CVE Board Meeting Notes
January 4, 2023 (2:00 pm - 4:00 pm EST)
Agenda
* 2:00-2:05 Introduction
* 2:05-3:25 Topics
o Working Group Updates
o CVE Program and Working Group Priorities for First Half of 2023
o CNA Category Type Definitions
o Roots Update
o CVE Board Satisfaction Survey Results
* 3:25-3:35 Open Discussion
* 3:35-3:55 Review of Action Items
* 3:55-4:00 Closing Remarks
New Action Items from Today's Meeting
Action Item # | New Action Item | Responsible Party | Due
01.04.01 | Send email to the private Board list asking members who could not attend today's meeting whether they approve of setting a deprecation date for download formats of no later than the end of 2023. | Secretariat | (none recorded)
01.04.02 | Send email to the private Board list asking members to vote on whether to make the TWG a permanent working group. | Secretariat | (none recorded)
01.04.03 | Set up a meeting with the Board and working group chairs to discuss 2023 priorities. In communications, stress the importance of attendance and urgency. | Secretariat | (none recorded)
01.04.04 | Send to the Board and working group chairs the current spreadsheet of responses received so far about 2023 priorities. | Secretariat | (none recorded)
01.04.05 | Send out an announcement to the community that the CNACWG Liaison for 2023 has been elected. | Secretariat | (none recorded)
Working Group Updates
* Automation Working Group (AWG)
  o 2022 summary of progress/accomplishments:
    o Began transition to the JSON 5 format.
    o Implemented the Record Submission and Upload Service (RSUS) with the CVE Services soft deploy (for early adopters and to identify any issues/bugs).
    o Developed a framework for ADP Pilot requirements.
    o Developed requirements for a JSON 5 bulk download capability.
    o Identified the remaining work needed to achieve the full automation target architecture, i.e., JSON 5 CVE List bulk download capability, User Registry, and User Registry Authorization data store.
  o JSON 5 is now the "format of record."
  o JSON 4 will continue to be supported until a future date TBD. The date to decommission the GitHub submission pilot is also TBD.
  o An overview of the transitional architecture (current state) was provided.
  o CVE Services hard deploy is scheduled for Q1 2023. This will include the JSON 5 bulk download capability and implementation of the remaining soft deploy bug fixes.
  o There was discussion about the importance of giving the community adequate lead time to prepare for the deprecation of JSON 4:
    o By the time hard deploy begins, the program will have a JSON 4 deprecation date that can be shared with users so they have time to adjust their operations.
    o The Board will make the final decision on a deprecation date, based on the recommendation from the Transition Working Group (TWG); the Outreach and Communications Working Group (OCWG) will support messaging to the user community.
    o All 10 Board members attending this meeting were in favor of establishing a deprecation date of "no later than the end of 2023." This was not a quorum, so an email will be sent to the Board private list asking members who could not attend to cast their vote.
* CNA Coordination Working Group (CNACWG)
  o In 2022, started conversations with both archive.org and the Library of Congress about archiving CVE references, and perhaps doing so automatically. That effort will continue in 2023.
  o Currently working on a "how to" guide for writing a CVE submitter robot. This is intended for CNAs that do not have strong technical backgrounds.
* Outreach and Communications Working Group (OCWG)
  o Objectives for 2023 include: membership recruitment, regular podcasts, a quarterly CVE story blog, supporting community members speaking at industry events, and helping identify target events.
  o The meeting schedule is changing to monthly to try to promote more participation.
  o Website content review continues.
* Strategic Planning Working Group (SPWG)
  o Finished out the year working on two documents, one of which is the CNA Rules document:
    o Currently identifying new content requirements, including in the area of cloud-related activities or services.
    o Updates or additions to the rules about transferring IDs are also needed.
    o Updates will be a focus for the next couple of months.
    o CNAs will have a chance to review.
  o Keeping an eye on the European Union (EU) Cyber Resilience Act (CRA) for potential impacts to the program.
