CVE Board Meeting Notes
May 29, 2024 (9:00 am - 11:00 am EDT)
Agenda
* Introduction
* Topics
* ADP Pilot: CISA and References
* Use of public Board mailing list
* GitHub management (including GitHub repo and processes for Rules
documents)
* Open Discussion
* Review of Action Items
* Closing Remarks
New Action Items from Today's Meeting
New Action Item
Responsible Party
Write up paragraph explaining ADP.
CNACWG Chair
Determine whether to move ADP to production. Board supports.
SPWG
Send test email using listserv to determine whether every board member receives
it. Board members to report.
Secretariat
Explore whether groups.io can replace listserv for CVE Board correspondence.
Secretariat
Propose a method for document hosting and change management for the CNA Rules
documentation.
Board Member
ADP Pilot: CISA and References
* We have been piloting for two weeks with some minor technical issues that
have been resolved and seek final blessing from SPWG.
* The Board does not want to wait until the next meeting to move forward
with ADP.
* Board member comments:
* The Board discussed enrichment, scoring, and issues with vulnerability
enrichment on GitHub.
* We need to do a better job messaging changes and should not wait for a
CISA blog post.
* CNACWG Chair volunteered to write a paragraph, explaining ADPs, to be
added to the cve.org website.
* Containers need to be processed mandatorily: CNA record and
secretariat container.
* The group discussed potential bugs such as the versioning information
not being allowable, and versions set to asterisk.
* For the Secretariat (references) ADP, we are working on the following:
* Creating infrastructure for any ADP to be able to submit ADP
information.
* Concerned about bulk downloads and bulk input.
* Product information should be noticed and updated.
* Messaging will be directly to CNAs using the email list. We'll also
communicate publicly through the website and social media.
Use of public Board mailing list
* We should consider increasing the use of mailing lists because people can
work more asynchronously when discussions are archived.
* Board member comments:
* There is a public list and a board specific list.
* We want to encourage public discussion on issues.
* The MITRE listserv can be unreliable
* The Board discussed groups.io, Discord, and Slack - there are some
concerns over trust issues for some of these options.
GitHub management (including GitHub repo and processes for Rules documents)
* We have a lot of presence on GitHub.
* There has been discussion about hosting more on GitHub, primarily the
issue of rules, documents, and other living documents or policy for the program.
* There is a lot of information and repositories on GitHub and we need to
identify the "stale bits" and sort out what to do with them.
* There is also the issue of access control and change management.
* It's not the job of the Secretariat to "clean" the GitHub repositories.
The owners should contribute.
Open Discussion
The group agreed that the SPWG can make the decision at their next meeting
whether or not to proceed with the deployment of the CISA ADP into production.
Review of Action Items
Out of time.
Next CVE Board Meetings
* Wednesday, June 12, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, June 26, 2024, 9:00am - 11:00am (EDT)
* Wednesday, July 10, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, July 24, 2024, 9:00am - 11:00am (EDT)
* Wednesday, August 7, 2024, 2:00pm - 4:00pm (EDT)
Discussion Topics for Future Meetings
* End user working group write-up discussion
* Board discussions and voting process
* ADP discussion
* Sneak peek/review of annual report template SPWG is working on
* Bulk download response from community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default
configurations
* CVE Communications Strategy
