CVE Board Meeting Notes

August 16, 2023 (2:00 pm – 4:00 pm EDT)

Agenda

·       2:00-2:05        Introduction

·       2:05-3:25        Topics

           *   Vote Update
           *   Vulnerability Conference Working Group (VCWG) Charter Review

·       3:25-3:35        Open Discussion

·       3:35-3:55        Review of Action Items

·       3:55-4:00        Closing Remarks

New Action Items from Today’s Meeting

  *   New Action Item: Draft messaging for the Spring hybrid conference (e.g., 
save the date, set the stage for the conference, value to attend, call for 
papers) so that VCWG can use it in its outreach activities.
  *   Responsible Party: Secretariat
  *   Due: (none listed)

Vote Update

  *   An update on a recent Executive Session Board meeting vote was provided.

Vulnerability Conference Working Group (VCWG) Charter Review

  *   A link to the draft charter was provided to members with the Board 
meeting agenda V2 email on August 16.
  *   Chairs are seeking Board approval so they can begin recruiting members 
and establishing timeline milestones.
  *   Question: What does the Board think about allowing membership from 
outside the CNA community? Answer: No objection to allowing wider participation.
  *   Question: Should there be a limit to membership size? Answer: No need to 
limit the number of members at this time. The chair may limit size in the 
future, if necessary. The Chair may also remove a member for unprofessional 
conduct, disruptive behavior, etc.
  *   Membership section to be updated to reflect answers to the two questions 
above.
  *   Include a link to the CVE Program Professional Code of Conduct 
<https://www.cve.org/ResourcesSupport/AllResources/ProfessionalCodeOfConduct> 
in the charter; no need to re-create the policy in the charter.
  *   The biggest part is just people rolling their sleeves up and doing 
something to move the ball forward. It will take many hands to make this 
conference happen.
  *   Question: Should the charter have a statement about “for-profit 
motivations?” For example, can someone join (or not) just to sell their wares 
to CNAs? Answer: Statement not necessary; could be helpful in communicating the 
event and value of CVE, and could provide a co-sponsorship opportunity.
  *   An update will be forwarded to the Board on the email list, with a 
request for final edits or comments. No response means acceptance. When final, 
the Secretariat will post the charter to the CVE website.
  *   Initial meeting and cadence are TBD; Co-Chairs are discussing who they 
think might be interested so that they can contact them and schedule the first 
meeting.
  *   Question: Is the VCWG planning both the virtual conference and the hybrid 
(in-person and virtual) conference? Answer: Focus is the 2024 hybrid 
conference, tentatively scheduled for late March. The Secretariat will lead 
planning for the upcoming Fall 2023 virtual conference (planning needs to start 
soon; ADP pilot and JSON 5 are potential topics).
  *   Secretariat will draft messaging (e.g., save the date, set the stage for 
the conference, value to attend, call for papers) about the Spring conference 
so that VCWG can use it in its outreach activities.

Open Discussion

  *   A Board member mentioned that Microsoft has published its AI Bug Bar 
(Microsoft Vulnerability Severity Classification for Artificial Intelligence 
and Machine Learning Systems <https://www.microsoft.com/en-us/msrc/aibugbar>) 
and an MSRC blog post explaining it (Updating our Vulnerability Severity 
Classification for AI Systems | MSRC Blog | Microsoft Security Response Center 
<https://msrc.microsoft.com/blog/2023/08/Updating-our-Vulnerability-Severity-Classification-for-AI-Systems/>).
  *   ADP Pilot
     *   CISA received their credentials and has begun experimentation with the 
ADP demonstration instance.
     *   The References ADP pilot is expected to get rolling in mid to late 
September.
     *   Comment: The end of September is supposed to be the timeframe for 
starting production. Response: Not expecting the References pilot to last more 
than a few days, so entering production by the end of September is still 
possible.
  *   CNACWG Chair has started a research project to count how many CVE 
references link to dead domains; he will present results at the next Board 
meeting in two weeks.

Review of Action Items

None.

Next CVE Board Meetings

·       Wednesday, August 30, 2023, 9:00am – 11:00am (EDT)

·       Wednesday, September 13, 2:00pm – 4:00pm (EDT)

·       Wednesday, September 27, 2023, 9:00am – 11:00am (EDT)

·       Wednesday, October 11, 2023, 2:00pm – 4:00pm (EDT)

·       Wednesday, October 25, 2023, 9:00am – 11:00am (EDT)

·       Wednesday, November 8, 2023, 2:00pm – 4:00pm (EST)

Discussion Topics for Future Meetings

·       Sneak peek/review of annual report template SPWG is working on

·       Bulk download response from community about Reserved IDs

·       Finalize 2023 CVE Program priorities

·       CVE Services updates and website transition progress (as needed)

·       Working Group updates (every other meeting)

·       Council of Roots update (every other meeting)

·       Researcher Working Group proposal for Board review

·       Vision Paper and Annual Report

·       Secretariat review of all CNA scope statements

·       Proposed vote to allow CNAs to assign for insecure default 
configurations

·       CVE Communications Strategy

·       AI/ML vulnerabilities (August 30 meeting)


