CVE Board Meeting Notes

May 1, 2024 (9:00 am - 11:00 am EDT)

Agenda

*       Introduction

*       Topics

     *   Update on outreach to CNAs on enriched data
     *   Messaging on new rules
     *   Update on CNA candidates
     *   External influence on CVE Operations

*       Open Discussion

*       Review of Action Items

*       Closing Remarks

New Action Items from Today's Meeting

  *   Planning for Lunch and Learns for CNAs (Responsible Party: COOP, 
Secretariat). Suggested topics:
     *   Enriched data and best practices
     *   New rules and impact
  *   Next steps to publish a strategy for a How-To on CPE (Responsible Party: 
TWG Co-Chairs)
  *   Draft New Rules announcement for 90-day grace period/expectations 
(Responsible Party: TWG, SPWG)
  *   Data Quality Award planning and development as incentive (Responsible 
Party: TWG Co-Chairs)
  *   Write up a transition brief that includes what an ADP for enriched data 
would be (Responsible Party: SPWG Chair)
  *   Schedule discussion with HeroDevs and board members to discuss scope and 
CNA candidacy (Responsible Party: Board members/Secretariat)

Update on outreach to CNAs on enriched data

  *   After initial outreach to Top 10 (code-owning) CNAs, there was an 
additional request to generate a list of enriched data submitted by all the 
CNAs. Raw data from the last 12 months was presented, showing which CNAs have 
created CVEs and whether (and how many) CVSS, CWE, and CPE data fields they 
have added. These are the additional non-required data fields of interest that 
the NVD was providing.
  *   Where this data shows a discrepancy, one or more of the records may have 
been rejected, which would cause the number to differ from a number you would 
see on a website elsewhere.
  *   Board member comments:
     *   This data could be used to show the integrity of these records and the 
ability to highlight top contributors and percentage of data fulfilment. We can 
teach the CNAs what we are looking for with this data.
     *   Best practices for how to use this data should be published.
     *   Lunch and learns on how CNAs can utilize this data should be 
scheduled. The people who are best positioned to host are the ones doing the 
work every day and those who understand the way workflows are automated. Newer 
CNAs and broader groups would appreciate this conversation and it would best be 
coming from industry.
        *   This idea falls under the scope of the CNA Organization of Peers 
(COOP) and can be hosted within the COOP on Wednesday; the COOP can host a 
seminar to keep up with these educational presentations.
     *   Suggest reaching out to CNAs and going to other meetings to have these 
discussions. Secretariat is happy to reach out for these discussions in new 
spaces.
     *   The program needs to publish a strategy on how people can do CPE 
because it is not easy. TWG co-chairs will sync on this activity.
  *   Data quality award planning (comments from the Board):
     *   Program needs to produce a logo that can be added to websites to serve 
as a "data quality award"; the requirements to attain the award would need to 
be published.
     *   Should put this on the metrics so we can see trends.

Messaging on new rules

  *   The vote on new rules passed - voting technically stays open until May 9.
  *   An announcement needs to be drafted with messaging about what the CVE 
Program has done over the last few years. It should describe the impact of the 
rule changes and what CNAs need to prepare for after the grace period, and 
emphasize that there is no wiggle room on the 90-day period.
  *   This message needs to be voiced and repeated enough times before the end 
date.


Update on CNA candidate

  *   A new CNA prospect has an interesting scope and also brings up the 
general question of monetizing CNA status as a business plan.
     *   What are the benefits to the rest of the world and downstream users?
     *   Some Board members requested a follow-up meeting with the candidate 
for discussion.

Open Discussion

  *   Board member inquired about ADP status

     *   AWG Chair gave a brief update on ADP implementation: The next version 
of CVE Services includes the final pieces of the infrastructure for ADP 
submission (deployment scheduled for May 8)
     *   Discussion will continue during TWG

  *   The CVE Program needs an integrated vision going forward (regarding 
ADPs); SPWG Chair will write up a transition brief.

Review of Action Items

Out of time.

Next CVE Board Meetings

*       Wednesday, May 15, 2024, 2:00pm - 4:00pm (EDT)

*       Wednesday, May 29, 2024, 9:00am - 11:00am (EDT)

*       Wednesday, June 12, 2024, 2:00pm - 4:00pm (EDT)

*       Wednesday, June 26, 2024, 9:00am - 11:00am (EDT)

*       Wednesday, July 10, 2024, 2:00pm - 4:00pm (EDT)

*       Wednesday, July 24, 2024, 9:00am - 11:00am (EDT)

Discussion Topics for Future Meetings

*       End user working group write-up discussion

*       Board discussions and voting process

*       ADP discussion

*       Sneak peek/review of annual report template SPWG is working on

*       Bulk download response from community about Reserved IDs

*       CVE Services updates and website transition progress (as needed)

*       Working Group updates (every other meeting)

*       Council of Roots update (every other meeting)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 
configurations

*       CVE Communications Strategy



