CVE Board Meeting Notes
May 15, 2024 (2:00 pm – 4:00 pm EDT)
Agenda
· Introduction
· Topics
* WG Updates
* SPWG recommends that changes to documents classified as rules/policy
must be voted on by the Board
* CISA Vulnrichment ADP Governance
· Open Discussion
· Review of Action Items
· Closing Remarks
New Action Items from Today’s Meeting
New Action Item: Draft language for consideration and updating the Board Charter:
* To make explicit whether a Board vote is a snap vote or a two-week vote, depending on the program document type and the changes being made.
Responsible Party: SPWG Chair
WG Updates (WG Chairs)
* COOP:
* Started updating the Charter to remove “Working Group” and update the name
(CNA Organization of Peers) throughout; these changes are all cosmetic, not
procedural.
* Once all changes are made, a vote will be initiated to approve the
updated charter.
* AWG:
* CVE Services 2.3.1 (CVE Record Format JSON 5.1) was successfully deployed on May 8.
* AWG is looking for a co-chair; there is currently one candidate under
consideration.
* Charter was last renewed in 2021, so the group is undergoing a review.
* OCWG:
* Added all the VulnCon videos to the CVE YouTube channel as an
additional outlet, in coordination with FIRST.org.
* Promoted the addition of the videos with a blog and email to CNAs,
CVE social media, and Slack.
* Continued promotion of the deprecation of the legacy download formats, and
made the messaging a little more urgent, including multiple blog posts (over
5000 views on Medium).
* Promoted the use of additional data fields as well as the data
enrichment capabilities of the CVE Record format, and also started promoting the
CNA Rules 4.0 via email to CNAs, blog, and social media.
* Webinar scheduled on this topic for June 5th; 67 registrants so
far. This will be promoted a couple times a week.
* Set up an advanced questions survey for the webinar but have not
had any submissions on that so far.
* Recorded a podcast about the new CNA rules.
* Not going to have an OCWG meeting more than once a month, but there is
a poll to discuss changing the meeting time to accommodate international attendance.
* QCWG:
* Priority was getting the CVE Record Format (JSON 5.1.0 schema) out the
door and making some structural changes to the schema for better support
going forward, as opposed to trying to support multiple versions.
* Starting to go through the issues already filed for the 5.2.0 release
and some of the new ones that have been recently found, prioritizing those,
and figuring out what we want to include in 5.2.0.
* SPWG:
* Now that CVE Services has been updated to support an ADP and we have two
test pilots in progress, SPWG will be focused on clarifying the role of an ADP
(and will, of course, bring that back to the Board for review).
* TWG:
* Will begin to address the webpage and the enriched data to be added to
CVE Records (e.g., CWE, CPE, CVSS).
* VCEWG:
* All videos from VulnCon have been posted. We are now looking to do
some promotion of videos.
* For the next VulnCon, we discussed a possible presentation that follows a
bug through its lifecycle, covering all the things that touch a CVE (the CWEs,
the CVSS, the CPEs), with each group describing what happens from their
perspective and what they are aiming for.
SPWG recommends that changes to documents classified as rules/policy must be
voted on by the Board
* Discussion coming out of the SPWG concerning the program documents
(programmatic/process and governance documents that define rules) and how
changes to them should be a matter of a Board vote.
* Since these documents were originally voted on and approved, any necessary
policy change to them should also be voted on by the Board. Changes made
to these documents must be transparent and approved by the Board, not just
by the Secretariat, because these documents govern the management and guidance
of the CVE program itself.
* A change to the Board Charter is necessary to clarify the need for votes
on document changes, whether a snap vote or a two-week vote. There are
levels to rules and bylaws, and if you are going to change an aspect of these
documents you need to go to the appropriate level of authority for [each
change].
* Members suggested a review of the Board Charter.
CISA Vulnrichment ADP Governance
* The CISA “Vulnrichment” ADP discussion is focused on the governance process for
deployment into production.
* CISA is ready to deploy their ADP and would like to better understand the
process for moving into production.
* The CVE Program needs to determine how an entity becomes an ADP and
what that process looks like.
* A Board member commented that the process may look a lot like how an
entity becomes a CNA, and further, that only CNAs should become ADPs, at least in the
beginning.
* Board comments:
* This criterion is being discussed in SPWG. There will be a vote for
every ADP that comes in. The criteria are currently being worked on and we have
just finished the rules, so we want to bring consensus here from a governance
perspective before we enable any long-term programs.
* I don’t think we should be voting on each ADP. The CVE Board is a
governance body and shouldn’t be focused on tactical operational execution.
* Let’s get these two [pilots] out there working successfully and then let’s
discuss how we're going to address the long-term ADP capabilities in the
program itself.
* There are probably two big decisions for the Board: 1) Expanding
ADP pilot so more data will go into the existing pilot period of testing
because testing reveals things; 2) A decision (in a couple of weeks) to approve
the Secretariat ADP as the reference ADP, and effectively put it into
production.
* Board members want to see the plan, process, and rules for this
proposal and to be able to vote on this topic before going from a pilot phase
to a production phase.
* We have security reviews, but as far as a full-blown community
penetration test, that hasn't happened since we deployed 5.0.
* No objections were raised to the expanded scope for the CISA ADP pilot
(CISA's enrichment of public CVE Records through CISA's ADP).
Open Discussion
None.
Review of Action Items
None.
Next CVE Board Meetings
· Wednesday, May 29, 2024, 9:00am – 11:00am (EDT)
· Wednesday, June 12, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, June 26, 2024, 9:00am – 11:00am (EDT)
· Wednesday, July 10, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, July 24, 2024, 9:00am – 11:00am (EDT)
· Wednesday, August 7, 2024, 2:00pm – 4:00pm (EDT)
Discussion Topics for Future Meetings
· End user working group write-up discussion
· Board discussions and voting process
· ADP discussion
· Sneak peek/review of annual report template SPWG is working on
· Bulk download response from community about Reserved IDs
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting)
· Council of Roots update (every other meeting)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default
configurations
· CVE Communications Strategy