CVE Board Meeting Notes
March 29, 2023 (2:00 pm - 4:00 pm EDT)
Agenda
* 2:00-2:05 Introduction
* 2:05-3:25 Topics
* Council of Roots Update
* Working Group Updates
* Summit Takeaways
* KEV Data Addition to the Corpus
* CVE Program Registry Effort
* Hard Deploy Update
* TWG Official Name Change
* Clarification: When JSON 4.0 "Submission" Should be Discontinued
* CVE Records Transfer from Submitters to Newly Onboarded CNAs
* 3:25-3:35 Open Discussion
* 3:35-3:55 Review of Action Items
* 3:55-4:00 Closing Remarks
New Action Items from Today's Meeting
Action Item #
New Action Item
Responsible Party
Due
03.29.01
Check with Summit presenters and ask if they're okay having their presentations
shared publicly.
Secretariat
03.29.02
Notify users that JSON 4 submissions will be deprecated in 90 days.
Secretariat
Council of Roots Update
* Good attendance at the March 29 meeting.
* Positive feedback received about the summit with some suggestions for
future summits.
* Red Hat, CISA ICS and MITRE have announced new CNAs in the last 30 days.
* MITRE and CISA ICS working together for onboarding NCSC Finland (CERT)
Working Group Updates
* CNA Coordination Working Group (CNACWG)
* No meeting last week, attended summit.
* CNA Mentor Program is rebooted.
* Strategic Planning Working Group (SPWG)
* Most of the work right now is on cloud-related updates to the CNA
Rules.
* Have started to assist with the record elements we need for the user
registry.
* Tactical Working Group (TWG)
* Working group name has changed (see TWG Official Name Change topic).
* A next effort is to reduce the list of folks using JSON 4 submission.
* Quality Working Group (QWG)
* Identified a bug in the JSON 5 schema that allows a typo in certain
fields.
* Working on the fix and have notified the two affected CNAs. Minor
change.
* Automation Working Group (AWG)
* Hard deploy has occurred; recent activity has been about closing out
final issues.
* Next big rocks: Authorized Data Publisher (ADP) pilot, User Registry.
* Outreach and Communications Working Group (OCWG)
* At the March 29 meeting, talked about feedback from the summit, who is
going to RSA and other conferences, and updates on podcasts and blogs.
* Question: Is it okay to use the "State of the Program" presentation
content from the summit in a podcast for broader public distribution? Answer:
No objections.
* Question: Can we share full videos (from the summit) with CNA's and
board members? Answer: Probably not a problem, but the program will check with
presenters first (action item).
Summit Takeaways (Open Comment)
* Hybrid attendance format was not optimal.
* Would have liked more time to hear from the community/participants, not
program.
* Do not overburden one presenter with too many agenda topics.
* There was a session that presented a new way of looking at CVE. Need more
sessions like that, i.e., more than just status and direction/guidance. How is
CVE being used?
* Begin planning of Summit earlier to better support preparation.
* Need more discussion about how CVE is being used in organizations.
* Think about breakout sessions and having separate tracks to help people
who are new versus the more advanced users.
* Have a prepared list of questions or 'discussion starters' to stimulate
discussion.
* Logistics could have been better, e.g., not enough microphones, a lot of
passing around.
* Important to start looking at how we apply CVE for the downstream
vulnerability management community.
* Consider co-locating the next summit with the FIRST conference to make it
easier for broader in-person participation.
* Expect to have a few ADPs by the next summit - that should be a topic.
* More break time for opportunity to network for in-person attendees.
KEV Data Addition to the Corpus
* Issues with the CRA doing exploited vulnerabilities. It's the same kind
of thing that KEV is doing. Trying to put it into law.
* Explore the idea of incorporating
KEV<https://www.cisa.gov/known-exploited-vulnerabilities> data into CVE.
CVE Program Registry Effort
* Held a meeting February 21 to review the user registry CONOPS and
documentation from 2018 and verify we are still on the right path. Concepts are
still in line, but some changes to the documents will be made. A follow-on
meeting held after the summit to get into more specifics went well.
* Intent is to establish the record elements for what's turning into a CVE
Program data repository (not just user registry). There is no schema yet.
* Suggestion made to add logos as a data element.
* Get registry defined well enough that AWG can implement.
* User registry portion will tie in with authentication services.
Hard Deploy Update
* The CVE Services hard deploy milestone was met earlier today.
* Bulk download capability is now available to downstream users. Available
in zip file format.
* Some minor issues are being worked.
*
CVE.org<https://www.cve.org/Media/News/item/blog/2023/03/29/CVE-Downloads-in-JSON-5-Format>
has been updated to reflect new download capability.
* Talking with the TWG tomorrow about bulletin 15 to the CNAs announcing
hard deploy and what that means. Will also be announced on Slack.
TWG Official Name Change
* There were no objections to the proposal to change the name of the
Transition Working Group to the Tactical Working Group.
* The TWG will have an operational focus.
* Charter development is underway.
Clarification: When Should JSON 4.0 "Submission" be Discontinued
* A question came up at the summit about when submission of JSON 4 records
will be discontinued (downloads will be discontinued by the end of 2023 -
already announced).
* A small number (69) of users are using Git Hub for JSON 4 submissions.
Send out targeted notice that JSON 4 submissions will not be accepted after 90
days (action item).
* Revise training and onboarding materials to remove references to JSON 4
submissions.
CVE Records Transfer from Submitters to Newly Onboarded CNAs
* There has been a long standing program practice to not transfer existing
CVEs to new CNAs. Should we change that practice?
* Consensus was to not change. The CNA can make a request for a CVE
transfer on a case by case basis. A transfer can be made when appropriate.
Open Discussion
* Seem to be propagating the text "and not in another CNA's scope"
constantly. It should not be a default; it should only be added to scopes where
appropriate, such as when a CNA is doing research into vulnerabilities beyond
their own products. No objections.
Review of Action Items
* 06.23.01 (2022 Annual Report). There was agreement to close this action
item and try again for the 2023 Annual Report. Suggestion was made to start
planning content and layout earlier. Example shared: Intel 2021 Product
Security
Report<https://www.intel.com/content/www/us/en/security/intel-2021-product-security-report.html>.
Next CVE Board Meetings
* Wednesday, April 12, 2023, 9:00am - 11:00am (EDT)
* Wednesday, April 26, 2023, 2:00pm - 4:00pm (EDT)
* Wednesday, May 10, 2023, 9:00am - 11:00am (EDT)
* Wednesday, May 24, 2023, 2:00pm - 4:00pm (EDT)
* Wednesday, June 7, 2023, 9:00am - 11:00am (EDT)
* Wednesday, June 21, 2023, 2:00pm - 4:00pm (EDT)
Discussion Topics for Future Meetings
* Bulk download response from community about Reserved IDs
* Finalize 2023 CVE Program priorities
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting, next is April 26, 2023)
* Council of Roots meeting highlights (next is April 26, 2023)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default
configurations
* CVE Communications Strategy
