CVE Board Meeting Notes
November 8, 2023 (2:00 pm - 4:00 pm EST)

Agenda
* 2:00-2:05 Introduction
* 2:05-3:25 Topics
  o !CVE (read: not CVE)
  o Virtual Workshop Status
  o CVE Services Step-by-Step Document
  o Link Rot and Next Steps
* 3:25-3:35 Open Discussion
* 3:35-3:55 Review of Action Items
* 3:55-4:00 Closing Remarks

New Action Items from Today's Meeting

New Action Item                                            Responsible Party
Have MITRE's legal department review the !CVE situation.   Secretariat

!CVE (read: not CVE)
* A CVE Board member noticed on the oss-security list today a message from a group called !CVE. The sender was cont...@notcve.org. They appear to be international (Spain).
* They seem to be trying to cover vulnerabilities that CNAs have deemed out of scope or will not cover because they do not meet the CNAs' disclosure requirements. They also cover security issues that have not been assigned a CVE ID after 90 days.
* There is concern about possible trademark and copyright infringement.
* There is concern that the !CVE name and its similar ID labeling convention will introduce confusion in the CVE user community.
* Next steps (action item): the program will start the process internally to have MITRE legal review the situation.

Virtual Workshop Status
* The virtual workshop is coming up next week on November 15.
* The CNA Rules update presentation will cover the more significant revisions (not a deep dive) and include next steps for finalization. It may include discussion of how to make the update process more agile/continuous going forward. This agenda item will be moved to the afternoon, and the CNA Panel Discussion and CVE Services items will move to the morning.
* CVE Services slides will be ready for review at the TWG meeting tomorrow (an outline was presented last week). Topics will include an overview and legacy format deprecation.
* JSON 5 Guidance is in progress. Topics will include a summary, guidance and gotchas, and new things coming with 5.1 and beyond.
* The CNA Panel Discussion will be about CNAs' JSON 5.0 experiences. Additional volunteers for the panel would be helpful.

CVE Services Step-by-Step Document
* A document with step-by-step (less technical) instructions for CVE Services, intended for newer CNAs with less experience, is being drafted. It is in progress and will include topics such as getting credentials, managing users, changing a role, record management, and using the clients.

Link Rot and Next Steps
* A document is being drafted with specific topics and questions to help guide next steps with regard to link rot.

Open Discussion
* Spring 2024 Vulnerability Conference: The Vulnerability Conference and Events Working Group (VCEWG) is working with the First.org CFO on planning/budget. Logistically, the "save the date" and "call for papers" announcements still need to be distributed.
* Rules Update Process: The SPWG is getting close to releasing the update for review. Proposed next steps: (1) an initial four-week comment period by CVE Program members with a two-week revision period, (2) distribution of the update with a two-week comment period and another two-week revision period, (3) Board vote. Approval of the rules update will require approval of the affected glossary terms. Priority will be given to comments that include suggested edits. The SPWG will write down the proposed process for finalizing the rules update and present it to the Board.

Review of Action Items
Not covered.

Next CVE Board Meetings
* Wednesday, November 29, 2023, 9:00am - 11:00am (EST)
* Wednesday, December 13, 2:00pm - 4:00pm (EST)
* Wednesday, December 20, 2023, 9:00am - 11:00am (EST)
* Wednesday, January 3, 2024, 2:00pm - 4:00pm (EST)
* Wednesday, January 17, 2024, 9:00am - 11:00am (EST)
* Wednesday, January 31, 2024, 2:00pm - 4:00pm (EST)

Discussion Topics for Future Meetings
* Sneak peek/review of the annual report template the SPWG is working on
* Bulk download response from the community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy