CVE Board Meeting Notes
September 27, 2023 (9:00 am - 11:00 am EDT)
Agenda

* 9:00-9:05 Introduction
* 9:05-10:25 Topics
  * Working Group Updates
  * Board Decisions: Use of Board Email List
  * Workshop: Approve Date (November 15) and Time (10:30 a.m. - 4:30 p.m. EST)
* 10:25-10:35 Open Discussion
* 10:35-10:55 Review of Action Items
* 10:55-11:00 Closing Remarks

New Action Items from Today's Meeting

| New Action Item | Responsible Party |
|---|---|
| Establish coordination with the CVSS SIG. | QWG |
| Schedule an out-of-band TWG meeting to discuss next steps and plan for link rot. A Doodle poll will be sent out to identify a good date/time. | Secretariat |

Working Group Updates

* Automation Working Group (AWG)
  * Working on removing empty/white spaces in record data fields.
  * Brought forward a proposal to the SPWG to reject submissions with a mismatch between their CVSS score and their rating. The proposal was agreed to. Submissions with this problem will get an error message.
  * Question: Are we allowing CNAs to put in where it is on the scale, as opposed to just using the numeric value? Answer: They can do both.
  * Comment: I think the smart thing would be to take anything that is computed and leave it out.
  * Starting to prioritize the lower-priority CVE Services issues. If you have interest, attend the next couple of AWG meetings.
* Outreach and Communications Working Group (OCWG)
  * New podcast recently published: How the New CVE Record Format Will Benefit Consumers <https://www.youtube.com/watch?v=Tgo-PHxc4Uk>. The SPWG Chair participated.
  * We talked this morning to some Root members who joined the OCWG meeting. Will be scheduling a meeting in October to discuss a podcast with them focused on updated Roots content.
  * Received some great content from a representative of a new CNA.
    * The rep has asked for the CVE Program to review it. OCWG has completed their review.
  * The Dark Reading article about the new CVE Record format has been drafted and is under review; may publish in October.
* VCEWG (Vulnerability Conference and Events Working Group)
  * Charter was approved on September 15.
  * The Board had no objection to changing the working group name back to Vulnerability Conference and Events Working Group without holding a vote. The Charter will be revised with the updated name and published next Tuesday.
  * Received an informal acknowledgement from a 2024 conference co-sponsor to help run logistics. Asking for a meeting late this week.
  * Attended PSIRT last week and mentioned the 2024 conference and the goal of trying to get the ecosystem together to talk vulnerabilities.
  * Setting up two WG main workstreams: logistics and call for papers.
  * Question: Are we going to have scheduled meetings? Answer: Working on it; should start in October. Will begin with weekly meetings, and maybe move to bi-weekly later.
* Quality Working Group (QWG)
  * Working on resolving the remaining issues on the 5.01 patch release and the 5.1 minor release.
  * Also working on preparing educational material for the upcoming workshop to talk about best practices around using the format.
  * Question: Is it true that CVSS 4.0 will be targeted for the schema in the 5.02 release? Answer: No, it will be in the 5.1 or 5.2 minor release (patches like 5.02 do not introduce new functionality).
  * The CVSS update is scheduled for October 31. The program needs to be ready quickly after that.
  * There was an action item to establish coordination with the CVSS SIG.
* Strategic Planning Working Group (SPWG)
  * The CNA rules update continues. The initial draft for review will probably be mid-October.
  * Continuing to collaborate with other working groups, AWG specifically, to ensure that we are not standing in their way with any decisions or inactivity.
* Tactical Working Group (TWG)
  * At tomorrow's meeting, there will be a continuation of the discussion about the ADP container issue related to copying references in CVE Records. There is not a consensus yet about how to proceed.
  * Will also discuss the schedule and agenda for the November virtual summit.
* CNA Coordination Working Group (CNACWG)
  * Question: We were going to schedule a meeting to discuss link rot and how we are going to go about it. What is the status? Answer: It was held/scheduled during the TWG meeting two weeks ago. Need to schedule another meeting to build out more specific activities and document a strategy. Action to schedule an out-of-band TWG meeting to discuss. A Doodle poll will be sent out to identify a good date/time.
  * The slides about link rot presented by the CNACWG Chair at the August 30 Board meeting explained the problem and the pathways forward. Slides have also been shared with the Council of Roots and the CNACWG membership.

Board Decisions: Use of Board Email List

* For any decisional votes, unless there is a quorum at the meeting, the vote needs to take place on the list. Board members also need at least one day (preferably two) before the voting period begins to review any related materials.
* Votes that take place during a meeting need to be documented, as well as some basis for the decision.
* Reminder to the Board that there is no contingency vote, e.g., "I'll vote yes if X is changed." You can only vote on what exists at the time, and the options are yes, no, or abstain. A vote cannot be changed after it has been cast.

Workshop: Approve Date (November 15) and Time (10:30 a.m. - 4:30 p.m. EST)

* There were no objections to the proposed date and time for the virtual workshop.
* For the agenda, it was recommended to move detailed topics related to CVE Services (e.g., how to reserve, publish, update, etc.) to a separate meeting to be held after the workshop, to provide a deeper dive and an opportunity for questions/discussion. There was no disagreement. A suggestion was made to provide a brief overview of Services at the workshop and explain what to expect at the follow-on meeting.
* The CNA Rules is an important workshop topic. It will be positioned in the agenda so it is not the first or last topic.
* Another workshop topic will be lessons learned, gotchas, and tips related to using JSON 5. Could ask some CNAs to share their experiences with JSON 5 adoption (recruit some newer CNAs for this).
* Need to send a "save the date" message for November 15 soon.
* Comment: Had a virtual event that included "watch parties" so people could get together if they were in the same general geographic area. It helped the flow in this case. This is something to consider for future CVE events, but there is not enough time for logistics for the workshop.
* Comment: We do not have an easy way to identify CNAs by city, state, or region if we were to consider a watch party format. There was discussion about addressing this with the user registry when it is rolled out. No need to ask for anything more specific than city and state (or similar for international CNAs).
* Watch parties will be considered during planning for the 2024 in-person summit. Has the potential to reduce in-person attendance. International community members might like the idea.
* The workshop agenda will be updated and sent to the Board list for review.

Open Discussion

Out of time.

Review of Action Items

Out of time.

Next CVE Board Meetings

* Wednesday, October 11, 2023, 2:00pm - 4:00pm (EDT)
* Wednesday, October 25, 2023, 9:00am - 11:00am (EDT)
* Wednesday, November 8, 2023, 2:00pm - 4:00pm (EST)
* Wednesday, November 22, 2023, 9:00am - 11:00am (EST)
* Wednesday, December 6, 2:00pm - 4:00pm (EST)
* Wednesday, December 20, 2023, 9:00am - 11:00am (EST)

Discussion Topics for Future Meetings

* Sneak peek/review of the annual report template SPWG is working on
* Bulk download response from the community about Reserved IDs
* Finalize 2023 CVE Program priorities
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy