CVE Board Meeting Notes

November 29, 2023 (9:00 am - 11:00 am EST)
Agenda

*       2:00-2:05        Introduction

*       2:05-3:25        Topics

o   Working Group Updates

o   Organizational Motivation/Intent - Does it matter when considering a CNA 
prospect?

o   Disputed/Rejected Records: Root/CNA Perspective

*       3:25-3:35        Open Discussion

*       3:35-3:55        Review of Action Items

*       3:55-4:00        Closing Remarks
New Action Items from Today's Meeting

  *   New Action Item: Conduct a poll of Board members to identify interested 
parties and a meeting time to further discuss organizational motivation/intent.
     *   Responsible Party: Secretariat
Working Group Updates

  *   AWG
     *   Working on a new deployment schedule for the maintenance release of 
CVE Services. Group proposes January 2024 for deployment.
     *   Started group discussions on schema migration strategy, e.g., JSON 5.0 
to 5.1. Working with TWG.
  *   CNACWG
     *   The mentoring initiative continues with a couple of new sign-ups. There 
are still a couple of mentorships without a mentor.
     *   Question: Has anyone heard feedback about the virtual workshop held 
earlier this month? Answer: That will be a topic at the CNACWG meeting later 
today, and meaningful results will be shared.
  *   OCWG
     *   The Roots podcast production will be rescheduled due to conflicts.
     *   The group is considering a blog about disputed/rejected CVE Records 
from the perspective of the consumer, not the CNA. There is currently not a lot 
of content for consumers and researchers.
     *   Recently, the group discussed doing a blog on picking the right CWE 
for a CVE.
     *   Published a blog yesterday, on the website and social media, about the 
Q3 CVE Program report. The report will be shared with the board and CNAs later 
today.
     *   OpenSSF.org published a guide to becoming a CNA as an open source 
project <https://openssf.org/blog/2023/11/27/openssf-introduces-guide-to-becoming-a-cve-numbering-authority-as-an-open-source-project/>. 
The blog will be promoted on CVE social media beginning today.
  *   QWG
     *   Sent a message to TWG in groups.io about QWG's position to move 
forward with the current schema release candidate. The email provided a rough 
plan for how that might proceed.
     *   Need to get the schema candidate into a test environment. Testing is 
needed to finalize the schema migration strategy. The AWG has the action to 
start discussing an overall schema migration strategy.
  *   SPWG
     *   The CNA Rules update is getting close to being released from the SPWG 
for broader review. Proposing a two-phase review, one for CNAs and the other 
for working groups. The Board will then have a couple weeks for review; Board 
vote is targeted for March.
  *   TWG
     *   Working with QWG and AWG on a schema migration strategy.
     *   A survey about the November 15 virtual workshop will be sent out by 
the Secretariat.
Organizational Motivation/Intent - Does it matter when considering a CNA 
prospect?

  *   To become a CNA, some conditions must be met, e.g., agree to follow 
program rules, demonstrate competency in vulnerability determination, have a 
scope and stay in scope, disclose all vulnerabilities found in your scope. 
Currently, a prospective CNA is not required to explain their motivation to 
become a CNA.
  *   Board members discussed whether the program should reconsider the CNA 
requirements in order to gain a better understanding of a prospect's motivation 
or intent.
  *   Next steps: Further discussion will be held off-line with interested 
Board members. The Secretariat will conduct a poll to identify interested 
parties and a meeting time (action item).
Disputed/Rejected Records: Root/CNA Perspective

  *   In a recent case, after a record had been published, both the product 
vendor and the original requestor of the CVE ID agreed that it was not a 
vulnerability, and they wanted the record rejected. Because both agreed, the 
program rejected the record.
  *   The MITRE CNA of Last Resort's process is, generally, to not reject a 
record. Instead, the record is tagged as disputed and the reasoning for that 
decision is added. Downstream consumers can then decide for themselves whether 
they think it is a vulnerability.
Open Discussion
Out of time.
Review of Action Items
Out of time.
Next CVE Board Meetings

*       Wednesday, December 13, 2023, 2:00pm - 4:00pm (EST)

*       Wednesday, January 10, 2024, 9:00am - 11:00am (EST)

*       Wednesday, January 24, 2024, 2:00pm - 4:00pm (EST)

*       Wednesday, February 7, 2024, 9:00am - 11:00am (EST)

*       Wednesday, February 21, 2024, 2:00pm - 4:00pm (EST)

*       Wednesday, March 6, 2024, 9:00am - 11:00am (EST)
Discussion Topics for Future Meetings

*       Sneak peek/review of annual report template SPWG is working on

*       Bulk download response from community about Reserved IDs

*       CVE Services updates and website transition progress (as needed)

*       Working Group updates (every other meeting)

*       Council of Roots update (every other meeting)

*       Researcher Working Group proposal for Board review

*       Vision Paper and Annual Report

*       Secretariat review of all CNA scope statements

*       Proposed vote to allow CNAs to assign for insecure default 
configurations

*       CVE Communications Strategy
