CVE Board Meeting Notes

February 21, 2024 (2:00 pm - 4:00 pm EST)

Agenda
* Introduction
* Topics
* Working Group Updates
* Open Discussion
* Review of Action Items
* Closing Remarks

New Action Items from Today's Meeting

| New Action Item | Responsible Party | Due |
| --- | --- | --- |
| None to report | | |

Working Group Updates

* AWG
  * CVE Services 2.2.0 was released in early January. Version 2.2.1 patch to be released this week. There is a backlog of issues AWG is working through.
  * The current big rock is CVE Record format version 5.1. Our target is to release it into the test environment in the middle of March. At that time, the CNA community can begin building their frameworks and tooling.
  * Website search capability prototype is targeted for release to testing for community review later in the Spring. The ADP production infrastructure will be part of that release.
* CNACWG
  * Welcome, MegaZone, as the new CNA Board Liaison, and thank you to MegaZone for participating in multiple working groups.
  * At the end of January, CISA attended a CNACWG meeting and did an excellent job of explaining their approach to recruiting CNAs.
* OCWG
  * Have been planning communications around upcoming milestones like VulnCon, legacy downloads, deprecation, rules update, 25th anniversary.
  * In 2024, we want to improve communication with downstream consumers, and our international communications reach (e.g., podcasts in languages other than English).
  * Have published eight blogs this year about legacy download format deprecation, VulnCon, new Board members, and clarification of the disputed tag in CVE Records.
  * This Friday, another CVE 101-style podcast about new definitions of CVE records, states, and tags will be recorded.
* QWG
  * Have been discussing CVE Record format 5.1.0 schema and the release plan. The target for release to the test environment is mid-March.
  * In the next couple of meetings, we will probably start looking at the plan for CVE Record format 5.2.0 schema, which will include some identified quality improvements.
  * Going forward, we really need to start working on a better plan for how we deal with record format updates, and ensure minimal burden on downstream consumers.
  * It is not clear when you go to the current CVE schema in GitHub, what the current version is, where you get it, and what files to use because there are multiple schema files.
* SPWG
  * Working on the rules update. After that, will re-engage with some other documents, e.g., end-of-life (EOL) processes.
* VCEWG
  * The VulnCon agenda should be set for Monday. The AI topic made it in.
  * We have 118 in-person registrations, 55 virtual. Registration is still open.
  * Working with CNACWG about how we take care of either a Slack or Discord set of channels for conversations.
  * Working on ironing out the problem of recording all three sessions concurrently; might need some help from others running some computers.

Open Discussion

* AI Discussion after VulnCon
  * We have an opportunity on the Thursday following VulnCon to spend a full day with some AI people to begin to establish our guardrails for AI-related assignment and publication. They are coming to the table with a strawman to work from.
  * The conference room is large (20-25 people), and we should be able to include a virtual attendance option.

Review of Action Items

* Out of time.

Next CVE Board Meetings

* Wednesday, March 6, 2024, 9:00am - 11:00am (EST)
* Wednesday, March 20, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, April 3, 2024, 9:00am - 11:00am (EDT)
* Wednesday, April 17, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, May 1, 2024, 9:00am - 11:00am (EDT)
* Wednesday, May 15, 2024, 2:00pm - 4:00pm (EDT)

Discussion Topics for Future Meetings

* Organization Board Liaison strawman discussion
* End user working group write-up discussion
* Board discussions and voting process
* ADP discussion
* Sneak peek/review of annual report template SPWG is working on
* Bulk download response from community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy