CVE Board Meeting Notes
October 11, 2023 (2:00 pm – 4:00 pm EDT)

Agenda
· 2:00-2:05 Introduction
· 2:05-3:25 Topics
  * Voting: Multiple Members from Same Organization
  * Fall Virtual Workshop Agenda
  * Board Meeting Survey Results
· 3:25-3:35 Open Discussion
· 3:35-3:55 Review of Action Items
· 3:55-4:00 Closing Remarks

New Action Items from October 11 Meeting

New Action Item | Responsible Party
Send email to the Board list to vote on whether to keep the rule “one organization, one vote” for Board members. Allow one to two weeks for discussion before the voting period begins. | Secretariat
Send email to the Board list to summarize the ADP container issue so that members can weigh in on the topic prior to the initiation of a vote. | Secretariat

Voting: Multiple Members from Same Organization
* Recently, a couple of Board members brought up that the rule of “one organization, one vote” may not be needed. This rule was put into place to minimize undue influence from a particular organization(s) with multiple members.
* Current rules allow for an exception on a case-by-case basis (only used once). What do Board members think about the rule and whether it should be changed? A sample of comments is below:
  * An employment change may effectively eliminate a member’s vote.
  * There have been very few close votes, so there are not many instances where this rule has even come into play. Keep rule as is or eliminate.
  * Maybe reverse the rule so every member gets a vote, but an exception can be made in cases where there is the possibility of undue influence.
  * I like the rule as written. Continue to allow exceptions as needed.
  * Serves as a healthy constraint against too much influence.
  * Consider a cut off, say 3 or 4 members from the same organization, after which no more votes.
  * If it is not broken, do not fix it.
* Discussion and an informal vote indicated an approximate 50/50 split between keeping as is and eliminating/modifying the rule.
  The Secretariat will send an email summarizing the issue to the Board list to initiate an online discussion before an official vote (action item). One to two weeks will be allowed for discussion before the voting period begins.
* It was noted that the CNACWG Chair is always a voting member, regardless of organization affiliation.

Fall Virtual Workshop Agenda
* The draft agenda for the November 15 virtual-only workshop was presented. Let the Secretariat know if you have comments or additions.
* CVE Services will be a topic (e.g., download capability, deprecation date), but a deep dive with demos will be scheduled for a later date.
* The workshop will include a panel discussion with CNAs sharing their JSON 5 experiences. One CNA has tentatively agreed to participate, and others will be recruited.
* Participants will be asked what changes they want in future CVE Record schema updates.
* Corpus hygiene will be a topic and include, for example, the importance of cleaning up RBPs, and not accidentally deleting references. Will also include link rot discussion.

Board Meeting Survey Results
* Most respondents think the meetings are useful. There was discussion about ways to encourage more involvement in Board discussions. Comments included:
  * Strike a balance; sometimes there are too many voices.
  * Moderator can cut off anyone monopolizing the discussion.
  * Use the “raise your hand” feature more often to give members less inclined to speak a way to share their opinion.
  * Consider calling on members who haven’t provided input in a while.
* A large majority (88%) of respondents think the two-hour meeting duration is the right amount.
* A large majority (94%) of respondents think the meeting tempo (every two weeks) is good.
* A slight majority disagree with the statement “I like having staggered meeting times.” Last survey, the results were reversed; a slight majority agreed with the statement. Hard to find a good answer that will please everyone.
* Under the open-ended question “how can we improve the board meetings” a suggestion was made to reach out to other cybersecurity organizations for collaboration and guest participation at the meetings. An offline meeting will be scheduled by the Secretariat to further discuss next steps to make this suggestion actionable. A comment was made to also consider inviting CNAs to meetings.

Open Discussion
There is not yet a consensus around how to implement ADPs in production. The Secretariat will summarize this issue and send it out in an email to the Board list for discussion (action item).

Review of Action Items
Out of time.

Next CVE Board Meetings
· Wednesday, October 25, 2023, 9:00am – 11:00am (EDT)
· Wednesday, November 8, 2023, 2:00pm – 4:00pm (EST)
· Wednesday, November 22, 2023, 9:00am – 11:00am (EST)
· Wednesday, December 6, 2:00pm – 4:00pm (EST)
· Wednesday, December 20, 2023, 9:00am – 11:00am (EST)
· Wednesday, January 3, 2024, 2:00pm – 4:00pm (EST)

Discussion Topics for Future Meetings
· Sneak peek/review of annual report template SPWG is working on
· Bulk download response from community about Reserved IDs
· Finalize 2023 CVE Program priorities
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting)
· Council of Roots update (every other meeting)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default configurations
· CVE Communications Strategy