CVE Board Meeting Notes

June 26, 2024 (9:00 am – 11:00 am EDT)
Agenda

·       Introduction

·       Topics

     *   Inactive CNA Policy: Do we need it?
     *   Initial CNA requirements prior to acceptance and onboarding
     *   Data enrichment update

·       Open Discussion

·       Review of Action Items

·       Closing Remarks
New Action Items from Today’s Meeting
New Action Item | Responsible Party
Work with Secretariat to refine CNA Registration Form and bring suggestions back to the Board. | SPWG Chair
Develop a mockup of a page that recognizes organizations for data enrichment and present it to the board. | Secretariat
Inactive CNA Policy: Do we need it?

  *   While performing data pulls, it is evident that several CNAs have not 
published a CVE Record over the last 365 days.
  *   Because of the growth of the program, the Board should discuss whether we 
need a CNA (in)activity policy, what it should contain, and how it is enforced.
  *   There is currently an Inactive CNA 
Policy<https://www.cve.org/Resources/General/Policies/Inactive-CNA-Policy.pdf> 
in place that defines inactive CNAs as, “over the preceding six-month period, 
that have not assigned CVE IDs or published CVE Records within a scope, and 
have not participated in any of the various working groups and discussions to 
advance CVE Program objectives.”
  *   Board member comments:
     *   The purpose of CNAs is to publish CVEs.
     *   There are some major CNAs who are not publishing CVEs.
     *   The Board wants the CNAs to be active but understands that there are 
sometimes legitimate reasons why they may not be.
     *   The group discussed classifying non-contributors in buckets such as 
further education, inactive, and non-responsive.
     *   The Board wants to understand better why some CNAs are not 
contributing.
     *   Members discussed whether to touch base with all roots first and to 
perhaps implement periodic checks on CNAs for activity.
Initial CNA requirements prior to acceptance and onboarding

  *   The Board should consider setting guidelines for qualification as a CNA.
  *   Board member discussion:
     *   CNAs are tracked on Monday.com and the roots participate in it.
     *   There is currently a lack of visibility into how roots recruit CNAs.
     *   To become a CNA, the online registration form is completed (or, if 
there are language issues, a hard copy is provided by a root) and then roots 
conduct onboarding.
     *   The program has been in a growth phase and should now move to a 
quality phase.
     *   Some board members feel that CNAs should be more restricted, while 
others don’t have issues with the numbers of CNAs and level of activity.
     *   The Board discussed the roles of the Secretariat and the root in the 
CNA registration process.
     *   SPWG Chair will work with Secretariat to refine the CNA Registration 
Form and bring suggestions back to the Board.
Data enrichment update

  *   There has been discussion about data tiers in the QWG.
  *   We should consider recognizing tiers of information in order to 
incentivize and recognize CNAs that are doing data enrichment.
  *   The Board should discuss what should be done to recognize organizations 
and what are the criteria: CVE, CVSS (3.1 vs. 4.0), CWE, CPE.
  *   CPE is problematic at the moment, so likely would be left off at this 
time.
  *   There is currently a mockup rendering ready if the Board chooses to move 
forward with a recognition program.
  *   Board member discussion:
     *   The group discussed the level of compliance: 95%? 100%?
     *   CVSS 4.0 is challenging for most vendors. The Board should consider 
recognizing 3.1 and perhaps have another tier for CNAs using 4.0.
     *   Should the first tier be those who provide CVSS and CWE?
     *   The Secretariat will develop a mockup of a page that recognizes 
organizations for data enrichment and present it to the Board.
Open Discussion

  *   Some of the metrics on the metrics page do not display correctly on 
certain browsers.
Review of Action Items
None.
Next CVE Board Meetings

·       Wednesday, July 10, 2024, 2:00pm – 4:00pm (EDT)

·       Wednesday, July 24, 2024, 9:00am – 11:00am (EDT)

·       Wednesday, August 7, 2024, 2:00pm – 4:00pm (EDT)

·       Wednesday, August 21, 2024, 9:00am – 11:00am (EDT)

·       Wednesday, September 4, 2024, 2:00pm – 4:00pm (EDT)

·       Wednesday, September 18, 2024, 9:00am – 11:00am (EDT)
Discussion Topics for Future Meetings

·       End user working group write-up discussion

·       Board discussions and voting process

·       ADP discussion

·       Sneak peek/review of annual report template SPWG is working on

·       Bulk download response from community about Reserved IDs

·       CVE Services updates and website transition progress (as needed)

·       Working Group updates (every other meeting)

·       Council of Roots update (every other meeting)

·       Researcher Working Group proposal for Board review

·       Vision Paper and Annual Report

·       Secretariat review of all CNA scope statements

·       Proposed vote to allow CNAs to assign for insecure default 
configurations

·       CVE Communications Strategy


