CVE Board Meeting Notes
June 26, 2024 (9:00 am – 11:00 am EDT)

Agenda
· Introduction
· Topics
  * Inactive CNA Policy: Do we need it?
  * Initial CNA requirements prior to acceptance and onboarding
  * Data enrichment update
· Open Discussion
· Review of Action Items
· Closing Remarks

New Action Items from Today’s Meeting

New Action Item | Responsible Party
Work with Secretariat to refine CNA Registration Form and bring suggestions back to the Board. | SPWG Chair
Develop a mockup of a page that recognizes organizations for data enrichment and present it to the board. | Secretariat

Inactive CNA Policy: Do we need it?

* While performing data pulls, it is evident that several CNAs have not published a CVE Record over the last 365 days.
* Because of the growth of the program, the Board should discuss whether we need a CNA (in)activity policy, what it should contain, and how it is enforced.
* There is currently an Inactive CNA Policy <https://www.cve.org/Resources/General/Policies/Inactive-CNA-Policy.pdf> in place that defines inactive CNAs as, “over the preceding six-month period, that have not assigned CVE IDs or published CVE Records within a scope, and have not participated in any of the various working groups and discussions to advance CVE Program objectives.”

Board member comments:

* The purpose of CNAs is to publish CVEs.
* There are some major CNAs who are not publishing CVEs.
* The Board wants the CNAs to be active but understands that there are sometimes legitimate reasons why they may not be.
* The group discussed classifying non-contributors in buckets such as further education, inactive, and non-responsive.
* The Board wants to understand better why some CNAs are not contributing.
* Members discussed whether to touch base with all roots first and to perhaps implement periodic checks on CNAs for activity.

Initial CNA requirements prior to acceptance and onboarding

* The Board should consider setting guidelines for qualification as a CNA.
* Board member discussion:
  * CNAs are tracked on Monday.com and the roots participate in it.
  * There is currently a lack of visibility into how roots recruit CNAs.
  * To become a CNA, the online registration form is completed (or, if there are language issues, a hardcopy is provided by a root) and then roots conduct onboarding.
  * The program has been in a growth phase and should now move to a quality phase.
  * Some board members feel that CNAs should be more restricted, while others don’t have issues with the numbers of CNAs and level of activity.
  * The Board discussed the roles of the Secretariat and the root in the CNA registration process.
  * SPWG Chair will work with Secretariat to refine the CNA Registration Form and bring suggestions back to the Board.

Data enrichment update

* There has been discussion about data tiers in the QWG.
* We should consider recognizing tiers of information in order to incentivize and recognize CNAs that are doing data enrichment.
* The Board should discuss what should be done to recognize organizations and what the criteria are: CVE, CVSS (3.1 vs. 4.0), CWE, CPE.
* CPE is problematic at the moment, so it would likely be left off at this time.
* There is currently a mockup rendering ready if the Board chooses to move forward with a recognition program.
* Board member discussion:
  * The group discussed the level of compliance: 95%? 100%?
  * CVSS 4.0 is challenging for most vendors. The Board should consider recognizing 3.1 and perhaps have another tier for CNAs using 4.0.
  * Should the first tier be those who provide CVSS and CWE?
  * The Secretariat will develop a mockup of a page that recognizes organizations for data enrichment and present it to the Board.

Open Discussion

* Some of the metrics on the metrics page do not display correctly on certain browsers.

Review of Action Items

None.

Next CVE Board Meetings

· Wednesday, July 10, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, July 24, 2024, 9:00am – 11:00am (EDT)
· Wednesday, August 7, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, August 21, 2024, 9:00am – 11:00am (EDT)
· Wednesday, September 4, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, September 18, 2024, 9:00am – 11:00am (EDT)

Discussion Topics for Future Meetings

· End user working group write-up discussion
· Board discussions and voting process
· ADP discussion
· Sneak peek/review of annual report template SPWG is working on
· Bulk download response from community about Reserved IDs
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting)
· Council of Roots update (every other meeting)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default configurations
· CVE Communications Strategy