CVE Board Meeting Notes
July 10, 2024 (2:00 pm - 4:00 pm EDT)

Agenda
* Introduction
* Topics
  * Working Group Updates
  * Organizational Liaisons
  * ADP (and CPE)
  * Policy documents on GitHub
* Open Discussion
* Review of Action Items
* Closing Remarks

New Action Items from Today's Meeting
* Make the Automation Working Group charter accessible to board members. (Responsible party: Secretariat)
* Reach out to the QWG member about a statement on the pros and cons of a consumer working group and moving forward with it. (Responsible party: QWG Co-Chair)
* Remove legacy download format file links from cve.org and inform the community. (Responsible party: Secretariat)
* Draft the governance documentation for nomination and onboarding of organizational liaisons. (Responsible party: SPWG)
* Organize policy documents as markdown on GitHub, create a short briefing file, and present the trail to the board. (Responsible party: Board Member)
* Review the CVE Record Dispute Policy and other policies and submit them to the Board for approval. (Responsible party: SPWG)
* Draft an initial proposal for a Fall Technical Workshop and provide it to the Board for review. (Responsible party: VCEWG)

Working Group Updates

Automation Working Group
* CISA ADP deployed in June without major issues.
* CVE Services update candidate 2.3.3 released for two-week testing on July 9.
* Development team now pivoting to a focus on website development.
* Looking to get more people from the community involved; organizations are giving presentations on their use of CVE to help inform the AWG.
* Focusing on the deployment next week of the Secretariat References ADP. Anticipate having rendering of that data operational by the end of July.
* New AWG charter in place.
* Board member comments:
  * Make the charter accessible to read.

CNA Organization of Peers
* No report.

Outreach and Communications Working Group
* Published four blogs since the last update.
* Working on communications around the Secretariat ADP and promoting the CNA rules.
* The group discussed whether another webinar is needed around the new CNA rules or whether pointing to the existing video is sufficient.
* Consensus was, based on the limited questions from the community so far, to wait until after the new rules take effect and potentially create additional training based on future responses or questions.

Quality Working Group
* The working group talked about CPE and how to move forward with clarification of CPE in the CVE Record Format schema.
* Discussed removing the legacy JSON 4.0 data from records in the CVE corpus.
* There is a Data Tiers document that has not been worked on for a while and will be revisited.
* Board member comments:
  * The Board has not heard of any issues since support for JSON 4.0 stopped.
  * JSON 4.0 files should be removed from the website and the action announced to the community.

Strategic Planning Working Group
* The working group is updating documents ancillary to the CNA rules document.
* Focus on ADPs and documenting the rules and responsibilities of ADPs and who qualifies.
* The Board discussed the glossary and whether more work needs to be completed.

Tactical Working Group
* Priorities include rendering CVE Record data and changes to the website.
* The working group has been developing requirements around rendering of ADP information.
* They have also discussed how to encourage CNAs to provide enriched data in CVE Records, including recognizing star performers, i.e., those consistently adding additional data fields.
* Data pulls for status or enriched data in records are produced on a bi-weekly basis for the Board.
* Board member comments:
  * We need to address website feedback and need to discuss the cumbersome glossary.
  * Feedback is received via Microsoft Forms.

Vulnerability Conference and Events Working Group
* The group is working on schedules for the next VulnCon (call for papers, etc.).
* Board member comments:
  * CVE turns 25 years old on September 29th and we should consider some activity around this milestone.

AI Working Group
* Initial focus has been planning a course of action over a series of blogs, and the first has been published.
* Working on determining swim lanes for the CVE Program with respect to AI/ML/LLM.

Organizational Liaisons
* CVE Board Charter version 3.5 vote passed.
* The new charter includes the capability to appoint a seat on the board to an organization, which can then assign an individual of its choosing (organizational liaison).
* SPWG will develop the governance documentation for nomination and onboarding of organizational liaisons.
* Board member comments:
  * Be sure that organizations bring value to the CVE Board.
  * NIST was a good example of a productive organizational liaison.
  * The Board is to approve organizations, but not necessarily the individuals.
  * The Board discussed possible actions if the individual is not a good contributor.
  * The Board discussed whether it is necessary to create a path from organizational liaison to full board member (likely not).

ADP and CPE
* SPWG is leading the ADP work.
* QWG is leading the CPE work.
* Board member comments:
  * The Board discussed whether there has been discussion with NIST and alignment with CPE.
  * Some progress has been made on the backlog of vulnerability enrichment by the CISA ADP.

Policy Documents on GitHub
* Proposed to put policy documents in GitHub as markdown.
* This will help with tracking of proposed minor changes.
* Major changes would likely have to be completed via Word or Google Docs.
* A Board member volunteered to organize the documents, create a short briefing file, and present the trail to the Board.
* Board member comments:
  * We do not want to include working documents, only official documents.
  * The Board discussed the editing power that GitHub administrators should have.
  * They also discussed whether official documents on the website should be PDF or web site text.

Open Discussion

CVE Dispute process
* The Board discussed CVE disputes and whether they should be escalated to the Council of Roots, which is not yet an official body, although it is listed in the approved Program Glossary.
* The CVE Record Dispute Policy has not been formally approved by the Board.
* The SPWG or a subgroup will review this and propose policies to the Board.

Fall Technical Workshop
* VCEWG will bring recommendations for a Fall Technical Workshop to the Board.

Review of Action Items
None.

Next CVE Board Meetings
* Wednesday, July 24, 2024, 9:00am - 11:00am (EDT)
* Wednesday, August 7, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, August 21, 2024, 9:00am - 11:00am (EDT)
* Wednesday, September 4, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, September 18, 2024, 9:00am - 11:00am (EDT)

Discussion Topics for Future Meetings
* End user working group write-up discussion
* Board discussions and voting process
* ADP discussion
* Sneak peek/review of the annual report template SPWG is working on
* Bulk download response from the community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy