CVE Board Meeting Notes August 30, 2023 (9:00 am – 11:00 am EDT) Agenda
· 9:00-9:05 Introduction · 9:05-10:25 Topics * Working Group Updates * CVE (malicious) Link Rot Problem * AI/ML Vulnerabilities · 10:25-10:35 Open Discussion · 10:35-10:55 Review of Action Items · 10:55-11:00 Closing Remarks New Action Items from Today’s Meeting New Action Item Responsible Party Schedule a meeting to discuss the non-responsive domain reference problem in CVE Records. Include CNACWG, QWG, and AWG. Secretariat Reach out to Google to ask if they would present on their research into AI-driven fuzzing to automate CVE assignments. Secretariat Working Group Updates * Automation Working Group (AWG) * Provided technical guideline contributions to the Secretariat for the CVE Services guidance documentation. * Engaged with the QWG on how to effectively support use of JSON 5 by downstream users. * An ADP demonstration environment has been set up since June. CISA is using it and they have reported some initial results. The ADP references pilot is scheduled for delivery in late September. * Outreach and Communications Working Group (OCWG) * Published a Q2 CVE Program Summary blog and working on an “Our CVE story” blog with F5 (target publish date of mid to late September). * In process with three podcasts: CVE JSON 5 records format; refresher of the popular Working Groups podcast (in the process of reaching out the chairs to schedule); another Roots podcast to reflect new Roots and their experiences. * Have completed the scripted slides for the updated CVE introductory video on YouTube, and have revitalized the format. Working to streamline video updates going forward. Will be presented to the TWG on August 31, followed by review by the Board using the private email list. * CNA Community Working Group (CNACWG) * Have been working on the link rot effort (see next topic). * Reached out to the current mentors and proteges to remind them that they are in the CNA mentor program and suggest screen sharing (i.e., Mentors shoulder-surfing to guide mentees through their initial CVE Record processing). * Quality Working Group (QWG) * Have cutover what is called a release candidate for schema micro release 5.01, and it is being tested. Going through some issues found. The 5.0.1 release should not affect anyone's processes or any existing CVE Records. * Working on a best practices guide for use of the schema for encoding things in a CVE Record. * Question: Does the QWG have anything in backlog right now that would be appropriate for a major release? Answer: Yes, we have a bunch of things for a major release, e.g., changing the schema to stop allowing blank spaces before and after text field entries. A change like that takes planning and coordinating with the CNA community to implement. * The Secretariat has prepared a related document draft CVE Services Guide that is being reviewed by the TWG. * Strategic Planning Working Group (SPWG) * Initial draft of the updated CNA Rules document is expected late September for an internal program review. The CNAs will then be asked to review. The program will adjudicate CNA comments and provide a version for Board review. * After this update, will have a process to update the Rules more consistently, without having to do a major re-do. * Tactical Working Group (TWG) * Launched a CVE Program ‘Ideas and Suggestion’ board August 29 on GitHub<https://github.com/CVEProject/Ideas>; coordinated with AWG and OCWG. * Also working on an article in Dark Reading<https://www.darkreading.com/> that describes the changes the CVE Program has made over the years and inviting the community of users to take advantage of the changes. Hope to have out in next couple of weeks. * Vulnerability Conference Working Group (VCWG) * The draft conference announcement is almost done. When final, the call for papers will be prepared and distributed. * Next step for the charter is working group approval. CVE (malicious) Link Rot Problem * Presentation shared titled “CVE Reference Investigations.” * CVE Record references have requirements, i.e., have to be good and accessible. This is not the case for many references. * Recommendations to address this problem: * QWG: Take up this issue, as dead domains directly impact CVE data quality. Should have some way to check that references are good when a CVE Record is submitted. * AWG: Implement an on-the-spot archival procedure for references when CVEs are first submitted. * CNACWG: Encourage CNAs to archive their references. * Secretariat: Investigate the feasibility and impacts of hot swapping link destinations to archived sources. * Secretariat will schedule a meeting to get into more detail about this problem. Include CNACWG, QWG and AWG chair or representative (action item). AI/ML Vulnerabilities * Guest speakers from NVIDIA and Microsoft shared their thoughts on AI/ML vulnerabilities * Layers of an AI/ML-enabled application are application integration, framework, and ML model. Most ML attacks can be stopped at the application integration layer. * In the ML model layer, vulnerability “poisoning” can occur during data collection/processing, training, or inference. * Bad assumptions lead to flawed design, which can lead to vulnerabilities. * Discussion: There may be lack of awareness in the CNA community that they can request a CVE ID for an AI/ML vulnerability today. The CNA Rules update will include clarification (e.g., demonstrative ML examples); additionally, other communications should be used to make it known more publicly. * Some CVEs have been issued in this space, e.g., CVE ID 2019-20634, which is related to cloning machine learning model. * Guests were amenable to further collaboration. Open Discussion * Google’s new automated AI-driven fuzzing project * Google has plans to automate CVE assignments using AI fuzzing. * The Secretariat will reach out to Google to ask if they would present to the Board on their research into AI-driven fuzzing to automate CVE assignments. Review of Action Items None. Next CVE Board Meetings · Wednesday, September 13, 2:00pm – 4:00pm (EDT) · Wednesday, September 27, 2023, 9:00am – 11:00am (EDT) · Wednesday, October 11, 2023, 2:00pm – 4:00pm (EDT) · Wednesday, October 25, 2023, 9:00am – 11:00am (EDT) · Wednesday, November 8, 2023, 2:00pm – 4:00pm (EST) · Wednesday, November 22, 2023, 9:00am – 11:00am (EST) Discussion Topics for Future Meetings · Sneak peak/review of annual report template SPWG is working on · Bulk download response from community about Reserved IDs · Finalize 2023 CVE Program priorities · CVE Services updates and website transition progress (as needed) · Working Group updates (every other meeting) · Council of Roots update (every other meeting) · Researcher Working Group proposal for Board review · Vision Paper and Annual Report · Secretariat review of all CNA scope statements · Proposed vote to allow CNAs to assign for insecure default configurations · CVE Communications Strategy