CVE Board Meeting Notes
October 25, 2023 (9:00 am - 11:00 am EDT)

Agenda

* 9:00-9:05 Introduction
* 9:05-10:25 Topics
  * Working Group Updates
  * Call for Vote: Multiple Members from the Same Organization (discussion on private CVE Board mailing list)
* 10:25-10:35 Open Discussion
* 10:35-10:55 Review of Action Items
* 10:55-11:00 Closing Remarks

New Action Items from Today's Meeting

New Action Item
N/A

Working Group Updates

* AWG
  * Continued with CVE Services backlog curation. Initiated a reprioritization of the backlog while there is a lull in ADP work, which is awaiting decisions. ADP is currently in the demonstration environment.
  * Website search capability is moving along; there will be a big push in November.
  * Started the discussion about user registry requirements and the review of papers that have been produced. Pulling together proposed user stories that will be presented to the other working groups for concurrence. AWG is not the owner of the requirements, but is working to move the process forward.
  * Coordinated with QWG and SPWG about integration of JSON 5.1 into CVE Services. Concurrence on that integration is needed, and AWG is working on estimating the effort.
* CNACWG
  * During the annual open nominations for CNACWG Chair, the only nominee was the current chair, who will serve for another year.
* OCWG
  * Published a new article<https://www.cve.org/Media/News/item/blog/2023/10/17/CVE-Records-Keep-Getting-Better> "CVE Records Keep Getting Better and Better" on the CVE blog.
  * Currently developing a presentation about how the new and improved format of CVE Records will benefit consumers.
  * Drafting a presentation on CVE for the upcoming ShmooCon.
  * Coordinating with the Roots on a podcast about their role, new partner recruitment, etc. Planning for the podcast is underway and recording is scheduled for early December.
  * Information about the new Vulnerability Conference and Events Working Group (VCEWG<https://www.cve.org/ProgramOrganization/WorkingGroups>) has been added to the CVE website. It includes a link to the charter<https://www.cve.org/Resources/Roles/WorkingGroups/VCEWG/VCEWG-Charter.pdf>.
* QWG
  * QWG finalized the release candidate for the CVE JSON 5.1 schema.
  * One aspect of 5.1 integration is support for CVSS 4.0.
  * The last QWG meeting included discussion about the link rot problem.
* SPWG
  * The CNA Rules revision is a significant effort with many material changes. There are a couple of sections left to complete, plus general editing, appendices, etc. After SPWG's final review, the document will be circulated in a formal review process (TBD) that will end with Board approval. Whether the process will include public review and comment is also TBD.
  * During review updates, priority will be given to comments that include suggested new language.
  * At the November 15 workshop, a revision update will be presented, including what to know and what major changes to expect.
  * Now is the time to think about defining an easier and more repeatable process for updates in the future.
* TWG
  * There has been lots of discussion, with AWG, about the technical details for implementation of ADPs. The issue will come to the Board eventually for a vote.
  * Looking for three or four volunteers willing to participate on a panel at the workshop to discuss their real-life experiences with RSUS and JSON 5.
* VCEWG
  * The Spring conference will be at the McKimmon Center in Raleigh, NC, on March 25-27, 2024. We are working through the cost, meeting room rentals, etc. The logistics group is developing the 'save the date' email and a website for the event (hosted by FIRST and using their event & conference systems and registration). The programming group is drafting the call for papers.

Call for Vote: Multiple Members from the Same Organization

* The topic was brought up at the last Board meeting, and there was subsequent discussion on the private email list.
* A vote will be held on the email list; watch for an email from the Secretariat.

Open Discussion

* JSON Schema Change
  * Continued discussion about the CVE JSON schema version and whether/how to represent and validate version information in CVE Records.
  * Comments from the CVE Board:
    * It is important to avoid breaking changes and also to avoid having to convert existing records for minor schema changes.
    * Preference should be given to whatever is easier and least costly for CNAs to implement. We do not want to put CNAs in a position where they must update a lot of records for a small schema update.
    * Regardless of what choice we make, all retrieved records should always say the same thing, so that a downstream consumer only needs one copy of the schema: the latest copy at any point in time.
    * We must ensure we communicate what the change means for CNAs. The message should include information that when you download a record from CVE Services, it will be valid according to the latest version of the schema, and users should not need to maintain multiple local versions of the schema.
    * Business requirements need to be defined and documented. Tests need to be designed and conducted to get specific information about what can break and the impact. A document will be created and posted to GitHub to capture the issue and recommendations; a link will be shared so others can review and comment.

Review of Action Items

Out of time.

Next CVE Board Meetings

* Wednesday, November 8, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, November 22, 2023, 9:00am - 11:00am (EST)
* Wednesday, December 6, 2:00pm - 4:00pm (EST)
* Wednesday, December 20, 2023, 9:00am - 11:00am (EST)
* Wednesday, January 3, 2024, 2:00pm - 4:00pm (EST)
* Wednesday, January 17, 2024, 9:00am - 11:00am (EST)

Discussion Topics for Future Meetings

* Sneak peek/review of the annual report template SPWG is working on
* Bulk download response from the community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy