CVE Board Meeting Notes
May 24, 2023 (2:00 pm - 4:00 pm EDT)
Agenda
* 2:00-2:05 Introduction
* 2:05-3:25 Topics
  * Working Group Updates
  * ADP Pilot
  * Summit Planning Sub-Working Group
  * GitHub Pilot Retirement
* 3:25-3:35 Open Discussion
* 3:35-3:55 Review of Action Items
* 3:55-4:00 Closing Remarks
New Action Items from Today's Meeting
Action Item # | New Action Item | Responsible Party | Due
05.24.01 | Send notification to CNAs and the Board about using Monday.com for RBP tracking/status. Include instructions for getting access. | Secretariat |
05.24.02 | Review the RBP process to better understand its strengths and weaknesses. | Project Leader |
Working Group Updates
* Automation Working Group (AWG)
* Current focus is on the ADP Pilot and working with SPWG to define and
implement requirements.
* Also fixing the remaining CVE Services issues.
* Available to provide consultation to CNAs who are having technical
trouble migrating to JSON 5. This would supplement the existing training
materials, videos, and documentation.
* CNA Coordination Working Group (CNACWG)
* Actively archiving CVE references at archive.org
(http://archivebot.com/beta). About halfway through.
* Question: There was good discussion at the Summit about the mentoring
program. Have you seen any increase in either those wanting to mentor or those
wanting to get help?
* Answer: there has been a slight uptick in folks signing up for
mentoring, and right now nearly everyone is matched up with a mentor.
* Quality Working Group (QWG)
* Working with the AWG through a handful of issues related to the JSON 5
record format. When ready, will do a patch release.
* Also talking about updates for the next minor release.
* Outreach and Communications Working Group
* Two podcasts in the pipeline:
* One scheduled for recording next Wednesday with CISA to address
misconceptions some organizations have about becoming a CNA.
* The other is to be scheduled with the SPWG, and is about leveraging
KEV (https://www.cisa.gov/known-exploited-vulnerabilities) for CVE.
* Published a blog about the Summit, designed to encourage recruitment
and show CVE as a community and its benefits.
* Revisions of the introduction video about CVE are well underway.
* Question: Is it possible when you post blogs and other items to the
website to send an email to the Board list so we can help promote it and spread
the word?
* Answer: Yes, we can start doing that for blogs, podcasts, and
videos.
* Strategic Planning Working Group (SPWG)
* Two recent focus areas:
* ADP pilot requirements (working with AWG) are in pretty good shape.
The ADP pilot initially will focus on the references and getting references
operational.
* Also working on the CNA Rules update. Getting some pushback on
cloud rules and the definition of cloud technology.
* Tactical Working Group (TWG)
* Continued working on the schedule for getting the API endpoints in
place.
* The program has a backup plan that can be used to help CNAs in an
emergency, e.g., large upload and Vulnogram is down.
* Comment about maybe moving ADP under the TWG (and away from SPWG) at
some point after implementation gets underway.
* Question: For AWG, what is happening with the new website search
capability?
* Answer: Requirements were solicited; user stories and the development
schedule are being worked out with the TWG. It is the second priority after the
ADP pilot.
ADP Pilot
* CVE Services interfaces are scheduled to be released into the testing
environment the week of June 19.
* Code can be viewed on the GitHub repository.
* Test management and design strategy are in progress.
* Agreement that testing should be on a complete copy of production data.
* Agreement that no data will move from the test environment to the
production environment.
* Discussion about having three environments: a dedicated test
environment for the user community, and internal test and production
environments. Will look into this and report back.
* Agreement to notify the community that data in the test environment can be
wiped at any time and that this should be expected.
* The Board agreed with the recommendation to not make any changes to the
website for the ADP pilot. How to render ADP information on the site will be
part of ADP production planning, not pilot planning.
* Secretariat ADP Reference pilot is moving along nicely. Some prototype
code has been developed, which will be publicly available.
Summit Planning Sub-Working Group
* Since the last meeting, the idea of the Summit sub-WG was mentioned to
the community (at the CNACWG meeting).
* An active CNA is interested in leading the new group, and a Board member
also volunteered to help lead the effort.
* The Working Group Operations Handbook
(https://cve.mitre.rip/Resources/Roles/WorkingGroups/CVE-Working-Group-Operations-Handbook-v1-0.pdf)
is a useful resource to get started with a new working group. An early task is
the development of the Charter. An example will be provided.
GitHub Pilot Retirement
* Notified CNAs about the June 30 date to discontinue using the web request
form.
* Notified the subset (31) of CNAs that have used the GitHub submission
pilot in the last year that the pilot will shut down after June 30. Custom
emails (based on CNA usage) were sent with guidance on transitioning to CVE
Services.
* Set up two June meetings where participants in the pilot will be asked to
send a representative to tell us their transition plans, ask questions, etc.
* Program will be prepared to provide additional support after June 30 for
any CNAs that need it. Also, CNAs can use the Slack channel to get help from
other members of the community.
Open Discussion
* July 5 meeting will be cancelled due to the U.S. Independence Day holiday.
* RBPs
* Monthly/quarterly notifications about RBPs used to be sent out. Now,
everybody has an RBP board on monday.com and has to look up their own RBP
status. Need to get RBPs back on the radar.
* Process was changed to make better use of program resources and give
CNAs the flexibility to see their RBP status at any time.
* A notice will be sent to all CNAs and the Board about the change and
instructions for getting access to Monday.com (action).
* A review of the RBP process will be performed to better understand its
strengths and weaknesses (action).
* Question: Are there two different scrapers, one for RBPs and one for
References? Do they use the same technology?
* Answer: For References, the program uses DIFFBOT
(https://www.diffbot.com/). For RBPs, custom scrapers are used. No further
development is planned for either; there are too many website changes, and they
cannot scale. The program must rely on them until new technology is in place,
and there are higher priorities right now.
* Question: Do all Board members have a Monday.com account?
* Answer: No. A summary roll-up version of the RBP data will be
generated and provided to the Board. Longer term, Board members will be
provided access to Monday.com after the transition to the enterprise version on
June 1. It will take a few weeks after June 1 to fully integrate with our
corporate authentication systems and to learn the new features and more granular
controls gained with the enterprise version.
Review of Action Items
Out of time.
Next CVE Board Meetings
* Wednesday, June 7, 2023, 9:00am - 11:00am (EDT)
* Wednesday, June 21, 2023, 2:00pm - 4:00pm (EDT)
* Wednesday, July 19, 2023, 2:00pm - 4:00pm (EDT)
* Wednesday, August 2, 2023, 9:00am - 11:00am (EDT)
* Wednesday, August 16, 2023, 2:00pm - 4:00pm (EDT)
Discussion Topics for Future Meetings
* Review draft charter for new working group (for Summit planning, Annual
Report, and the upcoming CVE 25th anniversary)
* Sneak peek/review of the annual report template the SPWG is working on (June
timeframe)
* Bulk download response from community about Reserved IDs
* Finalize 2023 CVE Program priorities
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting, next is June 21)
* Council of Roots meeting highlights (next is June 21)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default
configurations
* CVE Communications Strategy