
     *   Issued a bulk download fix this month.
     *   The AWG action item, to make a reserved CVE available to the public in 
a consistent way across all the technology, has been started. Have come up with 
an architecture to do this. Estimate eight weeks development time to make that 
capability available.
     *   Question: What is the decision about allowing the deletion of ADP 
containers?
        *   Answer: AWG and SPWG have discussed in depth, and the opinion is to 
not allow the deletion of ADP containers during the pilot, and revisit later 
based on results. For now, updates will be allowed, but not deletion.
     *   Comment: There seems to be a lot of confusion in the community about 
ADP, e.g., its role in the program and the privileges that come with being an 
ADP.
     *   Comment: If you are unable to participate in all ADP discussions, but 
want to understand and weigh in, would like an easy way to find related 
documentation about proof of concept, decisions made/rationale, etc. The pilot 
architecture and schedule can be shared. And other information such as user 
stories and requirements, and an overview brief of what ADP is can also be 
shared. Action item to identify/collect existing ADP documentation, and post 
(or provide links) to GitHub where everyone can access.

  *   SPWG
     *   Making progress on the CNA rules update. Hope to have something by the 
end of August. Slow process, essentially rewriting the rules from scratch. In 
the future, want to have a process that allows more continuous updates as 
needed, and does not rely on a big bang update.
     *   Also have been assisting AWG with ADP Pilot requirements.
  *   CNACWG
     *   Have been reminding members about the June 30 deadline and not getting 
pushback.
     *   There was a question at a recent meeting asking how we can make life 
better for non-English speaking CNAs. Onboarding and training are difficult in 
these cases. This could become a bigger problem as the international community 
of CNAs grows.
  *   QWG
     *   Our focus right now is on a patch update for the JSON 5.0 record 
format. A link to the current remaining issues was provided 
(https://github.com/CVEProject/cve-schema/milestone/4). Some of what we're 
doing is tightening up some areas in the schema where we allowed additional 
data to be provided that shouldn't have been. It's very important to not break 
anything with existing records. Hopefully release sometime in July.
     *   Next focus will be on 5.1 related issues.
  *   TWG
     *   A discussion topic at the last meeting was about CNAs updating 
records. The program needs to provide guidance about dos and don'ts on this 
subject, e.g., it's okay to add more information, but it's not okay to delete 
anything or change descriptions. No changes will be allowed to pre-2016 
records. Action item to write the record update guidance (Secretariat). The 
writeup will be distributed to the Board for review/vote using the list.
     *   Question: What happens to records by CNAs who are no longer around?
        *   Answer: They revert back to the Root (this needs to be in the CNA 
rules).
     *   Another topic that came up was the clunkiness around transferring IDs 
and/or transferring records. We're going to get that straight in the CNA rules.
  *   Summit Planning Sub-Working Group
     *   The two co-chairs met and had a good conversation. We started 
discussing the schedule (pushing for March) and development of a charter (plan 
to have ready for Board review at next meeting).
     *   Would like to co-locate with another event and attract a broader 
vulnerability management community. Exploring location options and sponsors.
     *   Also working on recruiting for the sub-working group.

Council of Roots Update

  *   A record dispute was discussed at the meeting this morning. This was the 
first instance of an issue being escalated to the Council of Roots. A 
researcher identified a "vulnerability" and the CNA disagreed. It was escalated 
to the Root who also disagreed, so the final step was the Council. This is all 
before a CVE Record has been published, so the current dispute policy will be 
modified to include disputes around assignments. The Council accepted and 
agreed with the decisions of both the CNA and the Root and therefore those 
decisions stand.
  *   Question: Have we ever published information about the number of disputes 
and the number settled in favor of the vendor or researcher?
     *   Answer: No, but it can be done, at least for the MITRE Top Level Root. 
Action item to collect the data and publish on the CVE website metrics section.
  *   The Roots are working with their CNAs to move them to the new services.

Communicating the Deprecation of Legacy Download Formats

  *   A reference will be added to the legacy format records alerting people 
that the legacy formats are being deprecated, and also about the wind down 
period and shut off date.
  *   In the CSV file, there is old legacy text which will be removed and 
replaced with a deprecation warning.
  *   The wind down period lasts from January through June 2024. Over that 
period, the update frequency will decrease in increments (daily to weekly to 
monthly, etc.). After June 30, 2024, there will be no more updates. This is a 
deliberate approach to ensure tooling doesn't get broken in the process.
  *   Comment: We are deprecating JSON 4, which has been in place a long time, 
so there is a lot of tooling around that format. We want to make sure we do no 
harm to users in the shutdown. Keep up with communications and also pay 
attention to the number of monthly downloads March through June to make sure 
the June 30 cutoff still makes sense (e.g., NVD readiness).
  *   Comment: Love the plan, it is real and gives people a long timeline to 
get ready.
  *   Action for the Secretariat to execute a vote using the Board list on 
going forward with the deprecation plan/schedule. Allow a one week response.

Open Discussion

  *   GitHub Submission Pilot will be deprecated on June 30. Read-only will be 
turned off at the end of 2024. After that, pull requests will not be processed. 
Action to develop a pull request template 
(https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/creating-a-pull-request-template-for-your-repository) 
to warn submitters that a CVE Record won't be created.

Review of Action Items

Out of time.

Next CVE Board Meetings

*       Wednesday, July 19, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, August 2, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, August 16, 2023, 2:00pm - 4:00pm (EDT)

*       Wednesday, August 30, 2023, 9:00am - 11:00am (EDT)

*       Wednesday, September 13, 2:00pm - 4:00pm (EDT)

Discussion Topics for Future Meetings

*       Review draft charter for new working group (for Summit planning, Annual 
Report, and the upcoming CVE 25th anniversary)

*       Sneak peek/review of annual report template SPWG is working on (June 
timeframe)

*       Bulk download response from community about Reserved IDs

*       Finalize 2023 CVE Program priorities

*       CVE Services updates and website transition progress (as needed)

*       Working Group updates (next is July 19)

*       Council of Roots update (next is July 19)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 
configurations

*       CVE Communications Strategy
