CVE Board Meeting Notes
March 6, 2024 (9:00 am – 11:00 am EST)
Agenda
· Introduction
· Topics
* Generic Organization Liaison Pilot (e.g., NIST/NVD)
* Rules Status Update
* CVE Birthday Paper and Annual Report Status Update
* End User Working Group
* NotCVE
* Notifications of New CNA Applicants
· Open Discussion
· Review of Action Items
· Closing Remarks
New Action Items from Today’s Meeting
Action Item # | New Action Item | Responsible Party | Due
 | Invite two members of AWG to a QWG meeting to present/discuss their proposal for an end user working group | QWG Co-Chair | 
Generic Organization Liaison Pilot (e.g., NIST/NVD)
* The write-up describing this possible new Board position is almost
complete. It will be wrapped up today and sent to the Board list for review
and discussion.
* The position write-up will be reviewed, and a vote will be held on the list
on whether to approve the new Board position.
Rules Status Update
* The CNA review period is over and most of the comments have been
adjudicated. A few remain; they will be addressed at the SPWG meeting today. A
new version of the document will then be distributed (also today) for a two
week public review period. After adjudication of these comments, a new version
will be provided to the Board for review.
* Board members were asked not to wait until their review period to start
looking at the document. Look at it now; we want to catch any major issues
sooner rather than later.
* The SPWG is also putting in place a process that will make it much easier
for people to suggest minor changes.
* A Board member mentioned that her team has identified a number of items
that may be of concern to the Board and Secretariat, but not to CNAs. How should
these be addressed? It was agreed that the member will write up the concerns
and share them with the SPWG. Since the public review will start today, her
team’s concerns will be adjudicated along with the public comments. Attending
today’s SPWG meeting and the public comment adjudication sessions was also suggested.
CVE Birthday Paper and Annual Report Status
* Progress has been made. Expect it to be ready this time next week.
* A current version will be sent to a member of the Board to help with the
formatting.
End User Working Group
* At a recent AWG meeting, two members raised the topic of creating an end
user working group. They expressed an interest in leading the group and
volunteered to write up a description of what the group would do.
* There was agreement that the current write up should be shared with the
QWG as a starting point. The two AWG members will be invited to a QWG meeting
to start the discussion about next steps (action).
* The program can spin up a Slack channel specifically for end users in the
near term.
* The program would still like to consider a new end user working group, and
the topic of an end user/consumer working group will be brought up in a couple
of sessions during VulnCon.
NotCVE
* Several months ago, an outfit out of Spain made assertions about the CVE
Program that are untrue. Last week, the Secretariat met with a representative
from the outfit to get an understanding of their concerns/assertions.
* The organization identified three vulnerabilities that were not given
IDs, but they were unaware that the program has a dispute/escalation process.
They could have taken the vulnerabilities to the CNA-LR to get another
decision. They had also been referencing only the current rules. Links to the
dispute escalation process were provided (as well as links to the draft
proposed program rules).
* After checking the details of the three vulnerabilities, all three are valid
and should be added to the program corpus.
* The program encouraged the individual from NotCVE to consider
participating in working groups to get a better understanding of how CVE works.
* A member commented that the program should translate the CNA rules into
other languages to promote better understanding globally. Two Roots, INCIBE and
JPCERT/CC, are good candidates to ask about their willingness to do that.
Notifications of New CNA Applicants
* At a previous meeting, the Board asked to be notified about CNA prospects
so they can catch any that may be a bad fit for the program.
* It was agreed to use the completed online application form as the prompt
to notify the Board about the prospect. The Secretariat has created an
automated email notification approach (using Monday.com) that can send Board
members a prospect’s organization name, scope, and disclosure policy. This
would result in members receiving one or two emails every couple of days.
* There was discussion about building a weekly report, so members don’t
receive so much email. Discussion will be continued offline, internally and
with Monday.com, to see how easy it is to generate a weekly report.
Open Discussion
* CSV Format Deprecation
   * A board member commented that he had heard that the program is
   considering not deprecating the CSV format at the request of two government
   customers. The member wants the program to reconsider that decision. It’s a
   second-class format that cannot include all the data in a record. Deprecating
   CSV has also been in the program’s plans for a long time.
   * Recently, the two consumers reached out to the program and said they
   will have trouble ingesting JSON format for a variety of reasons and requested
   continuation of CSV.
   * Continuing to provide CSV format is possible, but comes with
   maintenance/support costs.
   * There are tools available that can help them convert from JSON to CSV.
   It is also relatively easy to develop your own tooling to do the conversion.
   * Two meetings have been set up with the consumers to find out more
   details about why they cannot ingest JSON, why they cannot use any of the
   available converters, etc. Results of the meetings will be shared at the next
   Board meeting.
* Post VulnCon
   * The Secretariat has arranged for a facilitator to guide the AI
   discussion at the program meetings scheduled for Thursday and Friday after
   VulnCon.
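As an added example (not CVE Program tooling) of the JSON-to-CSV conversion discussed under CSV Format Deprecation above: a small Python converter that flattens records in the CVE JSON 5 shape into one CSV row each. The sample record, its ID and the column set are constructed for this example; the flattening step is where a CSV export loses what the record carries (non-English descriptions, unaffected version entries and nested structure are collapsed or dropped).

```python
import csv
import io
import json

# Constructed sample in the CVE JSON 5 shape; the ID and all values are made up, not a real record.
SAMPLE_RECORD = json.dumps({
    "cveMetadata": {"cveId": "CVE-0000-00001", "state": "PUBLISHED"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "Example overflow in a parser."},
                         {"lang": "es", "value": "Desbordamiento de ejemplo."}],
        "affected": [
            {"vendor": "ExampleVendor", "product": "Widget",
             "versions": [{"version": "1.0", "status": "affected"},
                          {"version": "1.1", "status": "unaffected"}]},
            {"vendor": "ExampleVendor", "product": "Gadget",
             "versions": [{"version": "2.0", "status": "affected"}]}],
        "references": [{"url": "https://example.invalid/advisory/1"},
                       {"url": "https://example.invalid/patch/1"}],
    }},
})

# Column set chosen for this example; any CSV export has to commit to one flat shape like this.
CSV_COLUMNS = ["Name", "Status", "Description", "Affected", "References"]

def flatten_record(record: dict) -> dict:
    """Reduce a nested record to one row. This is the lossy step: only the first English
    description survives, unaffected version entries are dropped, and lists are joined."""
    cna = record["containers"]["cna"]
    english = [d["value"] for d in cna["descriptions"] if d.get("lang", "").startswith("en")]
    affected = []
    for entry in cna.get("affected", []):
        hit = [v["version"] for v in entry.get("versions", []) if v.get("status") == "affected"]
        affected.append(f"{entry.get('vendor', '')}:{entry.get('product', '')}:{','.join(hit)}")
    return {
        "Name": record["cveMetadata"]["cveId"],
        "Status": record["cveMetadata"].get("state", ""),
        "Description": english[0] if english else "",
        "Affected": " | ".join(affected),
        "References": " | ".join(r["url"] for r in cna.get("references", [])),
    }

def records_to_csv(json_records: list) -> str:
    """One CSV row per JSON record text; DictWriter quotes commas and newlines in descriptions."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for raw in json_records:
        writer.writerow(flatten_record(json.loads(raw)))
    return buf.getvalue()
```

Running `records_to_csv([SAMPLE_RECORD])` yields a header plus one row in which the Spanish description and the unaffected 1.1 entry no longer appear, which is the kind of loss the notes describe.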
Review of Action Items
Out of time.
Next CVE Board Meetings
· Wednesday, March 20, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, April 3, 2024, 9:00am – 11:00am (EDT)
· Wednesday, April 17, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, May 1, 2024, 9:00am – 11:00am (EDT)
· Wednesday, May 15, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, May 29, 2024, 9:00am – 11:00am (EDT)
Discussion Topics for Future Meetings
· End user working group write-up discussion
· Board discussions and voting process
· ADP discussion
· Sneak peek/review of annual report template SPWG is working on
· Bulk download response from community about Reserved IDs
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting)
· Council of Roots update (every other meeting)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default
configurations
· CVE Communications Strategy