CVE Board Meeting Notes
May 24, 2023 (2:00 pm - 4:00 pm EDT)

Agenda
* 2:00-2:05 Introduction
* 2:05-3:25 Topics
  * Working Group Updates
  * ADP Pilot
  * Summit Planning Sub-Working Group
  * GitHub Pilot Retirement
* 3:25-3:35 Open Discussion
* 3:35-3:55 Review of Action Items
* 3:55-4:00 Closing Remarks

New Action Items from Today's Meeting

Action Item # | New Action Item | Responsible Party | Due
05.24.01 | Send notification to CNAs and the Board about using Monday.com for RBP tracking/status. Include instructions for getting access. | Secretariat |
05.24.02 | Review the RBP process to better understand its strengths and weaknesses. | Project Leader |

Working Group Updates
* Automation Working Group (AWG)
  * Current focus is on the ADP Pilot and working with the SPWG to define and implement requirements.
  * Also fixing the remaining CVE Services issues.
  * Available to provide consultation to CNAs who are having technical trouble migrating to JSON 5. This would supplement the existing training materials, videos, and documentation.
* CNA Coordination Working Group (CNACWG)
  * Actively archiving CVE references at archive.org<http://archivebot.com/beta>. About halfway through.
  * Question: There was good discussion at the Summit about the mentoring program. Have you seen any increase in either those wanting to mentor or those wanting to get help?
  * Answer: There has been a slight uptick in folks signing up for mentoring, and right now nearly everyone is matched up with a mentor.
* Quality Working Group (QWG)
  * Working with the AWG through a handful of issues related to the JSON 5 record format. When ready, will do a patch release.
  * Also talking about updates for the next minor release.
* Outreach and Communications Working Group
  * Two podcasts in the pipeline:
    * One scheduled for recording next Wednesday with CISA to address misconceptions some organizations have about becoming a CNA.
    * The other is to be scheduled with the SPWG, and is about leveraging KEV<https://www.cisa.gov/known-exploited-vulnerabilities> for CVE.
  * Published a blog about the Summit, designed to encourage recruitment and show CVE as a community and its benefits.
  * Revisions of the introduction video about CVE are well underway.
  * Question: Is it possible, when you post blogs and other items to the website, to send an email to the Board list so we can help promote it and spread the word?
  * Answer: Yes, we can start doing that for blogs, podcasts, and videos.
* Strategic Planning Working Group (SPWG)
  * Two recent focus areas:
    * ADP pilot requirements (working with the AWG) are in pretty good shape. The ADP pilot will initially focus on references and getting references operational.
    * Also working on the CNA Rules update. Getting some pushback on cloud rules and the definition of cloud technology.
* Tactical Working Group (TWG)
  * Continued working on the schedule for getting the API endpoints in place.
  * The program has a backup plan that can be used to help CNAs in an emergency, e.g., a large upload when Vulnogram is down.
  * Comment about maybe moving ADP under the TWG (and away from the SPWG) at some point after implementation gets underway.
  * Question: For the AWG, what is happening with the new website search capability?
  * Answer: Requirements were solicited; working on user stories and a development schedule with the TWG. It is the second priority after the ADP pilot.

ADP Pilot
* CVE Services interfaces are scheduled to be released into the testing environment the week of June 19.
* Code can be viewed on the GitHub repository.
* Test management and design strategy are in progress.
* Agreement that testing should be on a complete copy of production data.
* Agreement that no data will move from the test environment to the production environment.
* Discussion about having three environments: a dedicated test environment for the user community, and internal test and production environments. Will look into this and report back.
* Agreement to notify the community that data can be wiped at any time and that this should be expected.
* The Board agreed with the recommendation to not make any changes to the website for the ADP pilot. How to render ADP information on the site will be part of ADP production planning, not pilot planning.
* The Secretariat ADP Reference pilot is moving along nicely. Some prototype code has been developed, which will be publicly available.

Summit Planning Sub-Working Group
* Since the last meeting, the idea of the Summit sub-WG was mentioned to the community (at the CNACWG meeting).
* An active CNA is interested in leading the new group, and a Board member also volunteered to help lead the effort.
* The Working Group Operations Handbook<https://www.cve.org/Resources/Roles/WorkingGroups/CVE-Working-Group-Operations-Handbook-v1-0.pdf> is a useful resource to get started with a new working group. An early task is the development of the Charter. An example will be provided.

GitHub Pilot Retirement
* Notified CNAs about the June 30 date to discontinue using the web request form.
* Notified the subset (31) of CNAs that have used the GitHub submission pilot in the last year that the pilot will shut down after June 30. Custom emails (based on CNA usage) were sent with guidance on transitioning to CVE Services.
* Set up two June meetings where participants in the pilot will be asked to send a representative to tell us their transition plans, ask questions, etc.
* The program will be prepared to provide additional support after June 30 for any CNAs that need it. Also, CNAs can use the Slack channel to get help from other members of the community.

Open Discussion
* The July 5 meeting will be cancelled due to the U.S. Independence Day holiday.
* RBPs
  * CNAs used to get monthly/quarterly notifications about RBPs. Now, everybody has an RBP board on Monday.com, and you have to go look up your RBP status. Need to get RBPs back on the radar.
  * The process was changed to make better use of program resources and give CNAs the flexibility to see their RBP status at any time.
  * A notice will be sent to all CNAs and the Board about the change and instructions for getting access to Monday.com (action).
  * A review of the RBP process will be performed to better understand its strengths and weaknesses (action).
  * Question: Are there two different scrapers, one for RBPs and one for References? Do they use the same technology?
  * Answer: For References, the program uses DIFFBOT<https://www.diffbot.com/>. For RBPs, we use custom scrapers. No further development is planned for these; there are too many website changes, and they cannot scale. We must rely on them until new technology is in place, and there are higher priorities right now.
  * Question: Do all Board members have a Monday.com account?
  * Answer: No. A summary roll-up version of the RBP data will be generated and provided to the Board. Longer term, Board members will be provided access to Monday.com after the transition to the enterprise version on June 1. It will take a few weeks after June 1 to fully integrate with our corporate authentication systems and to learn the new features and more granular controls that we gain with enterprise.

Review of Action Items
Out of time.

Next CVE Board Meetings
* Wednesday, June 7, 2023, 9:00am - 11:00am (EDT)
* Wednesday, June 21, 2023, 2:00pm - 4:00pm (EDT)
* Wednesday, July 19, 2023, 2:00pm - 4:00pm (EDT)
* Wednesday, August 2, 2023, 9:00am - 11:00am (EDT)
* Wednesday, August 16, 2023, 2:00pm - 4:00pm (EDT)

Discussion Topics for Future Meetings
* Review draft charter for the new working group (for Summit planning, Annual Report, and the upcoming CVE 25th anniversary)
* Sneak peek/review of the annual report template the SPWG is working on (June timeframe)
* Bulk download response from the community about Reserved IDs
* Finalize 2023 CVE Program priorities
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting, next is June 21)
* Council of Roots meeting highlights (next is June 21)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy