CVE Board Meeting Notes
July 10, 2024 (2:00 pm - 4:00 pm EDT)
Agenda

  *   Introduction
  *   Topics
     *   Working Group Updates
     *   Organizational Liaisons
     *   ADP (and CPE)
     *   Policy documents on GitHub

  *   Open Discussion
  *   Review of Action Items
  *   Closing Remarks
New Action Items from Today's Meeting

| New Action Item | Responsible Party |
|---|---|
| Make Automation Working Group charter accessible to board members. | Secretariat |
| Reach out to QWG member about a statement around the pros and cons of consumer working group and moving forward with it. | QWG Co-Chair |
| Remove legacy download format file links from cve.org and inform community. | Secretariat |
| Draft the governance documentation for nomination and onboarding of organizational liaisons. | SPWG |
| Organize policy documents for markdown on GitHub and create a short briefing file and present the trail to the board. | Board Member |
| Review the CVE Record Dispute Policy and other policies and submit to Board for approval. | SPWG |
| Draft initial proposal for a Fall Technical Workshop and provide to the Board for review. | VCEWG |

Working Group Updates
Automation Working Group

  *   CISA ADP deployed in June without major issues.
  *   CVE services update candidate 2.3.3 released for two-week testing on July 
9.
  *   Development team now pivoting to a focus on website development.
  *   Looking to get more people from community involved - organizations are 
giving presentations on their use of CVE to help inform AWG.
  *   Focusing on the deployment next week of the Secretariat References ADP.  
Anticipate having rendering of that data operational by the end of July.
  *   New AWG charter in place.
  *   Board member comments:
     *   Make charter accessible to read.
CNA Organization of Peers

  *   No report.
Outreach and Communications Working Group

  *   Published four blogs since last update.
  *   Working on communications around Secretariat ADP and promoting CNA rules.
  *   The group discussed whether another webinar is needed around new CNA 
rules or if pointing to the existing video is sufficient.
  *   Consensus was, based on limited questions from community so far, to wait 
until after new rules take effect and potentially create additional training 
based on future responses or questions.
Quality Working Group

  *   The working group talked about CPE and how to move forward with 
clarification of CPE in the CVE Record Format schema.
  *   Discussed removing the legacy JSON 4.0 data from records in the CVE 
corpus.
  *   There is a Data Tiers document that has not been worked on for a while 
and will be revisited.
  *   Board member comments:
     *   The Board has not heard of any issues since they stopped supporting 
JSON 4.0.
     *   JSON 4.0 files should be removed from the website and the action 
announced to the community.
Strategic Planning Working Group

  *   The working group is updating documents ancillary to the CNA rules 
document.
  *   Focus on ADPs and documenting rules and responsibilities of ADPs and who 
qualifies.
  *   The Board discussed the glossary and whether more work needs to be 
completed.
Tactical Working Group

  *   Priorities include rendering CVE Record data and changes to the website.
  *   The working group has been developing some requirements around rendering 
of ADP information.
  *   They have also discussed how to encourage CNAs to provide enriched data 
in CVE Records, including recognizing star performers - those consistently 
adding additional data fields.
  *   Data pulls for status or enriched data in records are produced on a 
bi-weekly basis for the Board.
  *   Board member comments:
     *   We need to address website feedback and need to discuss the cumbersome 
glossary.
     *   Feedback is received via Microsoft forms.
Vulnerability Conference and Events Working Group

  *   The group is working on schedules for the next VulnCon (call for papers, 
etc.).
  *   Board member comments:
     *   CVE turns 25 years old on September 29th and we should consider some 
activity around this milestone.
AI Working Group

  *   Initial focus has been planning a course of action over a series of 
blogs, and the first has been published.
  *   Working on determining swim lanes for the CVE Program with respect to 
AI/ML/LLM.

Organizational Liaisons

  *   CVE Board Charter version 3.5 vote passed.
  *   The new charter includes the capability to appoint a seat on the board to 
an organization for which they can assign an individual of their choosing 
(organizational liaison).
  *   SPWG will develop the governance documentation for nomination and 
onboarding of organizational liaisons.
  *   Board member comments:
     *   Be sure that organizations bring value to the CVE board.
     *   NIST was a good example of a productive organizational liaison.
     *   Board to approve organizations, but not necessarily the individuals.
     *   The board discussed possible actions if the individual is not a good 
contributor.
     *   The board discussed whether it is necessary to create a path from 
organizational liaison to full board member (likely not).
ADP and CPE

  *   SPWG is leading the ADP work.
  *   QWG is leading the CPE work.
  *   Board member comments:
     *   The Board discussed whether there has been discussion with NIST and 
alignment with CPE.
     *   Some progress has been made on the backlog of vulnerability enrichment 
by the CISA ADP.
Policy Documents on GitHub

  *   Proposed to put policy documents in GitHub as markdown.
  *   This will help with tracking of proposed minor changes.
  *   Major changes would likely have to be completed via Word or Google Docs.
  *   Board member volunteered to organize the documents and create a short 
briefing file and present the trail to the board.
  *   Board member comments:
     *   We do not want to include working documents - only official documents.
     *   The board discussed the editing power that GitHub administrators 
should have.
     *   They also discussed whether official documents on the website should 
be PDF or website text.
Open Discussion
CVE Dispute process

  *   The Board discussed CVE disputes and whether they should be escalated to 
the Council of Roots, which is not yet an official body, although it is listed 
in the approved Program Glossary.

  *   The CVE Record Dispute Policy has not been formally approved by the Board.
  *   The SPWG or a subgroup is to review this and propose policies to the Board.

Fall Technical Workshop

  *   VCEWG will bring recommendations for a Fall Technical Workshop to the 
board.
Review of Action Items
None.
Next CVE Board Meetings

  *   Wednesday, July 24, 2024, 9:00am - 11:00am (EDT)
  *   Wednesday, August 7, 2024, 2:00pm - 4:00pm (EDT)
  *   Wednesday, August 21, 2024, 9:00am - 11:00am (EDT)
  *   Wednesday, September 4, 2024, 2:00pm - 4:00pm (EDT)
  *   Wednesday, September 18, 2024, 9:00am - 11:00am (EDT)
Discussion Topics for Future Meetings

  *   End user working group write-up discussion
  *   Board discussions and voting process
  *   ADP discussion
  *   Sneak peek/review of annual report template SPWG is working on
  *   Bulk download response from community about Reserved IDs
  *   CVE Services updates and website transition progress (as needed)
  *   Working Group updates (every other meeting)
  *   Council of Roots update (every other meeting)
  *   Researcher Working Group proposal for Board review
  *   Vision Paper and Annual Report
  *   Secretariat review of all CNA scope statements
  *   Proposed vote to allow CNAs to assign for insecure default configurations
  *   CVE Communications Strategy


