CVE Board Meeting Notes
January 24, 2024 (2:00 pm – 4:00 pm EST)
Agenda
Introduction
Topics
o CVE Leadership Meeting during VulnCon
o Review of Comments for CVE Glossary Update
o Status of Nominations for CNA Liaison
o Board Discussions and Voting Process
Open Discussion
Review of Action Items
Closing Remarks
New Action Items from Today’s Meeting
Action Item #
New Action Item
Responsible Party
Due
Schedule a meeting with NIST about status of industry consortium for NVD
collaboration.
Secretariat
CVE Leadership Meeting during VulnCon
* Working to reserve space for Thursday and Friday (March 28 and 29),
following the Spring 2024 VulnCon, for an in-person CVE leadership meeting.
* A room that can accommodate about 25 people is needed. This will allow
room for Board members and others from program leadership.
* Agenda topics for the meeting are TBD, but may include, e.g.,
questions/concerns/ideas from VulnCon, next big steps for the program, etc.
Review of Comments for CVE Glossary Update
* As part of the Rules revision, the program Glossary also needed an
update. The SPWG produced a draft for Board review with terms and definitions
consolidated from different CVE documents. If approved, the Glossary will be
posted to the cve.org website. The Rules Glossary will be consistent with that
primary source.
* Many definitions have been modified, and new terms and definitions have
been added.
* The goal here is to bring this up for a vote, once the open comments are
handled.
* The current draft of the Glossary was shared. The Board participated in a
review and finalized some terms.
* The finalized Glossary will be submitted for a vote by the Board via the
Board list.
Status of Nominations for CNA Liaison
* Not covered, moved to next meeting.
Board Discussions and Voting Process
* Not covered, moved to next meeting.
Open Discussion
* Spring 2024 VulnCon Status
* The Vulnerability Conference and Events Working Group (VCEWG) is
tracking agenda topics and the call for papers. There are currently 54
submissions for the call for papers, and the review process begins next week.
* A panel discussion about vulnerability root cause mapping will be
included on the agenda.
* About 75 registered attendees so far. We are planning for a maximum of
about 400 attendees, but can go up to 570 if needed with an extra room.
* On the last day, there will be a wrap up and lessons learned session,
like a lightning round.
* A couple sessions planned intended to drive the conversation about
problems you need solved by the rest of the community.
* Logistics planning is underway, e.g., rooms, meals, beverages, evening
events, recording capability.
* Planning to finalize the agenda in mid-February.
* The EU cybersecurity agency, ENISA, is now a CNA. As a CVE Partner, ENISA
is integrating with CVE Program efforts around vulnerabilities.
* Board Notification of New CNAs Coming Onboard
* Is there a way for the Board to know what new CNAs are in the pipeline
and close to onboarding, other than attending the Council of Roots meetings? It
would be nice to have a chance to review the CNA prospect from the perspective
of the type of organization, their business model, or any concerns the program
may have about their participation.
* Comments:
* Agree that we should have some access to the pipeline snapshot at a
Board call or via an email that goes to the Board list.
* The Secretariat can provide access to Board members so they can
view the onboarding pipeline, or can prepare a report extract of pipeline
status and share that on a recurring basis.
* Also consider documented guardrails and standards the Board expects
Roots to abide by, to minimize instances where a CNA prospect is not
appropriate for the program.
* Make the notifications more event driven, based on defined gates or
milestones in the recruiting process. One challenge is that Roots may have
their own internal processes for on boarding new CNAs, which could trigger a
lot of events.
* Another idea is to periodically share at a Board meeting the queue
of CNA prospects that are close to completion of onboarding.
* Whatever approach is taken, the Board needs to know well in advance
of a formal and final onboarding date. We don’t want to reject someone late in
the process.
* Understanding who’s in the pipeline can also help the program
target recruitment in industries, or for organization types, that are not well
represented on the program.
* Next steps: The Secretariat will share the pipeline at the next Board
meeting. This will show the status of all of those onboarding. First agenda
item at next meeting.
* Annual Report and 4th Quarter Report
* The Annual Report is being written now, and hopefully done in the next
couple weeks for Board review.
* The 4th Quarter Report is going through review now and should be out
in the next couple weeks.
* Rules Update Review Schedule
* The proposed schedule was presented for Board review and discussion.
The SPWG will do one more review. When that is done, the review process will
start.
* The review process schedule was revised to add a two-week public
review period.
* All comments will be read, but the program will not necessarily
respond to, or adjudicate, each one. Prioritization of comments will depend on
impact and importance.
* The Board agreed to the following schedule:
* Four-week review period by the program, particularly CNAs. Board
members are encouraged to take advantage of this first review period and not
wait until the end of the process.
* Two-week SPWG comment adjudication period, updated version released.
* Two-week review period by the general public. The method for
commenting and receiving public input is TBD, but could include using GitHub,
Google Docs, or Word or PDF.
* One week SPWG comment adjudication period, updated version released.
* Two-week review period and approval by the Board.
* This schedule wraps up in late April, which is too late for the Spring
VulnCon. Highlights and key changes in the Rules may still be presented at
VulnCon.
* NIST and Industry Collaboration on NVD
* It was reported that NIST is standing up a consortium for
collaborating with industry relating to the NVD and has offered to talk to the
CVE Board.
* The Secretariat will coordinate the meeting (action item). All Board
members will be invited.
Review of Action Items
* Out of time.
Next CVE Board Meetings
Wednesday, February 7, 2024, 9:00am – 11:00am (EST)
Wednesday, February 21, 2024, 2:00pm – 4:00pm (EST)
Wednesday, March 6, 2024, 9:00am – 11:00am (EST)
Wednesday, March 20, 2024, 2:00pm – 4:00pm (EDT)
Wednesday, April 3, 2024, 9:00am – 11:00am (EDT)
Wednesday, April 17, 2024, 2:00pm – 4:00pm (EDT)
Discussion Topics for Future Meetings
Share Pipeline status from Monday.com
Nomination to the Board
Status of Nominations for CNA Liaison
Board Discussions and Voting Process
Sneak peek/review of annual report template SPWG is working on
Bulk download response from community about Reserved IDs
CVE Services updates and website transition progress (as needed)
Working Group updates (every other meeting)
Council of Roots update (every other meeting)
Researcher Working Group proposal for Board review
Vision Paper and Annual Report
Secretariat review of all CNA scope statements
Proposed vote to allow CNAs to assign for insecure default configurations
CVE Communications Strategy
