Re: [EXTERNAL] Re: CVE Board Meeting Summary: January 18, 2023

2023-01-25 Thread Art Manion


While it wasn't directly part of the discussion, this may be related:

   https://github.com/CVEProject/automation-working-group/issues/116

   https://github.com/CVEProject/cve-website/issues/1224

So keeping track of/logging all changes, but also adding owning_cna to the 
JSON, which requires some work on the services/backend.

  - Art


On 2023-01-25 10:14, Lisa Olson wrote:

> Someone can correct me if I’m wrong but the conversation, as I recall, was 
> around storing change history with regards to GDPR considerations.  MITRE 
> lawyers are digging into the implications and Madison Oliver is also doing 
> some research on behalf of GitHub and GDPR.
>
> Lisa
>
> *From:* Tod Beardsley
> *Sent:* Tuesday, January 24, 2023 5:39 PM
> *To:* Art Manion
> *Cc:* Landfield, Kent; CVE Program Secretariat; CVE Editorial Board Discussion
> *Subject:* [EXTERNAL] Re: CVE Board Meeting Summary: January 18, 2023
>
> I would expect so, Art. Is this a controversial issue? I assume there's some 
> context and nuance here.
>
> And yes, I'm fully prepared to take my absentee lumps, Kent. 8am Wednesdays 
> are no longer really great for me for calls (though it looks like I can join 
> on the bottom half pretty often).
>
> On Tue, Jan 24, 2023 at 3:58 PM Art Manion <zman...@protonmail.com> wrote:
>
> On 2023-01-24 16:48, Kent Landfield wrote:
>
>  > Reach out to the CNA community to gauge how important CVE Record 
>  > Change History is to them.
>
> Opinion:  CVE Record change history should be fully public and 
> transparent.
>
> While partially a separate question, this could be provided through a git 
> repo of JSON files.
>
>    - Art
>
>
> NOTICE OF CONFIDENTIALITY: At Rapid7, the privacy of our customers, partners, 
> and employees is paramount. If you received this email in error, please 
> notify the sender and delete it from your inbox right away. Learn how Rapid7 
> handles privacy at rapid7.com/privacy-policy 
> <https://www.rapid7.com/privacy-policy/>. To opt-out of Rapid7 marketing 
> emails, please click here 
> <https://information.rapid7.com/communication-preferences.html> 
> or email priv...@rapid7.com <mailto:priv...@rapid7.com>.
>



Re: [EXTERNAL] Re: CVE Board Meeting Summary: January 18, 2023

2023-01-25 Thread Chris Levendis

I’ll have an update at the TWG tomorrow morning regarding GDPR.

C

Chris Levendis
The MITRE Corporation
cleven...@mitre.org
(703) 298-8593


From: Lisa Olson
Sent: Wednesday, January 25, 2023 10:14:43 AM
To: Beardsley, Tod; Manion, Art
Cc: Landfield, Kent; CVE Program Secretariat; CVE Editorial Board Discussion
Subject: RE: [EXTERNAL] Re: CVE Board Meeting Summary: January 18, 2023


Hi Tod,

Someone can correct me if I’m wrong but the conversation, as I recall, was 
around storing change history with regards to GDPR considerations.  MITRE 
lawyers are digging into the implications and Madison Oliver is also doing some 
research on behalf of GitHub and GDPR.

Lisa



From: Tod Beardsley
Sent: Tuesday, January 24, 2023 5:39 PM
To: Art Manion
Cc: Landfield, Kent; CVE Program Secretariat; CVE Editorial Board Discussion
Subject: [EXTERNAL] Re: CVE Board Meeting Summary: January 18, 2023



I would expect so, Art. Is this a controversial issue? I assume there's some 
context and nuance here.



And yes, I'm fully prepared to take my absentee lumps, Kent. 8am Wednesdays are 
no longer really great for me for calls (though it looks like I can join on the 
bottom half pretty often).



On Tue, Jan 24, 2023 at 3:58 PM Art Manion <zman...@protonmail.com> wrote:

On 2023-01-24 16:48, Kent Landfield wrote:

> Reach out to the CNA community to gauge how important CVE Record Change 
> History is to them.

Opinion:  CVE Record change history should be fully public and transparent.

While partially a separate question, this could be provided through a git repo 
of JSON files.

  - Art




RE: [EXTERNAL] Re: CVE Board Meeting Summary: January 18, 2023

2023-01-25 Thread Lisa Olson

Hi Tod,

Someone can correct me if I'm wrong but the conversation, as I recall, was 
around storing change history with regards to GDPR considerations.  MITRE 
lawyers are digging into the implications and Madison Oliver is also doing some 
research on behalf of GitHub and GDPR.

Lisa

From: Tod Beardsley
Sent: Tuesday, January 24, 2023 5:39 PM
To: Art Manion
Cc: Landfield, Kent; CVE Program Secretariat; CVE Editorial Board Discussion
Subject: [EXTERNAL] Re: CVE Board Meeting Summary: January 18, 2023

I would expect so, Art. Is this a controversial issue? I assume there's some 
context and nuance here.

And yes, I'm fully prepared to take my absentee lumps, Kent. 8am Wednesdays are 
no longer really great for me for calls (though it looks like I can join on the 
bottom half pretty often).

On Tue, Jan 24, 2023 at 3:58 PM Art Manion <zman...@protonmail.com> wrote:

On 2023-01-24 16:48, Kent Landfield wrote:

> Reach out to the CNA community to gauge how important CVE Record Change 
> History is to them.

Opinion:  CVE Record change history should be fully public and transparent.

While partially a separate question, this could be provided through a git repo 
of JSON files.

  - Art




Re: CVE Board Meeting Summary: January 18, 2023

2023-01-24 Thread Tod Beardsley

I would expect so, Art. Is this a controversial issue? I assume there's
some context and nuance here.

And yes, I'm fully prepared to take my absentee lumps, Kent. 8am Wednesdays
are no longer really great for me for calls (though it looks like I can
join on the bottom half pretty often).

On Tue, Jan 24, 2023 at 3:58 PM Art Manion  wrote:

> On 2023-01-24 16:48, Kent Landfield wrote:
>
> > Reach out to the CNA community to gauge how important CVE Record Change
> > History is to them.
>
> Opinion:  CVE Record change history should be fully public and transparent.
>
> While partially a separate question, this could be provided through a git
> repo of JSON files.
>
>   - Art


Re: CVE Board Meeting Summary: January 18, 2023

2023-01-24 Thread Art Manion

On 2023-01-24 16:48, Kent Landfield wrote:

> Reach out to the CNA community to gauge how important CVE Record Change 
> History is to them.

Opinion:  CVE Record change history should be fully public and transparent.

While partially a separate question, this could be provided through a git repo 
of JSON files.

  - Art



Re: CVE Board Meeting Summary: January 18, 2023

2023-01-24 Thread Kent Landfield

Ya miss a Board call and we assign you work. What is so complicated about that? 


Thank you, Gracias, Grazie, Mahalo, Merci, Σας ευχαριστώ, Bedankt, Danke, 
ありがとう, धन्यवाद!
--
Kent Landfield
Trellix
+1.817.637.8026
kent.landfi...@trellix.com

From: Tod Beardsley 
Date: Tuesday, January 24, 2023 at 2:43 PM
To: CVE Program Secretariat 
Cc: CVE Editorial Board Discussion 
Subject: Re: CVE Board Meeting Summary: January 18, 2023


What's this about?

> Reach out to the CNA community to gauge how important CVE Record Change 
> History is to them.

I am prepared to be reached. Or Dave Morse can just spring it on the CNACWG 
call tomorrow, he often shows up.


On Tue, Jan 24, 2023 at 2:31 PM CVE Program Secretariat <cve-prog-secretar...@mitre.org> wrote:

CVE Board Meeting Notes

January 18, 2023 (9:00 am – 11:00 am EST)

Agenda

•   9:00-9:05    Introduction

•   9:05-10:25   Topics

    o   Voting updates (deprecation of download formats, Transition Working Group)

    o   CVE Program priorities for the first half of 2023

•   10:25-10:35  Open Discussion

•   10:35-10:55  Review of Action Items

•   10:55-11:00  Closing Remarks

New Action Items from Today’s Meeting

Action Item # | New Action Item | Responsible Party | Due
01.18.01 | Schedule face-to-face meeting to discuss development of more efficient ID management practices. | Secretariat |
01.18.02 | Reach out to the CNA community to gauge how important CVE Record Change History is to them. | CNACWG Chair |
01.18.03 | Bring up for discussion with AWG the idea of using the same API for both website search capability and record repository search capability. | AWG Chair |

Voting Updates

  *   Deprecation of download formats

      *   The Board approved deprecating download formats by the end of 2023, 
          with 14 votes cast. Members who have not voted may do so until 
          midnight January 19, 2023, if they want to get their vote on the 
          record.

