CVE Board Meeting Notes
May 1, 2024 (9:00 am - 11:00 am EDT)

Agenda
* Introduction
* Topics
  * Update on outreach to CNAs on enriched data
  * Messaging on new rules
  * Update on CNA candidates
  * External influence on CVE Operations
* Open Discussion
* Review of Action Items
* Closing Remarks

New Action Items from Today's Meeting

| New Action Item | Responsible Party |
| --- | --- |
| Planning for Lunch and Learns for CNAs. Suggested topics: enriched data and best practices; new rules and impact | COOP, Secretariat |
| Next steps to publish a strategy for a How-To on CPE | TWG Co-Chairs |
| Draft New Rules announcement for 90-day grace period/expectations | TWG, SPWG |
| Data Quality Award planning and development as incentive | TWG Co-Chairs |
| Write up a transition brief that includes what an ADP for enriched data would be | SPWG Chair |
| Schedule discussion with HeroDevs and board members to discuss scope and CNA candidacy | Board members/Secretariat |

Update on outreach to CNAs on enriched data

* After initial outreach to Top 10 (code-owning) CNAs, there was an additional request to generate a list of enriched data submitted by all the CNAs. Raw data was presented from the last 12 months where CNAs have created CVEs and whether or not/how many CVSS, CWE, CPE data fields they have added. These are the additional non-required data fields of interest that the NVD was providing.
* When there is a discrepancy in this data, one or more of these records could have been rejected; this would cause the number to fluctuate compared to a number you would see on a website elsewhere.
* Board member comments:
  * This data could be used to show the integrity of these records and the ability to highlight top contributors and percentage of data fulfilment. We can teach the CNAs what we are looking for with this data.
  * Best practices for how to use this data should be published.
  * Lunch and learns on how CNAs can utilize this data should be scheduled. The people who are best positioned to host are the ones doing the work every day and those who understand the way workflows are automated.
    Newer CNAs and broader groups would appreciate this conversation and it would best be coming from industry.
  * This idea falls under the scope of the CNA Organization of Peers (COOP) and can be hosted within the COOP on Wednesday; the COOP can host a seminar to keep up with these educational presentations.
  * Suggest reaching out to CNAs and going to other meetings to have these discussions. Secretariat is happy to reach out for these discussions in new spaces.
  * The program needs to publish a strategy on how people can do CPE because it is not easy. TWG co-chairs will sync on this activity.
* Data quality award planning - comments from the Board:
  * Program needs to produce a logo that can be added to websites to serve as a "data quality award" - would need to publish requirements to attain award
  * Should put this on the metrics so we can see trends

Messaging on new rules

* The vote on new rules passed - voting technically stays open until May 9.
* An announcement needs to be drafted with messaging about what the CVE Program has done over the last few years. Describe the impact of the rule changes, what CNAs need to prepare for after the grace period. Emphasis that there is no wiggle room on the 90-day period.
* This message needs to be voiced and repeated enough times before the end date.

Update on CNA candidate

* A new CNA prospect has an interesting scope and also brings up the general question of monetizing CNA status as a business plan.
* What are the benefits to the rest of the world and downstream users?
* Some Board members requested a follow up meeting with the candidate for discussion.

Open Discussion

* Board member inquired about ADP status
  * AWG Chair gave a brief update on ADP implementation: The next version of CVE Services includes the final pieces of the infrastructure for ADP submission (deployment scheduled for May 8)
  * Discussion will continue during TWG
  * The CVE Program needs an integrated Vision going forward (regarding ADPs); SPWG Chair will write up a transition brief

Review of Action Items

Out of time.

Next CVE Board Meetings

* Wednesday, May 15, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, May 29, 2024, 9:00am - 11:00am (EDT)
* Wednesday, June 12, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, June 26, 2024, 9:00am - 11:00am (EDT)
* Wednesday, July 10, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, July 24, 2024, 9:00am - 11:00am (EDT)

Discussion Topics for Future Meetings

* End user working group write-up discussion
* Board discussions and voting process
* ADP discussion
* Sneak peek/review of annual report template SPWG is working on
* Bulk download response from community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy