CVE Board Meeting Notes October 26, 2022 (9:00 am – 11:00 am EDT) Agenda
· 9:00-9:05 Introduction · 9:05-10:25 Topics o WG Updates o Welcome New Board Member · 10:25-10:35 Open Discussion · 10:35-10:55 Review of Action Items · 10:55-11:00 Closing Remarks New Action Items from Today’s Meeting Action Item # New Action Item Responsible Party Due 10.26.01 Identify HW vendors participating in CVE Program; compare CWE HW SIG membership to CNA membership and report results. 10.26.02 Develop new board member welcome kit. Secretariat Working Group Updates * Automation Working Group (AWG) * During October, the AWG focused on CVE Services 2.1 soft deployment. * The two phases of soft deploy went as planned and ended October 25. * A few issues (from a down-convert perspective) between JSON 4 and JSON 5 were identified during soft deployment. None were show-stoppers, and hard deployment will proceed as planned. Messaging to the user community about these issues will be discussed at the TWG meeting on October 27. * Outreach and Communications Working Group (OCWG) * Working with CNACWG; blog content has been developed and posted. * Current project is developing messaging to help counter concerns or objections to becoming a CNA. * Next project will be making sure that 2023 Summit content can be recorded, and that content can be broken out into discrete topics for viewing/reuse. * OCWG meeting attendance has been up and down lately, and some key members have moved on. * CNA Coordination Working Group (CNACWG) * There have been some new CNAs participating in the WG meeting. * CNAs have expressed interest in the upcoming workshop, so they can learn more about the new CVE services. * The chair suggested that maybe the CNA Operational Rules could be updated more frequently/incrementally (continuous integration, continuous deployment – CICD), rather than just a ‘big’ version update that occurs less frequently. There is a sense the CNA community would like that and benefit. * The idea would be to update continuously for small or quick updates, but still have significant version updates as needed for bigger and more time-consuming changes. * Incremental updates would be reserved for those that do not disrupt a CNA’s workflow. * The change would require ‘retooling’ of the current update process and selection of the technology or platform to use. It would also require criteria/rules to distinguish a small update from a big update. * Members liked the idea, and there was agreement by the Board members in attendance to ask the SPWG to flesh out the idea for further consideration. * Quality Working Group (QWG) * Version 5 schema has been finalized and released. * About 15 issues have been identified with the new schema and these will be addressed in version 5.1. One example is users would like the ability to add hardware version identification to a CVE Record. * None of these issues are major or interfering with CNA work. * It was suggested to leave 5.0 in place long enough to identify other issues that may have not been discovered yet, given the early stage of deployment. * QWG will collaborate with AWG to define the 5.1 updates and determine a logical time to release. * Slides/content about potential schema updates and timing will be prepared by QWG for the upcoming CVE Services 2.1 workshop on November 2. * Transition Working Group (TWG) * Recent activity has focused on preparing for the workshop on November 2. * A member asked about current status of the next bulletin to the user community. * AWG and OCWG worked together to draft Bulletin #11. The next step is review by TWG, hopefully at the TWG meeting on October 27. * Target posting/publishing is by the end of this week. * Strategic Planning Working Group (SPWG) * The current major activity is finalizing the CVE Program Governance and Organization document. No set timeline yet for completion. * The next big activity will be finalizing the CNA Operational Rules update. Welcome New Board Member * Pete Allor (Red Hat, Inc.) is the Board’s newest member, as of October 24. Open Discussion * CVE Record Dispute Policy * A researcher filed a dispute for CVE record 2022-28958<https://nvd.nist.gov/vuln/detail/CVE-2022-28958>, which is on the CISA KEV<https://www.cisa.gov/known-exploited-vulnerabilities-catalog> list. The researcher disputes that the vulnerability is a real vulnerability. * The dispute was filed October 3 (est.), and after three weeks, the researcher had not heard back about status of the dispute. * The recent Dispute Policy update specifies SLAs that have already been missed. * The Secretariat will look into what happened with this dispute, and how there can be better communications about dispute process status. * Disputes about records on the KEV<https://www.cisa.gov/known-exploited-vulnerabilities-catalog> list should be communicated to CISA. * Hardware CVE Records * NIST has responsibility under the CHIPS Act<https://www.nist.gov/semiconductors/chips-act> which is about improving chip capability production capabilities in the U.S. and improving security in hardware. * There have been recent discussions between NIST and stakeholders about this subject, and some feedback has been provided about the lack of CVE records for hardware vulnerabilities. * It is not always easy to identify a hardware vulnerability. Some vulnerabilities are easy to distinguish between software or hardware, but in other cases it is not clear. Better definition of a hardware vulnerability would help. * It is not currently easy to query records to identify which ones (or how many) are hardware vulnerabilities. How can the program get better data for this? Also, how can the program improve its process for assigning hardware vulnerabilities? * NIST is interested in getting experts together to look into how to answer these questions. Are members of the Board interested? An email will be sent to the Board to gauge interest. * Maybe add a hardware tag to the record. * The question was asked about the level of hardware vendor CNA involvement in the CVE Program. The program will look into this and report back. A review of which CWE HW SIG members are CVE CNAs will be conducted and the results reported to the Board on the private email list. * Members of the program will attend a CWE HW SIG meeting to discuss the value proposition of participating in CVE. * The suggestion was made to provide guidance on how to choose the correct communication channel for different messaging/audiences. For example, private or public list, Slack, Discord, etc. The Secretariat will include this information in a new board member welcome kit. A Board channel in Slack was created during this discussion, and the link will be provided via email. * JSON 5.0 Character Limits * The Secretariat sent an email to NIST concerning whether JSON 5.0 character limits affect NVD’s<https://nvd.nist.gov/> ability to pull data from CVE. * Questions about/for NVD can be directed straight to them. Next CVE Board Meetings · Wednesday, November 9, 2022, 2:00pm – 4:00pm (EST) · Wednesday, November 23, 2022, 9:00am – 11:00am (EST) · Wednesday, December 7, 2022, 2:00pm – 4:00pm (EST) · Wednesday, December 21, 2022, 9:00am – 11:00am (EST) · Wednesday, January 4, 2023, 2:00pm – 4:00pm (EST) · Wednesday, January 18, 2023, 9:00am – 11:00am (EST) Discussion Topics for Future Meetings · CVE Services 2.1 updates (on-going) · Working Group updates (every other meeting) · Council of Roots meeting highlights (aligned with Council of Roots meeting dates) · Researcher Working Group proposal for Board review · Vision Paper and Annual Report · Secretariat review of all CNA scope statements · Proposed vote to allow CNAs to assign for insecure default configurations