CVE Board Meeting Notes
January 10, 2024 (9:00 am – 11:00 am EST)

Agenda
· Introduction
· Topics
  * Board Charter and CNA Board Liaison Nomination
  * CVE Program Direction with AI/ML
  * Spring 2024 VulnCon
· Open Discussion
· Review of Action Items
· Closing Remarks

New Action Items from Today’s Meeting
* Identify some CVEs that are useful AI examples, and share at the next meeting or on the list.
* Prepare an abstract for a CWE Program presentation for the 2024 VulnCon.
* Prepare an abstract for a Federation/Centralization topic for the 2024 VulnCon. Distribute to the Board list for review.

Board Charter and CNA Board Liaison Nomination
* The program went through the CNA Board Liaison nomination period, as required by the charter. The nomination period has been extended to January 24. A new nominee has been identified to replace the current Liaison, who has withdrawn from the position. The program will send reminders to the CNA community during the extension period.
* The former CNA Liaison was nominated to a permanent Board position, and there was a desire to essentially have him go through the regular vetting process to become one. Any deviation from the process requires Board approval. Does the Board think the regular process is needed, or can we go straight to a vote?
* A quorum agreed to conduct a vote on the list, and not require the regular process. The Secretariat will send out the email later today.

CVE Program Direction with AI/ML
* Question to the Board: How is the CVE Program going to deal with AI/ML? We need to start discussing this, and come up with a documented position to share with the community.
* Comments:
  * Make this the next big rock for the SPWG, after the Rules update has been published. Bring back ideas, recommendations, etc., for the Board to consider.
  * The Rules update has removed what was referred to as the cloud rule. Rules are now technology-agnostic.
  * Maybe we could write a paper and present it at the Spring VulnCon. The paper could be about the rules being technology-agnostic, and provide examples of applicability to cloud technology, AI, and IoT. Probably not enough time to prepare a program AI position paper for the conference. Could also be a panel discussion. Only need one hour. Open source may also be added, to be discussed off-line.
  * The program will identify some CVEs that are useful AI examples, and share them at the next meeting or on the list (action item). These can be useful to share at VulnCon.
  * This is as much an outreach effort as internal foundational understanding.
  * Call for abstracts ends January 31 for VulnCon.
  * Need to have sessions at VulnCon that are CVE-related. We have a base of 48 sessions, and can go as high as 72. Can handle about 400 in-person attendees at the conference.
  * There may be time at the conference to address root cause mapping, using a panel format. This is about mapping CVEs to their root cause weakness. CISA views CWE as a key tool in their critical infrastructure protection work. The CWE quality problem is almost a national security issue. It impacts understanding of vulnerabilities that are a national risk.
  * A new root cause working group has been created to determine the business case for effective, accurate, decentralized root cause mapping. A federated approach to root cause mapping is required. Centralization won’t scale. Membership is now open, so Board members with interest may participate in meetings and activities. More info will be sent to the list after the meeting.
  * CWE is not currently a topic for the conference. An abstract will be prepared and sent (action item).

Spring 2024 VulnCon
* Should we have some out-of-cycle meetings?
* Let’s contribute our ideas/topics to a spreadsheet, from a program perspective and from the broader vulnerability ecosystem perspective.
* Also want to make sure we have a logical flow/order of topics.
* Should we consider federation as a topic? It could be from a broader ecosystem perspective than just the CVE and CWE Programs. Federation probably has applicability in other areas. Could be a panel discussion that includes both the pro-federation and the pro-centralization points of view. Some Board members expressed interest in being on the panel.
* An abstract will be prepared for the federation/centralization topic and sent to the Board list for review (action item).

Open Discussion
* Working Groups
  * A Board member asked if there is a pecking order for the working groups. There is no pecking order, but there are times that working groups collaborate and work together. In these cases, one WG may have assignments to submit to another by a certain date. This does not imply any kind of formal reporting relationship.
  * Requests for support from another WG should be given high priority.
  * Should we have something more formal to document the agreement between the WGs? This could be valuable, but don’t make it a heavy-handed administrative burden.
  * A WG may add voting procedures in its charter for arriving at group consensus. What about situations where there is an 80-person member list, but only 4 or 5 people attend a meeting where a decision is needed? One example response: the CNACWG Charter states that voting can only be done by members in attendance at the meeting when the vote is held. They have not used the mailing list voting option.
* CVE Program 25th Anniversary
  * May 2024 will mark the program’s 25th anniversary, and we should plan something. This could be motivational, and an opportunity to get some positive media exposure.
  * The event does not have to happen in May, but we do need to start thinking about when and where, and what we want to do.
  * There may be travel constraints for members, particularly in light of the travel associated with VulnCon in March.
  * Include both serious and funny awards.
  * Consider coordinating the timing around another event, e.g., Black Hat.
  * This will be a continuing topic of discussion, but start thinking about it now.
* Annual Report
  * Preparing an outline for the annual report that will then be fleshed out.
  * For now, the focus is to finish the outline and the content development, and circulate that for review. Wait until happy with the content, then work on making the report look flashy and pretty.
  * Will discuss at the TWG meeting tomorrow whether we can have the report ready by March for VulnCon. Need some advance warning if we want to add it to the agenda or include it as part of another session.

Review of Action Items
Out of time.

Next CVE Board Meetings
· Wednesday, January 24, 2024, 2:00pm – 4:00pm (EST)
· Wednesday, February 7, 2024, 9:00am – 11:00am (EST)
· Wednesday, February 21, 2024, 2:00pm – 4:00pm (EST)
· Wednesday, March 6, 2024, 9:00am – 11:00am (EST)
· Wednesday, March 20, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, April 3, 2024, 9:00am – 11:00am (EDT)

Discussion Topics for Future Meetings
· Sneak peek/review of annual report template SPWG is working on
· Bulk download response from community about Reserved IDs
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting)
· Council of Roots update (every other meeting)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default configurations
· CVE Communications Strategy