CVE Board Meeting Notes
April 17, 2024 (2:00 pm – 4:00 pm EDT)

Agenda
· Introduction
· Topics
  * AI: Next Steps for CVE Program
  * NVD Lull: CVE Program Game Plan
  * ADP Discussion
  * CNA Rules Vote
  * WG Updates
· Open Discussion
· Review of Action Items
· Closing Remarks

New Action Items from Today’s Meeting

* Send email to Board re. Rules review period and voting. (Responsible Party: Secretariat)
* Draft blog from Board re. CVE program position on AI. (Responsible Party: CNACWG Chair)
* Produce metrics on additional data added by all CNAs. (Responsible Party: Secretariat)

AI: Next Steps for CVE Program

* The VulnCon after action review with the Board was held the Thursday following the conference at a Microsoft facility in Raleigh, NC.
* The remainder of the day was focused on AI with a workshop and discussion by the Board.
* The participants reviewed examples of AI “vulnerabilities” and worked together to categorize them and determine whether they rose to the level of being a CVE. The proposed CNA operational rules were applied, which was helpful for this effort.
* After the exercise, participants concluded that there is no reason that we cannot assign CVE IDs to vulnerabilities found in large language models.
* The AI workshop recording will be made available to Board members.
* CNACWG Chair offered to draft a blog post about what the CVE program considers in-scope or out-of-scope for AI CVEs (OCWG Co-Chair offered to help edit).

NVD Lull: CVE Program Game Plan

* Some CNAs already add some of the fields (CVSS, CWE, CPE) that the NVD was providing. The Secretariat began reaching out to high-volume CNAs (over the prior 12 months, with a focus on vendors) to ask about adding additional data fields to their CVE Records. We emphasized the value to consumers of early data in the vulnerability lifecycle.
* Initial responses varied – ranging from “we already add that” to “we don’t plan to add any.” Some responded that they could add additional data and that they’d appreciate additional guidance or references.
* Board member comments:
  * The program needs to emphasize the benefit to the CNA of controlling the message, and that the market will evaluate whether the vendor provides quality data.
  * It was noted that other CNAs should have been included in the initial outreach and that the Secretariat should generate metrics showing the data provided by all CNAs.
* The Secretariat will be reaching out to the full CNA community, sending out guidance, examples, and encouragement for CNAs to add additional data to CVEs.
* Does MITRE add these additional data fields?
  * The program is looking at being able to do that (e.g., if a researcher submits a CVE request with the data, the MITRE CNA-LR would like to be able to include it).

ADP Discussion

* Question for the Board – is it the right time to move ahead with ADP? Does the SPWG own management of ADP coordination?
* Board member comments:
  * Yes, it is time, and much progress has been made. Yes, the SPWG should coordinate, and now that the rules are being voted on, we can finalize the ADP documentation. Anyone that wants to be an ADP must apply.
  * SPWG Chair offered to draft documentation, but the Board should decide whether the proposed criteria for ADP selection are reasonable.
* Report from Secretariat
  * The ADP infrastructure support is live in CVE Services production. The ADP pilot for CVE references is in testing and is scheduled to go to production by early June.

CNA Rules Vote

* The SPWG has completed its work, and the proposed rules are ready for a Board vote.
* Group consensus that there will be a final review period ending on April 22; the vote on the rules will then begin on April 24.
* The Secretariat will send out the appropriate emails to the Board list.

Working Group Updates

* AWG
  * We are preparing to deploy the new CVE Services to production. This includes the updated CVE Record Format schema (v5.1.0) with support for CVSS 4.0.
  * Integration testing continues; the AWG and TWG will be briefed on progress.
* QWG
  * QWG has been focused on the schema update (v5.1.0), supporting CVSS 4.0.
  * The schema update will be timed to coincide with the update to CVE Services, and the QWG GitHub schema repository will be updated and reorganized to better support users.
  * Regarding the question of CSV format support or guidance, one of the QWG Co-Chairs spoke with DISA and received some feedback. Outreach continues.
  * Some Board members argue that the program should not continue to support legacy formats.
  * QWG may produce guidance to help users who need to convert JSON to CSV.
* CNACWG
  * The WG is changing its name to “COOP”, CNA Organization of Peers, and will update documentation at the next meeting.
* OCWG
  * Published a blog, and a story from CNA Ericsson on why they became a CNA.
  * Produced a podcast (“Meet the 3 New CVE Board Members”) during the VulnCon conference.

Open Discussion

Out of time.

Review of Action Items

Out of time.

Next CVE Board Meetings

· Wednesday, May 1, 2024, 9:00am – 11:00am (EDT)
· Wednesday, May 15, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, May 29, 2024, 9:00am – 11:00am (EDT)
· Wednesday, June 12, 2024, 2:00pm – 4:00pm (EDT)
· Wednesday, June 26, 2024, 9:00am – 11:00am (EDT)
· Wednesday, July 10, 2024, 2:00pm – 4:00pm (EDT)

Discussion Topics for Future Meetings

· End user working group write-up discussion
· Board discussions and voting process
· ADP discussion
· Sneak peek/review of annual report template SPWG is working on
· Bulk download response from community about Reserved IDs
· CVE Services updates and website transition progress (as needed)
· Working Group updates (every other meeting)
· Council of Roots update (every other meeting)
· Researcher Working Group proposal for Board review
· Vision Paper and Annual Report
· Secretariat review of all CNA scope statements
· Proposed vote to allow CNAs to assign for insecure default configurations
· CVE Communications Strategy