* Transition Working Group (TWG)
  o The TWG was intended to be temporary, but the recommendation was made to make it permanent. Meetings have served as an opportunity for working group chairs to coordinate, discuss issues, and collaborate on recommendations to take to the Board.
  o In the absence of a quorum, an email will be sent to the Board private list for a vote on making the TWG permanent.
CVE Program and Working Group Priorities for First Half of 2023
* A request was sent to the Board and working group chairs in December for their input on 2023 priorities. There has been limited response. A spreadsheet of the responses received so far has been started.
* In the absence of a quorum, an off-cycle meeting will be set up with the Board and working group chairs to continue this discussion. The current spreadsheet will also be distributed so everyone knows what has already been submitted.
CNA Category Type Definitions
* At the last Board meeting, some changes were approved to the list of CNA Types. At that meeting, the Board requested formal definitions for each of the Types.
* Draft definitions were developed by the Secretariat and shown at the Council of Roots meeting this morning. Input was:
  o Consider changing Bug Bounty Program to Bug Bounty Service or Provider.
  o Limited confidence in the definitions of Hosted Service and Researcher.
* The Board agreed to change:
  o The Bug Bounty Program type to Bug Bounty Provider.
  o The description of Hosted Service to also include platform as a service and infrastructure as a service.
  o The National and Industry CERT type to just CERT.
* A CNA may self-identify as multiple types if needed.
* Descriptions may be revised in the future; these initial descriptions are a starting point.
* The program will update the existing Types on the program website and make any modifications based on CNA feedback.
Roots Update (topics from meeting on January 4)
* Roots discussed recruiting from the Critical Software list and the importance of coordination so that multiple Roots are not recruiting the same vendor.
* Roots plan to begin targeting national CERTs for recruitment.
* Priorities for 2023: One priority mentioned was to escalate completion of the transition from the old program website to the new site. Two things that need to be done first are completing the link "redirects" and completing the more robust search capability of the new site.
* CNA and Root activity metrics: One suggestion was to get metrics generation and reporting integrated into CVE Services, so that there are not multiple environments.
* The Secretariat is working to unify internal data sets, including standardizing CNA "shortnames." The community will be informed of any impactful changes, such as updates to some Partner page URLs.
CVE Board Satisfaction Survey Results
* Thirteen (13) responses were received from Board members to a short survey.
* Most responses were positive with respect to the usefulness of Board meetings and the time, duration, and frequency of meetings. There was some feedback for consideration:
  o Meetings are often just status briefings; there are too many issues that need to be discussed.
  o Some members attend but do not participate.
  o Two hours is too long. We need to be more concise. The frequency and duration need to be driven by what needs to be addressed.
  o Alternating the meeting time between morning and afternoon is only useful if European and Asian members are taking advantage of it. It complicates member scheduling.
* The survey will be sent out quarterly.
Open Discussion
* CNA Board Liaison: The call for nominations was sent out to CNAs on December 1; the nomination period lasted through December 31, 2022. Only one person was nominated. The question was asked whether it was necessary to go through the process of holding a vote/election, given that there is only one nominee. The Board voted unanimously on the call to not hold a vote for the CNA Board Liaison position, given that there is only one candidate.
Review of Action Items
Out of time.
Next CVE Board Meetings
* Wednesday, January 18, 2023, 9:00am - 11:00am (EST)
* Wednesday, February 1, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, February 15, 2023, 9:00am - 11:00am (EST)
* Wednesday, March 1, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, March 15, 2023, 9:00am - 11:00am (EDT)
* Wednesday, March 29, 2023, 2:00pm - 4:00pm (EDT)
Discussion Topics for Future Meetings
* CVE Services 2.1 and program website updates (on-going)
* Working Group updates (every other meeting, next is February 1, 2023)
* Council of Roots meeting highlights (next is February 1, 2023)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default
configurations
* CVE Communications Strategy