CVE Board Meeting Notes

June 12, 2024 (2:00 pm – 4:00 pm EDT)
Agenda

·       Introduction

·       Topics

     *   Working Group Updates
     *   Proposal for Organizational Liaison Role
     *   CVE Board Charter Update
        *   Organizational Liaison Role Incorporation
        *   Snap Voting on Board Calls
        *   Policy Document Changes
     *   AI Discussion Follow-Up (Draft Blog)

·       Open Discussion

·       Review of Action Items

·       Closing Remarks
New Action Items from Today’s Meeting

  *   Provide contacts to the Outreach and Communication Working Group for trade 
organizations and publications. (Responsible Party: Board Members)
  *   Edit the Charter regarding voting, adding a provision for snap voting. 
(Responsible Party: SPWG Chair)
  *   Send a message to the CVE Board about setting up a temporary working group 
to discuss AI. (Responsible Party: Secretariat)
  *   Draft guidance for specification-level vulnerabilities and how to properly 
assign CVEs to them. (Responsible Party: Board Member)
Working Group Updates
TWG

  *   Discussed the concept of displaying CPE information on the webpage
     *   It is complex because you have to interweave it between the products.
     *   We need to discuss whether it should be on the website.
     *   It’s available in the JSON file.
  *   Conducted a hotwash of the June 5 webinar on the new CNA rules.
  *   Board member comments:
     *   CPE is meant to be machine-readable.
     *   We thought it would not be in the first rendering.
     *   It might be beneficial to give CNAs another opportunity to ask 
questions if necessary, or we can poll the group. The webinar was a great forum 
for allowing people to ask those questions.
Vulnerability Conference and Events Working Group

  *   The VulnCon after action report is being finalized.
  *   Working on the timeline for next year and will be identifying program 
leaders.
Strategic Planning Working Group

  *   We have been working through the authorization process for the first ADP 
(CISA “Vulnrichment”). It has been operationalized and is now contributing data.
  *   The Secretariat (References) ADP is on track for a mid-July deployment.
  *   Working on document clean-up related to the new CNA rules:
     *   Policy document changes are not to be made by the Secretariat without 
approval.
     *   Revising glossary items.
  *   The big focus is defining the requirements, responsibilities, and 
on-boarding for ADPs moving forward.
Quality Working Group

  *   Two major discussions last meeting:
     *   Legacy JSON v4 data blocks: The CVE data should be concise and 
consumable by the widest range of applications. Need to determine whether those 
ingesting the data or the Secretariat will do the work.
     *   How do we define CPE going forward?
  *   Some feel CPEs should only be provided for affected versions, similar to 
NVD.
  *   There was some back-and-forth discussion about dropping the “x_” field 
(to be continued).
Outreach and Communications Working Group

  *   Two major communications activities underway:
     *   Developed a plan for outreach to trade media publications
     *   Researched press release aggregators like Business Wire and News Wire.
        *   Membership fees
  *   We published two blogs:
     *   Announcing ADP
     *   Final notice regarding legacy downloads.
  *   22 blogs so far this year with 8,000 views.
  *   Since the last report, we have published a CNA rules podcast.
  *   25 podcast episodes have been published with 30,000 plays.
  *   The meeting schedule will change in an effort to bring in more people: 
meetings will alternate between morning and afternoon slots.
  *   Board members were asked to provide contacts to the Outreach and 
Communication Working Group for trade organizations and publications.
CNA Organization of Peers (COOP)

  *   No report.
Automation Working Group

  *   Deployed the CISA ADP on June 4.
  *   Will be adding some rendering in CVE Records on CVE.org at the end of 
June.
  *   Made some edits to the AWG charter that will be voted on in two weeks.
Proposal for Organizational Liaison Role

  *   This was first discussed in March 2024.
  *   The intent is to give the CVE Board a governance tool for bringing in 
voices it would not normally hear from.
  *   There are partner organizations that are vital to our growth and success.
  *   There should be a nomination process.
  *   Board member comments:
     *   The group discussed how to select the organizations and subsequently 
the nomination process.
     *   The current draft charter states that the Board decides the 
organization and the organization selects the liaison.
     *   The group considered using the standard voting process for this and 
discussed the length of term and renewal.
     *   If an organizational liaison changes position or job, they are no 
longer the liaison.
     *   Term limits could be different for each organization.
     *   Tracking may be tricky with staggered terms.
     *   This initiative will have to go to a Board vote.
CVE Board Charter Update

  *   The charter update includes the Organizational Liaison role.
  *   It also adds snap votes, which can be used for deciding consensus but 
cannot be used for approving policy documentation (initial approvals or 
subsequent updates). This would help provide some direction when a quorum is not 
present.
  *   Board member comments:
     *   Consider giving examples of what snap votes can be used for.
     *   The group discussed whether the votes should be unanimous.
     *   When a snap vote occurs, the video and discussion could be trimmed and 
shared for those who could not attend the meeting.
     *   This is similar to unanimous consent.
AI Discussion Follow-Up (Draft Blog)

  *   A VulnCon guest drafted a document highlighting the discussion that took 
place during the AI deep dive.
  *   How does this apply to the new rules?
  *   Discussed the activities from the event, such as case studies of negative 
outcomes associated with AI security issues.
  *   The CWE board has launched an AI working group.
  *   Board member discussion:
     *   We need to put something out, such as a series of blog posts.
     *   The group discussed how to best get the dialog started.
     *   There are different levels of AI.
     *   We should set up a temporary working group to discuss CVE AI.
     *   Secretariat to send a message to the CVE board about setting up a 
temporary working group to discuss AI in the context of the CVE Program.
Open Discussion
Some information in the charter regarding the Secretariat’s role and 
responsibilities had been taken out and has been placed back in.
A member reported on an interesting discussion in the OpenSSF Vulnerability 
Disclosures Working Group around specification-level vulnerabilities and how to 
properly assign CVEs to them. We should consider more guidance in this area.
Review of Action Items
None.
Next CVE Board Meetings

·       Wednesday, June 26, 2024, 9:00am – 11:00am (EDT)

·       Wednesday, July 10, 2024, 2:00pm – 4:00pm (EDT)

·       Wednesday, July 24, 2024, 9:00am – 11:00am (EDT)

·       Wednesday, August 7, 2024, 2:00pm – 4:00pm (EDT)

·       Wednesday, August 21, 2024, 9:00am – 11:00am (EDT)
Discussion Topics for Future Meetings

·       End user working group write-up discussion

·       Board discussions and voting process

·       ADP discussion

·       Sneak peek/review of annual report template SPWG is working on

·       Bulk download response from community about Reserved IDs

·       CVE Services updates and website transition progress (as needed)

·       Working Group updates (every other meeting)

·       Council of Roots update (every other meeting)

·       Researcher Working Group proposal for Board review

·       Vision Paper and Annual Report

·       Secretariat review of all CNA scope statements

·       Proposed vote to allow CNAs to assign for insecure default 
configurations

·       CVE Communications Strategy