  *   Transition Working Group

      *   The Board approved making the Transition Working Group a permanent 
          working group, with 14 votes cast. Members who have not voted may do 
          so until midnight January 24, 2023, if they want to get their vote 
          on the record.

CVE Program Priorities for First Half of 2023

  *   Continuation of discussion started on January 12 at an out-of-cycle Board 
      meeting. Ongoing priorities are distinct from new priorities.
  *   Today’s discussion covered rows 23 through 39 in the spreadsheet "CVE 
      2023 Priorities draft v3.xlsx" used to identify and prioritize (high, 
      medium, low) important activities in 2023.
  *   The remaining rows 48-52 will be discussed at the next meeting. The 
      priorities spreadsheet will be updated to show the category (or 
      categories) each priority aligns with.

Open Discussion

  *   Out of time

Review of Action Items

  *   Out of time

Next CVE Board Meetings

•   Wednesday, February 1, 2023, 2:00pm – 4:00pm (EST)

•   Wednesday, February 15, 2023, 9:00am – 11:00am (EST)

•   Wednesday, March 1, 2023, 2:00pm – 4:00pm (EST)

•   Wednesday, March 15, 2023, 9:00am – 11:00am (EDT)

•   Wednesday, March 29, 2023, 2:00pm – 4:00pm (EDT)

•   Wednesday, April 12, 2023, 9:00am – 11:00am (EDT)

Discussion Topics for Future Meetings

•   Continue discussion on priorities for the first half of 2023 (rows 
48-52) (next meeting).

•   CVE Services updates and CVE Program website transition progress (as 
needed)

•   Working Group updates (every other meeting, next is February 1, 2023)

•   Council of Roots meeting highlights (next is February 1, 2023)

•   Researcher Working Group proposal for Board review

•   Vision Paper and Annual Report

•   Secretariat review of all CNA scope statements

•   Proposed vote to allow CNAs to assign for insecure default 
configurations

•   CVE Communications Strategy






Re: CVE Board Meeting Summary: January 18, 2023

2023-01-24 Thread Tod Beardsley

What's this about?

> Reach out to the CNA community to gauge how important CVE Record Change
> History is to them.

I am prepared to be reached. Or Dave Morse can just spring it on the CNACWG
call tomorrow, he often shows up.


On Tue, Jan 24, 2023 at 2:31 PM CVE Program Secretariat <cve-prog-secretar...@mitre.org> wrote:

> *CVE Board Meeting Notes*
>
> *January 18, 2023 (9:00 am – 11:00 am EST)*
>
> Agenda
>
> ·   9:00-9:05    Introduction
>
> ·   9:05-10:25   Topics
>
>     o   Voting updates (deprecation of download formats, Transition Working
>         Group)
>
>     o   CVE Program priorities for the first half of 2023
>
> ·   10:25-10:35  Open Discussion
>
> ·   10:35-10:55  Review of Action Items
>
> ·   10:55-11:00  Closing Remarks
>
> New Action Items from Today’s Meeting
>
> Action Item # | New Action Item | Responsible Party | Due
> 01.18.01 | Schedule face-to-face meeting to discuss development of more efficient ID management practices. | Secretariat |
> 01.18.02 | Reach out to the CNA community to gauge how important CVE Record Change History is to them. | CNACWG Chair |
> 01.18.03 | Bring up for discussion with AWG the idea of using the same API for both website search capability and record repository search capability. | AWG Chair |
>
> Voting Updates
>
> - Deprecation of download formats
>   - The Board approved deprecating download formats by the end of
>     2023, with 14 votes cast. Members who have not voted may do so until
>     midnight January 19, 2023, if they want to get their vote on the record.
> - Transition Working Group
>   - The Board approved making the Transition Working Group a
>     permanent working group, with 14 votes cast. Members who have not voted
>     may do so until midnight January 24, 2023, if they want to get their
>     vote on the record.
>
> CVE Program Priorities for First Half of 2023
>
> - Continuation of discussion started on January 12 at an out-of-cycle
>   Board meeting. Ongoing priorities are distinct from new priorities.
> - Today’s discussion covered rows 23 through 39 in the spreadsheet
>   "CVE 2023 Priorities draft v3.xlsx" used to identify and prioritize (high,
>   medium, low) important activities in 2023.
> - The remaining rows 48-52 will be discussed at the next meeting. The
>   priorities spreadsheet will be updated to show the category (or categories)
>   each priority aligns with.
>
> Open Discussion
>
> - Out of time
>
> Review of Action Items
>
> - Out of time
>
> Next CVE Board Meetings
>
> ·   Wednesday, February 1, 2023, 2:00pm – 4:00pm (EST)
>
> ·   Wednesday, February 15, 2023, 9:00am – 11:00am (EST)
>
> ·   Wednesday, March 1, 2023, 2:00pm – 4:00pm (EST)
>
> ·   Wednesday, March 15, 2023, 9:00am – 11:00am (EDT)
>
> ·   Wednesday, March 29, 2023, 2:00pm – 4:00pm (EDT)
>
> ·   Wednesday, April 12, 2023, 9:00am – 11:00am (EDT)
>
> Discussion Topics for Future Meetings
>
> ·   Continue discussion on priorities for the first half of 2023
> (rows 48-52) (next meeting).
>
> ·   CVE Services updates and CVE Program website transition progress
> (as needed)
>
> ·   Working Group updates (every other meeting, next is February 1,
> 2023)
>
> ·   Council of Roots meeting highlights (next is February 1, 2023)
>
> ·   Researcher Working Group proposal for Board review
>
> ·   Vision Paper and Annual Report
>
> ·   Secretariat review of all CNA scope statements
>
> ·   Proposed vote to allow CNAs to assign for insecure default
> configurations
>
> ·   CVE Communications Strategy
>


