CVE Board Meeting Notes
February 1, 2023 (2:00 pm – 4:00 pm EST)

Agenda
· 2:00-2:05 Introduction
· 2:05-3:25 Topics
  o GDPR Conclusion
  o Council of Roots Update
  o Working Groups Updates
  o CVE Program Priorities for the First Half of 2023 (cont.)
  o CVE Program Global Summit: Agenda
· 3:25-3:35 Open Discussion
· 3:35-3:55 Review of Action Items
· 3:55-4:00 Closing Remarks

New Action Items from Today’s Meeting

| Action Item # | New Action Item | Responsible Party | Due |
|---|---|---|---|
| 02.01.01 | Ask CNA community and working groups if they have concerns, or know of a use that would be harmed, if bulk download capability of Reserved IDs was stopped. If no, the capability will be stopped. | Secretariat | two weeks for response |
| 02.01.02 | Consult with AWG to discuss level of effort to turn off bulk download of Reserved IDs. | AWG Chair | |
| 02.01.03 | Start inserting redirects from the old to the new website. | Secretariat | |
| 02.01.04 | Update 2023 Priorities spreadsheet and send to the Board. Target finalization at next Board meeting. | Secretariat | |
| 02.01.05 | Send request for Summit agenda ideas to the Board list. Include spreadsheet of ideas from today’s meeting. | Secretariat | |

GDPR Conclusion

* General Data Protection Regulation (GDPR) comes out of the European Union (EU). The CVE Program consulted the MITRE legal team to get a legal opinion about GitHub compliance in the context of the bulk download architecture.
* The GitHub architecture is good to go and the program knows what it has to do to comply with GDPR.

Council of Roots Update

* Discussed CNA recruiting and onboarding status.
* Asked for Root input on Summit agenda topics.
* Asked for input on program priorities for first half of 2023.
* Provided an overview of upcoming program website updates, e.g., new CNA Types.
* Discussion about Root capabilities to manage their CNA credentials for CVE Services, and have access to CNA information, e.g., metrics. Root requirements will be rolled into the overall User Registry requirements.

Working Group Updates

* OCWG
  * Published the ‘Our CVE Story’ blog about why Red Hat became a root.
  * Held a podcast production meeting with SPWG Chair.
  * New OCWG meeting schedule to be announced soon.
* SPWG
  * Continuing to work on the CNA rules update. A cloud decision tree will be started soon to improve rules around cloud service providers and different types of cloud architectures.
* TWG
  * Supporting AWG with defining User Registry requirements.
  * Discussion of forking vs not forking the Vulnogram client for program use.
  * Feedback has been received that CVE clients are not intuitive; the TWG will discuss and come up with solutions.
  * Discussion about the problem type field and the weakness field in JSON 5 records, and whether they are required or optional. Further Board discussion needed and results to be included in the CNA Rules update.

CVE Program Priorities for the First Half of 2023

* Reviewed and discussed rows 49-53 (see spreadsheet for details)
* Next steps: Send out updated priorities spreadsheet (create new column for Priority, insert references to dependencies) to the Board, target next Board meeting for finalizing.

CVE Program Global Summit: Agenda

* The program is collecting agenda items for the upcoming Summit (March 22-23). A request was sent to the CNA list, and Roots were asked for their input at their meeting this morning.
* Some ideas were discussed; additional Board input will be requested via the mailing list.

Open Discussion

Out of time

Review of Action Items

Out of time

Next CVE Board Meetings

· Wednesday, February 15, 2023, 9:00am – 11:00am (EST)
· Wednesday, March 1, 2023, 2:00pm – 4:00pm (EST)
· Wednesday, March 15, 2023, 9:00am – 11:00am (EDT)
· Wednesday, March 29, 2023, 2:00pm – 4:00pm (EDT)
· Wednesday, April 12, 2023, 9:00am – 11:00am (EDT)
· Wednesday, April 26, 2:00pm – 4:00pm (EDT)

Discussion Topics for Future Meetings

· Continue discussion about 2023 priorities – start down-select process
· CVE Services updates and CVE Program website transition progress (as needed)
· Working Group updates (every other meeting, next is March 1, 2023)
· Council of Roots meeting highlights (next is March 1, 2023)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default configurations
· CVE Communications Strategy