CVE Board Meeting Notes
August 16, 2023 (2:00 pm – 4:00 pm EDT)

Agenda
· 2:00-2:05 Introduction
· 2:05-3:25 Topics
  * Vote Update
  * Vulnerability Conference Working Group (VCWG) Charter Review
· 3:25-3:35 Open Discussion
· 3:35-3:55 Review of Action Items
· 3:55-4:00 Closing Remarks

New Action Items from Today’s Meeting

New Action Item | Responsible Party | Due
Draft messaging for the Spring hybrid conference (e.g., save the date, set the stage for the conference, value to attend, call for papers) so that VCWG can use it in its outreach activities. | Secretariat |

Vote Update

* An update on a recent Executive Session Board meeting vote was provided.

Vulnerability Conference Working Group (VCWG) Charter Review

* A link to the draft charter was provided to members with the Board meeting agenda V2 email on August 16.
* Chairs are seeking Board approval so they can begin recruiting members and establishing timeline milestones.
* Question: What does the Board think about allowing membership from outside the CNA community?
  Answer: No objection to allowing wider participation.
* Question: Should there be a limit to membership size?
  Answer: No need to limit the number of members at this time. The Chair may limit size in the future, if necessary. The Chair may also remove a member for unprofessional conduct, disruptive behavior, etc.
* Membership section to be updated to reflect answers to the two questions above.
* Include a link to the CVE Program Professional Code of Conduct <https://www.cve.org/ResourcesSupport/AllResources/ProfessionalCodeOfConduct> in the charter; no need to re-create the policy in the charter.
* The biggest part is just people rolling their sleeves up and doing something to move the ball forward. It will take many hands to make this conference happen.
* Question: Should the charter have a statement about “for-profit motivations”? For example, can someone join (or not) just to sell their wares to CNAs?
  Answer: Statement not necessary; could be helpful in communicating the event and value of CVE, and could provide a co-sponsorship opportunity.
* An update will be forwarded to the Board on the email list, with a request for final edits or comments. No response means acceptance. When final, the Secretariat will post the charter to the CVE website.
* Initial meeting and cadence are TBD; Co-Chairs are discussing who they think might be interested so that they can contact them and schedule the first meeting.
* Question: Is the VCWG planning both the virtual conference and the hybrid (in-person and virtual) conference?
  Answer: Focus is the 2024 hybrid conference, tentatively scheduled for late March. The Secretariat will lead planning for the upcoming Fall 2023 virtual conference (planning needs to start soon; ADP pilot and JSON 5 are potential topics).
* Secretariat will draft messaging (e.g., save the date, set the stage for the conference, value to attend, call for papers) about the Spring conference so that VCWG can use it in its outreach activities.

Open Discussion

* A Board member mentioned that Microsoft has published its AI Bug Bar (Microsoft Vulnerability Severity Classification for Artificial Intelligence and Machine Learning Systems <https://www.microsoft.com/en-us/msrc/aibugbar>) and an MSRC blog post explaining it (Updating our Vulnerability Severity Classification for AI Systems | MSRC Blog | Microsoft Security Response Center <https://msrc.microsoft.com/blog/2023/08/Updating-our-Vulnerability-Severity-Classification-for-AI-Systems/>).
* ADP Pilot
  * CISA received their credentials and has begun experimentation with the ADP demonstration instance.
  * The References ADP pilot is expected to get rolling in mid to late September.
  * Comment: The end of September is supposed to be the timeframe for starting production.
    Response: Not expecting the References pilot to last more than a few days, so entering production by the end of September is still possible.
* CNACWG Chair has started a research project to count how many CVE references link to dead domains; he will present results at the next Board meeting in two weeks.

Review of Action Items

None.

Next CVE Board Meetings

· Wednesday, August 30, 2023, 9:00am – 11:00am (EDT)
· Wednesday, September 13, 2:00pm – 4:00pm (EDT)
· Wednesday, September 27, 2023, 9:00am – 11:00am (EDT)
· Wednesday, October 11, 2023, 2:00pm – 4:00pm (EDT)
· Wednesday, October 25, 2023, 9:00am – 11:00am (EDT)
· Wednesday, November 8, 2023, 2:00pm – 4:00pm (EST)

Discussion Topics for Future Meetings

· Sneak peek/review of annual report template SPWG is working on
· Bulk download response from community about Reserved IDs
· Finalize 2023 CVE Program priorities
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting)
· Council of Roots update (every other meeting)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default configurations
· CVE Communications Strategy
· AI/ML vulnerabilities (August 30 meeting)