CVE Board Meeting Notes
March 20, 2024 (2:00 pm - 4:00 pm EST)

Agenda
* Introduction
* Topics
  * Working Group Updates
  * Downloads and CSV Format
  * Organization Liaison Pilot: Status update
  * Vote on potential Board member
* Open Discussion
* Review of Action Items
* Closing Remarks

New Action Items from Today's Meeting

| New Action Item | Responsible Party |
| --- | --- |
| Add tools to CVE Services page on cve.org (e.g., cvelint) | Secretariat |
| Connect CVE Board with DISA Risk Management Director | QWG Co-Chair |
| Send email to DoD regarding CSV deprecation and tooling needed | Board Member |
| Draft vote description (regarding potential Board member) and initiate vote | Secretariat |

Working Group Updates (WG Chairs)

* AWG
  * Deployed CVE Services 2.2.1 (minor patch).
  * CVE Services 2.3.0 was deployed into the test environment and is available to the community; it includes the CVE Record Format update (schema version 5.1), which supports CVSS 4.0.
  * Anticipate 30 days of testing before moving to production.
  * AWG minutes are now available on the GitHub site <https://github.com/CVEProject/automation-working-group/tree/master/meeting-notes>.
* CNACWG
  * Discussions during meetings included sharing information on the test rollout of the new schema.
  * Reviewed expected changes to CVE Rules and encouraged CNAs to comment.
  * New CNAs are attending meetings, participating, and asking questions.
* OCWG
  * Published five blogs in the past month.
  * Ongoing messaging on VulnCon event.
  * Promotion of CVE Rules for public review and comment.
  * Announced start of phase three of legacy downloads deprecation (now files are only updated monthly).
* QWG
  * Discussions about CVE Record Format 5.1.0
    * CVSS score validation issue #1204 will be addressed in the schema (Note: A patch in CVE Services addresses this in the backend now)
  * Will be discussing CVE Record Format 5.2.0 soon
  * For the updated CSV effort:
    * Will work with AWG on prioritizing fields to include
    * Exploring conversion tools, e.g., JQ
  * Working on planning future schema updates and drafting a process
* SPWG
  * Rule development continues with adjudication of public comments
  * Feedback has been helpful, but less than hoped for
  * Rules are on track per the schedule
  * Board member commented that, during implementation, the grace period should be the full 90 days
* VCEWG
  * VulnCon has so far registered 365 for in-person and 226 for virtual attendance
  * Within a few weeks following the event, the session videos will be available
  * Board member commented that, during VulnCon, it is important to point out that the data NVD adds can be added earlier in the process directly in the CVE Record by the CNA
  * CVE will have a service desk for technical support during VulnCon
* TWG
  * CSV file format discussion
    * QWG to work on identifying conversion tool and fields supported
  * CVE Record Format schema transition planning review
  * Comments from Board members
    * We may need a Board vote on CSV format question
    * Should focus on modernizing, not old formats
    * CVE.org site should list tools the CVE Program considers potentially useful (ACTION)
    * The program should give major agencies (i.e., DoD) a heads up on file format deprecation and need for tooling
  * ACTIONS:
    * QWG Co-Chair will connect Board with DISA Risk Management Director
    * Board member volunteered to send email to DoD regarding CSV deprecation and tooling need
* Vote on Potential Board Member
  * The Board has not achieved consensus on what to do with the idea of an Organization Liaison position
  * Consensus that the Board should conduct vote on potential Board member:
    * Secretariat will draft the vote description and instructions and the vote will be initiated
    * Board member volunteered to contact potential Board member with an update and note that vote will take place, but position details are still in debate

Open Discussion

None, out of time

Review of Action Items

Out of time.

Next CVE Board Meetings

* Wednesday, April 3, 2024, 9:00am - 11:00am (EDT)
* Wednesday, April 17, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, May 1, 2024, 9:00am - 11:00am (EDT)
* Wednesday, May 15, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, May 29, 2024, 9:00am - 11:00am (EDT)
* Wednesday, June 12, 2024, 2:00pm - 4:00pm (EDT)

Discussion Topics for Future Meetings

* End user working group write-up discussion
* Board discussions and voting process
* ADP discussion
* Sneak peek/review of annual report template SPWG is working on
* Bulk download response from community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy