CVE Board Meeting Notes June 21, 2023 (2:00 pm - 4:00 pm EDT)
Agenda
* 2:00-2:05 Introduction
* 2:05-3:25 Topics
  * Working Group Updates
  * Council of Roots Update
  * Communicating the Deprecation of Legacy Download Formats
* 3:25-3:35 Open Discussion
* 3:35-3:55 Review of Action Items
* 3:55-4:00 Closing Remarks

New Action Items from Today's Meeting
* Identify/collect existing ADP documentation, and post (or provide links) to GitHub where everyone can access it. Responsible party: Secretariat.
* Write up CVE record update guidance. The writeup will be distributed to the Board for review/vote using the list. Responsible party: Secretariat.
* Collect MITRE Top Level Root record dispute data and publish it in the CVE website metrics section. Responsible party: Secretariat.
* Use the Board list to hold a vote on going forward with the deprecation plan/schedule. Allow a one-week response time. Responsible party: Secretariat. Due: 6/26/23.
* Develop a pull request template for the CVE Program GitHub Pilot submissions deprecation warning. Responsible party: Secretariat.

Working Group Updates
* AWG
  * ADP Pilot has been released into the initial testing environment (AWG community testing). Scheduled for four weeks. Next will be to move the interfaces for ADP Pilot into CVE Services 2.2 in the July timeframe.
  * Have also been working with the website development team on the search capability. Discussing what technology should be used. Creating an architecture to present to the community in the next month.
  * Issued a bulk download fix this month.
  * The AWG action item, to make a reserved CVE available to the public in a consistent way across all the technology, has been started. Have come up with an architecture to do this. Estimate eight weeks development time to make that capability available.
  * Question: What is the decision about allowing the deletion of ADP containers?
  * Answer: AWG and SPWG have discussed this in depth, and the opinion is to not allow the deletion of ADP containers during the pilot, and revisit later based on results. For now, updates will be allowed, but not deletion.
  * Comment: Seems to be a lot of confusion in the community about ADP, e.g., its role in the program and the privileges that come with being an ADP.
  * Comment: If you are unable to participate in all ADP discussions, but want to understand and weigh in, would like an easy way to find related documentation about proof of concept, decisions made/rationale, etc. The pilot architecture and schedule can be shared. Other information such as user stories and requirements, and an overview brief of what ADP is, can also be shared. Action item to identify/collect existing ADP documentation, and post (or provide links) to GitHub where everyone can access it.
* SPWG
  * Making progress on the CNA rules update. Hope to have something by the end of August. Slow process, essentially rewriting the rules from scratch. In the future, want to have a process that allows more continuous updates as needed, and does not rely on a big bang update.
  * Also have been assisting AWG with ADP Pilot requirements.
* CNACWG
  * Have been reminding members about the June 30 deadline and not getting pushback.
  * There was a question at a recent meeting asking how we can make life better for non-English speaking CNAs. Onboarding and training are difficult in these cases. This could become a bigger problem as the international community of CNAs grows.
* QWG
  * Our focus right now is on a patch update for the JSON 5.0 record format. A link to the current remaining issues was provided: https://github.com/CVEProject/cve-schema/milestone/4. Some of what we're doing is tightening up some areas in the schema where we allowed additional data to be provided that shouldn't have been. It's very important to not break anything with existing records. Hopefully release sometime in July.
  * Next focus will be on 5.1 related issues.
* TWG
  * A discussion topic at the last meeting was about CNAs updating records. The program needs to provide guidance about dos and don'ts on this subject, e.g., it's okay to add more information, but it's not okay to delete anything or change descriptions. No changes will be allowed to pre-2016 records. Action item to write the record update guidance (Secretariat). The writeup will be distributed to the Board for review/vote using the list.
  * Question: What happens to records by CNAs who are no longer around?
  * Answer: They revert to the Root (this needs to be in the CNA rules).
  * Another topic that came up was the clunkiness around transferring IDs and/or transferring records. We're going to get that straight in the CNA rules.
* Summit Planning Sub-Working Group
  * The two co-chairs met and had a good conversation. We started discussing the schedule (pushing for March) and development of a charter (plan to have ready for Board review at next meeting).
  * Would like to co-locate with another event and attract a broader vulnerability management community. Exploring location options and sponsors.
  * Also working on recruiting for the sub-working group.

Council of Roots Update
* A record dispute was discussed at the meeting this morning. This was the first instance of an issue being escalated to the Council of Roots. A researcher identified a "vulnerability" and the CNA disagreed. It was escalated to the Root, who also disagreed, so the final step was the Council. This is all before a CVE Record has been published, so the current dispute policy will be modified to include disputes around assignments. The Council accepted and agreed with the decisions of both the CNA and the Root, and therefore those decisions stand.
* Question: Have we ever published information about the number of disputes and the number settled in favor of the vendor or researcher?
* Answer: No, but it can be done, at least for the MITRE Top Level Root. Action item to collect the data and publish it in the CVE website metrics section.
* The Roots are working with their CNAs to move them to the new services.

Communicating the Deprecation of Legacy Download Formats
* A reference will be added to the legacy format records alerting people that the legacy formats are being deprecated, and also about the wind-down period and shut-off date.
* In the CSV file, there is old legacy text which will be removed and replaced with a deprecation warning.
* The wind-down period lasts from January through June 2024. Over that period, the update frequency will decrease in increments (daily to weekly to monthly, etc.). After June 30, 2024, there will be no more updates. This is a deliberate approach to ensure tooling doesn't get broken in the process.
* Comment: We are deprecating JSON 4, which has been in place a long time, so there is a lot of tooling around that format. We want to make sure we do no harm to users in the shutdown. Keep up with communications and also pay attention to the number of monthly downloads March through June to make sure the June 30 cutoff still makes sense (e.g., NVD readiness).
* Comment: Love the plan; it is real and gives people a long timeline to get ready.
* Action for the Secretariat to execute a vote using the Board list on going forward with the deprecation plan/schedule. Allow a one-week response.

Open Discussion
* GitHub Submission Pilot will be deprecated on June 30. Read-only will be turned off at the end of 2024. After that, pull requests will not be processed. Action to develop a pull request template (https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/creating-a-pull-request-template-for-your-repository) to warn submitters that a CVE Record won't be created.

Review of Action Items
* Out of time.

Next CVE Board Meetings
* Wednesday, July 19, 2023, 2:00pm - 4:00pm (EDT)
* Wednesday, August 2, 2023, 9:00am - 11:00am (EDT)
* Wednesday, August 16, 2023, 2:00pm - 4:00pm (EDT)
* Wednesday, August 30, 2023, 9:00am - 11:00am (EDT)
* Wednesday, September 13, 2:00pm - 4:00pm (EDT)

Discussion Topics for Future Meetings
* Review draft charter for new working group (for Summit planning, Annual Report, and the upcoming CVE 25th anniversary)
* Sneak peek/review of the annual report template SPWG is working on (June timeframe)
* Bulk download response from community about Reserved IDs
* Finalize 2023 CVE Program priorities
* CVE Services updates and website transition progress (as needed)
* Working Group updates (next is July 19)
* Council of Roots update (next is July 19)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy