CVE Board Meeting Notes
May 15, 2024 (2:00 pm – 4:00 pm EDT)

Agenda
· Introduction
· Topics
  * WG Updates
  * SPWG recommends that changes to documents classified as rules/policy must be voted on by the Board
  * CISA Vulnrichment ADP Governance
· Open Discussion
· Review of Action Items
· Closing Remarks

New Action Items from Today's Meeting
New Action Item: Draft language for consideration and for updating the Board Charter:
  * Make explicit whether a change requires a Board snap vote or a two-week vote, depending on the program document type and the change being made.
Responsible Party: SPWG Chair

WG Updates (WG Chairs)
* COOP:
  * Started updating the Charter to remove "Working Group" and update the name (CNA Organization of Peers) throughout; these changes are all cosmetic, nothing procedural.
  * Once all changes are made, a vote will be initiated to approve the updated charter.
* AWG:
  * CVE Services 2.3.1 (JSON 5.1) was successfully deployed on May 8.
  * AWG is looking for a co-chair; there is currently one candidate under consideration.
  * The charter was last renewed in 2021, so the group is undergoing a review.
* OCWG:
  * Added all the VulnCon videos to the CVE YouTube channel as an additional outlet, in coordination with FIRST.org.
  * Promoted the addition of the videos with a blog post and email to CNAs, CVE social media, and Slack.
  * Continued promotion of the legacy download formats deprecation and made the messaging more urgent, including multiple blog posts (over 5,000 views on Medium).
  * Promoted the use of additional data fields and the data enrichment capabilities of the CVE Record format, and started promoting CNA Rules 4.0 via email to CNAs, blog, and social media.
  * A webinar on this topic is scheduled for June 5; 67 registrants so far. It will be promoted a couple of times a week.
  * Set up an advance-questions survey for the webinar but have had no submissions so far.
  * Recorded a podcast about the new CNA Rules.
  * Not going to hold an OCWG meeting more than once a month, but there is a poll on changing the meeting time to improve international attendance.
* QCWG:
  * Priority was getting the CVE Record Format (JSON 5.1.0 schema) out the door and making some structural changes to the schema for better support going forward, as opposed to trying to support multiple versions.
  * Starting to go through the issues already filed for the 5.2.0 release and some new ones recently found, prioritizing them, and deciding what to include in 5.2.0.
* SPWG:
  * Now that CVE Services has been updated to support an ADP and two pilots are in progress, SPWG will focus on clarifying the role of an ADP (and will bring that back to the Board for review).
* TWG:
  * Will begin to address the webpage and the enriched data to be added to CVE Records (e.g., CWE, CPE, CVSS).
* VCEWG:
  * All videos from VulnCon have been posted. Now looking to promote the videos.
  * For the next VulnCon, discussed a possible presentation on the life of a bug through its lifecycle, covering everything that touches CVE (CWE, CVSS, CPE), with each group talking about what happens from its perspective and what it is aiming for.

SPWG recommends that changes to documents classified as rules/policy must be voted on by the Board
* Discussion coming out of the SPWG with respect to program documents (programmatic/process and governance documents around rules) and how changes to them should be a matter of a Board vote.
* Since these documents were originally voted on and approved, any necessary policy change needs a Board vote. Changes to these documents must be transparent and approved, not just by the Secretariat, because these documents govern the management and guidance of the CVE program itself.
* A change to the Board Charter is necessary to clarify the need for votes on document changes, whether a snap vote or a two-week vote. There are levels to rules and bylaws, and changing an aspect of these documents requires going to the appropriate level of authority for each change.
* Members suggested a review of the Board Charter.

CISA Vulnrichment ADP Governance
* The CISA "Vulnrichment" ADP discussion focused on the governance process for deployment into production.
* CISA is ready to deploy its ADP and would like to better understand the process for moving into production.
* The CVE Program needs to define how an entity becomes an ADP and what that process looks like.
* A Board member commented that the process may look a lot like how an entity becomes a CNA, and further, that only CNAs should become ADPs, at least in the beginning.
* Board comments:
  * This criterion is being discussed in SPWG. There will be a vote for every ADP that comes in. The criteria are currently being worked on and we have just finished the rules, so we want to bring consensus here from a governance perspective before we enable any long-term programs.
  * I don't think we should be voting on each ADP. The CVE Board is a governance body and shouldn't be focused on tactical operational execution.
  * Let's get these two successfully out there working, and then let's discuss how we're going to address the long-term ADP capabilities in the program itself.
  * There are probably two big decisions for the Board: 1) expanding the ADP pilot so more data goes into the existing pilot testing period, because testing reveals things; 2) a decision (in a couple of weeks) to approve the Secretariat ADP as the reference ADP and effectively put it into production.
  * Board members want to see the planned process and rules for this proposal and to be able to vote on this topic before going from a pilot phase to a production phase.
  * We have security reviews, but a full-blown community penetration test hasn't happened since we deployed 5.0.
· No objections were raised to the expanded scope for the CISA ADP pilot (CISA's enrichment of public CVE Records through CISA's ADP).

Open Discussion
None.

Review of Action Items
None.

Next CVE Board Meetings
· Wednesday, May 29, 2024, 9:00am – 11:00am (EDT)
· Wednesday, June 12, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, June 26, 2024, 9:00am – 11:00am (EDT)
· Wednesday, July 10, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, July 24, 2024, 9:00am – 11:00am (EDT)
· Wednesday, August 7, 2024, 2:00pm – 4:00pm (EDT)

Discussion Topics for Future Meetings
· End user working group write-up discussion
· Board discussions and voting process
· ADP discussion
· Sneak peek/review of the annual report template SPWG is working on
· Bulk download: response from the community about Reserved IDs
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting)
· Council of Roots update (every other meeting)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default configurations
· CVE Communications Strategy