CVE Board Meeting Summary: January 18, 2023

2023-01-24 Thread CVE Program Secretariat

CVE Board Meeting Notes

January 18, 2023 (9:00 am - 11:00 am EST)

Agenda

*   9:00-9:05    Introduction

*   9:05-10:25   Topics

    o   Voting updates (deprecation of download formats, Transition Working Group)

    o   CVE Program priorities for the first half of 2023

*   10:25-10:35  Open Discussion

*   10:35-10:55  Review of Action Items

*   10:55-11:00  Closing Remarks

New Action Items from Today's Meeting

Action Item # | New Action Item | Responsible Party | Due
01.18.01 | Schedule face-to-face meeting to discuss development of more efficient ID management practices. | Secretariat |
01.18.02 | Reach out to the CNA community to gauge how important CVE Record Change History is to them. | CNACWG Chair |
01.18.03 | Bring up for discussion with AWG the idea of using the same API for both website search capability and record repository search capability. | AWG Chair |

Voting Updates

  *   Deprecation of download formats
      *   The Board approved deprecating download formats by the end of 2023, 
          with 14 votes cast. Members who have not voted may do so until 
          midnight January 19, 2023, if they want to get their vote on the 
          record.
  *   Transition Working Group
      *   The Board approved making the Transition Working Group a permanent 
          working group, with 14 votes cast. Members who have not voted may do 
          so until midnight January 24, 2023, if they want to get their vote 
          on the record.

CVE Program Priorities for First Half of 2023

  *   Continuation of discussion started on January 12 at an out-of-cycle Board 
      meeting. Ongoing priorities are distinct from new priorities.
  *   Today's discussion covered rows 23 through 39 in the spreadsheet "CVE 
      2023 Priorities draft v3.xlsx" used to identify and prioritize (high, 
      medium, low) important activities in 2023.
  *   The remaining rows 48-52 will be discussed at the next meeting. The 
      priorities spreadsheet will be updated to show the category (or 
      categories) each priority aligns with.

Open Discussion

  *   Out of time

Review of Action Items

  *   Out of time

Next CVE Board Meetings

*   Wednesday, February 1, 2023, 2:00pm - 4:00pm (EST)

*   Wednesday, February 15, 2023, 9:00am - 11:00am (EST)

*   Wednesday, March 1, 2023, 2:00pm - 4:00pm (EST)

*   Wednesday, March 15, 2023, 9:00am - 11:00am (EDT)

*   Wednesday, March 29, 2023, 2:00pm - 4:00pm (EDT)

*   Wednesday, April 12, 2023, 9:00am - 11:00am (EDT)

Discussion Topics for Future Meetings

*   Continue discussion on priorities for the first half of 2023 (rows 
48-52) (next meeting).

*   CVE Services updates and CVE Program website transition progress (as 
needed)

*   Working Group updates (every other meeting, next is February 1, 2023)

*   Council of Roots meeting highlights (next is February 1, 2023)

*   Researcher Working Group proposal for Board review

*   Vision Paper and Annual Report

*   Secretariat review of all CNA scope statements

*   Proposed vote to allow CNAs to assign for insecure default 
configurations

*   CVE Communications Strategy