CVE Board Meeting Notes
October 11, 2023 (2:00 pm – 4:00 pm EDT)
Agenda
· 2:00-2:05 Introduction
· 2:05-3:25 Topics
* Voting: Multiple Members from Same Organization
* Fall Virtual Workshop Agenda
* Board Meeting Survey Results
· 3:25-3:35 Open Discussion
· 3:35-3:55 Review of Action Items
· 3:55-4:00 Closing Remarks
New Action Items from October 11 Meeting
New Action Item | Responsible Party
Send email to the Board list to vote on whether to keep the rule “one organization, one vote” for Board members. Allow one to two weeks for discussion before the voting period begins. | Secretariat
Send email to the Board list to summarize the ADP container issue so that members can weigh in on the topic prior to the initiation of a vote. | Secretariat
Voting: Multiple Members from Same Organization
* Recently, a couple of Board members brought up that the rule of “one
organization, one vote” may not be needed. This rule was put into place to
minimize undue influence from a particular organization(s) with multiple
members.
* Current rules allow for an exception on a case-by-case basis (only used
once). What do Board members think about the rule and whether it should be
changed? A sample of comments is below:
    * An employment change may effectively eliminate a member’s vote.
    * There have been very few close votes, so there are not many instances
    where this rule has even come into play. Keep rule as is or eliminate.
    * Maybe reverse the rule so every member gets a vote, but an exception
    can be made in cases where there is the possibility of undue influence.
    * I like the rule as written. Continue to allow exceptions as needed.
    * Serves as a healthy constraint against too much influence.
    * Consider a cutoff, say 3 or 4 members from the same organization,
    after which no more votes.
    * If it is not broken, do not fix it.
* Discussion and an informal vote indicated an approximate 50/50 split
between keeping as is and eliminating/modifying the rule. The Secretariat will
send an email summarizing the issue to the Board list to initiate an online
discussion before an official vote (action item). One to two weeks will be
allowed for discussion before the voting period begins.
* It was noted that the CNACWG Chair is always a voting member, regardless
of organization affiliation.
Fall Virtual Workshop Agenda
* The draft agenda for the November 15 virtual-only workshop was presented.
Let the Secretariat know if you have comments or additions.
* CVE Services will be a topic (e.g., download capability, deprecation
date), but a deep dive with demos will be scheduled for a later date.
* The workshop will include a panel discussion with CNAs sharing their JSON
5 experiences. One CNA has tentatively agreed to participate, and others will
be recruited.
* Participants will be asked what changes they want in future CVE Record
schema updates.
* Corpus hygiene will be a topic and include, for example, the importance
of cleaning up RBPs, and not accidentally deleting references. Will also
include link rot discussion.
Board Meeting Survey Results
* Most respondents think the meetings are useful. There was discussion
about ways to encourage more involvement in Board discussions. Comments
included:
    * Strike a balance; sometimes there are too many voices.
    * Moderator can cut off anyone monopolizing the discussion.
    * Use the “raise your hand” feature more often to give members less
    inclined to speak a way to share their opinion.
    * Consider calling on members who haven’t provided input in a while.
* A large majority (88%) of respondents think the two-hour meeting duration
is the right amount.
* A large majority (94%) of respondents think the meeting tempo (every two
weeks) is good.
* A slight majority disagree with the statement “I like having staggered
meeting times.” Last survey, the results were reversed; a slight majority
agreed with the statement. It is hard to find an answer that will please everyone.
* Under the open-ended question “how can we improve the board meetings” a
suggestion was made to reach out to other cybersecurity organizations for
collaboration and guest participation at the meetings. An offline meeting will
be scheduled by the Secretariat to further discuss next steps to make this
suggestion actionable. A comment was made to also consider inviting CNAs to
meetings.
Open Discussion
There is not yet a consensus around how to implement ADPs in production. The
Secretariat will summarize this issue and send it out in an email to the Board
list for discussion (action item).
Review of Action Items
Out of time.
Next CVE Board Meetings
· Wednesday, October 25, 2023, 9:00am – 11:00am (EDT)
· Wednesday, November 8, 2023, 2:00pm – 4:00pm (EST)
· Wednesday, November 22, 2023, 9:00am – 11:00am (EST)
· Wednesday, December 6, 2:00pm – 4:00pm (EST)
· Wednesday, December 20, 2023, 9:00am – 11:00am (EST)
· Wednesday, January 3, 2024, 2:00pm – 4:00pm (EST)
Discussion Topics for Future Meetings
· Sneak peek/review of annual report template SPWG is working on
· Bulk download response from community about Reserved IDs
· Finalize 2023 CVE Program priorities
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting)
· Council of Roots update (every other meeting)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default
configurations
· CVE Communications Strategy