CVE Board Meeting Notes
January 10, 2024 (9:00 am – 11:00 am EST)
Agenda

·   Introduction
·   Topics
     *   Board Charter and CNA Board Liaison Nomination
     *   CVE Program Direction with AI/ML
     *   Spring 2024 VulnCon
·   Open Discussion
·   Review of Action Items
·   Closing Remarks
New Action Items from Today’s Meeting

  *   Identify some CVEs that are useful AI examples, and share them at the next meeting or on the list.
  *   Prepare an abstract for a CWE Program presentation for the 2024 VulnCon.
  *   Prepare an abstract for a Federation/Centralization topic for the 2024 VulnCon, and distribute it to the Board list for review.
Board Charter and CNA Board Liaison Nomination

  *   The program went through the CNA Board Liaison nomination period, as 
required by the charter. The nomination period has been extended to January 24. 
A new nominee has been identified to replace the current Liaison who has 
withdrawn from the position. The program will send reminders to the CNA 
community during the extension period.
  *   The former CNA Liaison has been nominated for a permanent Board position, and 
there was a desire to have him go through the regular vetting process to become a 
member. Any deviation from that process requires Board approval. Does the Board 
think the regular process is needed here, or can we go straight to a vote?

     *   A quorum agreed to conduct a vote on the list, and not require the 
regular process. The Secretariat will send out the email later today.
CVE Program Direction with AI/ML

  *   Question to the Board: How is the CVE Program going to deal with AI/ML? 
We need to start discussing this, and come up with a documented position to 
share with the community. Comments:

     *   Make this the next big rock for the SPWG, after the Rules update has 
been published. Bring back ideas, recommendations, etc., for the Board to 
consider.
     *   The Rules update has removed what was referred to as the cloud rule. 
Rules are now technology-agnostic.
     *   Maybe we could write a paper and present it at the Spring VulnCon. The 
paper could be about the rules being technology-agnostic, and provide examples 
of their applicability to cloud technology, AI, and IoT. There is probably not 
enough time to prepare a program AI position paper for the conference. It could 
also be a panel discussion; only one hour is needed. Open source may also be 
added as a topic, to be discussed off-line.
     *   The program will identify some CVEs that are useful AI examples, and 
share them at the next meeting or on the list (action item). These can be 
useful to share at VulnCon.
     *   This is as much an outreach effort as it is about building internal 
foundational understanding.
     *   Call for abstracts ends January 31 for VulnCon.
     *   VulnCon needs sessions that are CVE-related. The conference has a base 
of 48 sessions and can go as high as 72, and it can handle about 400 in-person 
attendees.
     *   There may be time at the conference to address root cause mapping in a 
panel format. Root cause mapping means mapping CVEs to their root cause weakness 
(CWE). CISA views CWE as a key tool in its critical infrastructure protection 
work. The CWE quality problem is almost a national security issue, since it 
impacts the understanding of vulnerabilities that pose a national risk.
     *   A new root cause working group has been created to determine the 
business case for effective, accurate, decentralized root cause mapping. A 
federated approach to root cause mapping is required. Centralization won’t 
scale. Membership is now open, so Board members with interest may participate 
in meetings and activities. More info will be sent to the list after the 
meeting.
     *   CWE is not currently a topic for the conference. An abstract will be 
prepared and sent (action item).
Spring 2024 VulnCon

  *   Should we have some out-of-cycle meetings?

     *   Let’s contribute our ideas/topics to a spreadsheet, both from a program 
perspective and from the broader vulnerability ecosystem perspective.
     *   We also want to make sure we have a logical flow/order of topics.
     *   Should we consider federation as a topic? It could be from a broader 
ecosystem perspective than just the CVE and CWE Programs. Federation probably 
has applicability in other areas. Could be a panel discussion that includes 
both the pro-federation and the pro-centralization points of view. Some Board 
members expressed interest in being on the panel.
     *   An abstract will be prepared for the federation/centralization topic 
and sent to the Board list for review (action item).
Open Discussion

  *   Working Groups

     *   A Board member asked if there is a pecking order for the working 
groups. There is no pecking order, but there are times that working groups 
collaborate and work together. In these cases, one WG may have assignments to 
submit to another by a certain date. This does not imply any kind of formal 
reporting relationship.
     *   Requests for support from another WG should be given high priority.
     *   Should we have something more formal to document the agreement between 
the WGs? This could be valuable, but don’t make it a heavy-handed 
administrative burden.
     *   A WG may add voting procedures to its charter for arriving at group 
consensus. What about situations where there is an 80-person member list, but 
only 4 or 5 people attend the meeting where a decision is needed? One example 
response: the CNACWG Charter states that voting can only be done by members in 
attendance at the meeting when the vote is held. They have not used the mailing 
list voting option.

  *   CVE Program 25th Anniversary

     *   May 2024 will mark the program’s 25th anniversary, and we should plan 
something. This could be motivational, and an opportunity to get some positive 
media exposure.
     *   The event does not have to happen in May, but we do need to start 
thinking about when and where, and what we want to do.
     *   There may be travel constraints for members, particularly in light of 
the travel associated with VulnCon in March.
     *   Include both serious and funny awards.
     *   Consider coordinating the timing around another event, e.g., Black Hat.
     *   This will be a continuing topic of discussion, but start thinking 
about it now.

  *   Annual Report

     *   An outline for the annual report is being prepared and will then be 
fleshed out.
     *   For now, the focus is to finish the outline and the content 
development, and circulate that for review. Once we are happy with the content, 
work can begin on making the report look flashy and pretty.
     *   Whether the report can be ready by March for VulnCon will be discussed 
at the TWG meeting tomorrow. Some advance warning is needed if we want to add it 
to the agenda or include it as part of another session.
Review of Action Items
Out of time.

Next CVE Board Meetings

·   Wednesday, January 24, 2024, 2:00pm – 4:00pm (EST)
·   Wednesday, February 7, 2024, 9:00am – 11:00am (EST)
·   Wednesday, February 21, 2024, 2:00pm – 4:00pm (EST)
·   Wednesday, March 6, 2024, 9:00am – 11:00am (EST)
·   Wednesday, March 20, 2024, 2:00pm – 4:00pm (EDT)
·   Wednesday, April 3, 2024, 9:00am – 11:00am (EDT)
Discussion Topics for Future Meetings

·   Sneak peek/review of annual report template SPWG is working on
·   Bulk download response from community about Reserved IDs
·   CVE Services updates and website transition progress (as needed)
·   Working Group updates (every other meeting)
·   Council of Roots update (every other meeting)
·   Researcher Working Group proposal for Board review
·   Vision Paper and Annual Report
·   Secretariat review of all CNA scope statements
·   Proposed vote to allow CNAs to assign for insecure default configurations
·   CVE Communications Strategy