CVE Board Meeting Notes
March 29, 2023 (2:00 pm - 4:00 pm EDT)

Agenda
* 2:00-2:05 Introduction
* 2:05-3:25 Topics
  * Council of Roots Update
  * Working Group Updates
  * Summit Takeaways
  * KEV Data Addition to the Corpus
  * CVE Program Registry Effort
  * Hard Deploy Update
  * TWG Official Name Change
  * Clarification: When JSON 4.0 "Submission" Should be Discontinued
  * CVE Records Transfer from Submitters to Newly Onboarded CNAs
* 3:25-3:35 Open Discussion
* 3:35-3:55 Review of Action Items
* 3:55-4:00 Closing Remarks

New Action Items from Today's Meeting

| Action Item # | New Action Item | Responsible Party | Due |
|---|---|---|---|
| 03.29.01 | Check with Summit presenters and ask if they're okay having their presentations shared publicly. | Secretariat | |
| 03.29.02 | Notify users that JSON 4 submissions will be deprecated in 90 days. | Secretariat | |

Council of Roots Update
* Good attendance at the March 29 meeting.
* Positive feedback received about the summit, with some suggestions for future summits.
* Red Hat, CISA ICS and MITRE have announced new CNAs in the last 30 days.
* MITRE and CISA ICS are working together on onboarding NCSC Finland (CERT).

Working Group Updates
* CNA Coordination Working Group (CNACWG)
  * No meeting last week; attended the summit.
  * CNA Mentor Program has been rebooted.
* Strategic Planning Working Group (SPWG)
  * Most of the work right now is on cloud-related updates to the CNA Rules.
  * Have started to assist with the record elements needed for the user registry.
* Tactical Working Group (TWG)
  * Working group name has changed (see the TWG Official Name Change topic below).
  * A next effort is to reduce the list of folks still using JSON 4 submission.
* Quality Working Group (QWG)
  * Identified a bug in the JSON 5 schema that allows a typo in certain fields.
  * Working on the fix and have notified the two affected CNAs. Minor change.
* Automation Working Group (AWG)
  * Hard deploy has occurred; recent activity has been about closing out final issues.
  * Next big rocks: Authorized Data Publisher (ADP) pilot, User Registry.
* Outreach and Communications Working Group (OCWG)
  * At the March 29 meeting, talked about feedback from the summit, who is going to RSA and other conferences, and updates on podcasts and blogs.
  * Question: Is it okay to use the "State of the Program" presentation content from the summit in a podcast for broader public distribution? Answer: No objections.
  * Question: Can we share full videos (from the summit) with CNAs and board members? Answer: Probably not a problem, but the program will check with presenters first (action item).

Summit Takeaways (Open Comment)
* Hybrid attendance format was not optimal.
* Would have liked more time to hear from the community/participants, not the program.
* Do not overburden one presenter with too many agenda topics.
* There was a session that presented a new way of looking at CVE. Need more sessions like that, i.e., more than just status and direction/guidance. How is CVE being used?
* Begin planning the Summit earlier to better support preparation.
* Need more discussion about how CVE is being used in organizations.
* Think about breakout sessions and having separate tracks to help people who are new versus the more advanced users.
* Have a prepared list of questions or "discussion starters" to stimulate discussion.
* Logistics could have been better, e.g., not enough microphones, a lot of passing around.
* Important to start looking at how we apply CVE for the downstream vulnerability management community.
* Consider co-locating the next summit with the FIRST conference to make it easier for broader in-person participation.
* Expect to have a few ADPs by the next summit; that should be a topic.
* More break time to give in-person attendees the opportunity to network.

KEV Data Addition to the Corpus
* Issues with the CRA addressing exploited vulnerabilities. It is the same kind of thing that KEV is doing, but trying to put it into law.
* Explore the idea of incorporating KEV <https://www.cisa.gov/known-exploited-vulnerabilities> data into CVE.

CVE Program Registry Effort
* Held a meeting February 21 to review the user registry CONOPS and documentation from 2018 and verify we are still on the right path. Concepts are still in line, but some changes to the documents will be made. A follow-on meeting held after the summit to get into more specifics went well.
* Intent is to establish the record elements for what is turning into a CVE Program data repository (not just a user registry). There is no schema yet.
* Suggestion made to add logos as a data element.
* Get the registry defined well enough that the AWG can implement it.
* The user registry portion will tie in with authentication services.

Hard Deploy Update
* The CVE Services hard deploy milestone was met earlier today.
* Bulk download capability is now available to downstream users, in zip file format.
* Some minor issues are being worked.
* CVE.org <https://www.cve.org/Media/News/item/blog/2023/03/29/CVE-Downloads-in-JSON-5-Format> has been updated to reflect the new download capability.
* Talking with the TWG tomorrow about bulletin 15 to the CNAs announcing hard deploy and what that means. Will also be announced on Slack.

TWG Official Name Change
* There were no objections to the proposal to change the name of the Transition Working Group to the Tactical Working Group.
* The TWG will have an operational focus.
* Charter development is underway.

Clarification: When Should JSON 4.0 "Submission" be Discontinued
* A question came up at the summit about when submission of JSON 4 records will be discontinued (downloads will be discontinued by the end of 2023, as already announced).
* A small number (69) of users are using GitHub for JSON 4 submissions. Send out a targeted notice that JSON 4 submissions will not be accepted after 90 days (action item).
* Revise training and onboarding materials to remove references to JSON 4 submissions.

CVE Records Transfer from Submitters to Newly Onboarded CNAs
* There has been a long-standing program practice of not transferring existing CVEs to new CNAs. Should we change that practice?
* Consensus was to not change. The CNA can make a request for a CVE transfer on a case-by-case basis. A transfer can be made when appropriate.

Open Discussion
* The text "and not in another CNA's scope" seems to be propagated constantly. It should not be a default; it should only be added to scopes where appropriate, such as when a CNA is doing research into vulnerabilities beyond its own products. No objections.

Review of Action Items
* 06.23.01 (2022 Annual Report). There was agreement to close this action item and try again for the 2023 Annual Report. Suggestion was made to start planning content and layout earlier. Example shared: Intel 2021 Product Security Report <https://www.intel.com/content/www/us/en/security/intel-2021-product-security-report.html>.

Next CVE Board Meetings
* Wednesday, April 12, 2023, 9:00am - 11:00am (EDT)
* Wednesday, April 26, 2023, 2:00pm - 4:00pm (EDT)
* Wednesday, May 10, 2023, 9:00am - 11:00am (EDT)
* Wednesday, May 24, 2023, 2:00pm - 4:00pm (EDT)
* Wednesday, June 7, 2023, 9:00am - 11:00am (EDT)
* Wednesday, June 21, 2023, 2:00pm - 4:00pm (EDT)

Discussion Topics for Future Meetings
* Bulk download response from community about Reserved IDs
* Finalize 2023 CVE Program priorities
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting, next is April 26, 2023)
* Council of Roots meeting highlights (next is April 26, 2023)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy