CVE Board Meeting Notes
July 24, 2024 (9:00 am - 11:00 am EDT)

Agenda
* Introduction
* Topics
  * CNA Requirements according to the CNA Rules: Advisories with a login
  * Council of Roots (authority, dispute policy)
* Open Discussion
* Review of Action Items
* Closing Remarks

New Action Items from Today's Meeting
* Make 4.5.2.4 in the rules "should not" in the second clause, before the August 8th release of the requirements. (Responsible Party: Secretariat)
* Review the CVE Record Dispute Policy and other policies and submit them to the Board for approval. (Responsible Party: SPWG)
* Draft roles and responsibilities for the Council of Roots and bring them back to the CVE Board for discussion. (Responsible Party: SPWG)

CNA Requirements according to the CNA Rules: Advisories with a login
* The rules state the same thing in two different places but with different language (4.5.2.4 and 5.3.3.1): one uses "must not" and the other uses "should not."
* Is this an oversight or is it intentional?
* Someone who attended the SPWG meetings when these rules were written commented that it is intentional that one is "must" and the other is "should."
* "Must" was for public access to the supplier CNA's distribution point for their advisories, and "should" was for a reference within a CVE record. The reason for this is that some CNAs do not have control over the references; they do not write their own advisories, instead linking out to information they believe is publicly accessible.
* For those that have first-order sources, the SPWG thought it was reasonable to require those to be public. But for those CNAs that don't do first-order, the SPWG did not want to restrict their ability to refer to information that the public needs to defend their systems.
* The Board thinks it should say "should not" and that it should be consistent throughout the rules.
* The focus now needs to be on making the rules consistent. Whether it should be "should" or "must" can be discussed later.
* The CNA-LR is different, and we never really say that in the rules, but that seems to be what we're hung up on. The rules need further explanation, but no one has had time to write an intent document behind the rules prior to their effective date of 8 August.
* SNAP VOTE: The CVE Board votes 12 yes to change the language in the second clause of 4.5.2.4 to the following:
  * 4.5.2.4 The distribution point and Vulnerability information MUST be publicly accessible, SHOULD NOT require registration or login, and MUST NOT impose terms of use that restrict general-purpose use of the information or contradict the CVE Program Terms of Use <https://cve.mitre.rip/Legal/TermsOfUse>.

Council of Roots (authority, dispute policy)
* The Council of Roots is not currently an official authorized organization, but we mention it in the glossary and in the CVE Program Policy and Procedure for Disputing a CVE Record, so we have given the Council of Roots some authority.
* The Council of Roots is functioning, but perhaps not "approved" by the Board.
* There is no charter with roles and responsibilities or Board participation for the Council of Roots.
* When created, one of its responsibilities was to deal with cross-domain issues.
* The original intent for the Council of Roots was to focus on how to maintain consistency with the CVE program; to ensure that certain rules did not conflict with how things operated and to identify what might need to be changed; and to hold discussions to create more efficient operations and rules.
* There are two issues to be addressed:
  * The roles and responsibilities of the Council of Roots
  * The CVE Record Dispute Policy and its use of the Council of Roots

Open Discussion
None.

Review of Action Items
None.

Next CVE Board Meetings
* Wednesday, August 7, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, August 21, 2024, 9:00am - 11:00am (EDT)
* Wednesday, September 4, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, September 18, 2024, 9:00am - 11:00am (EDT)
* Wednesday, October 2, 2024, 2:00pm - 4:00pm (EDT)

Discussion Topics for Future Meetings
* End user working group write-up discussion
* Board discussions and voting process
* ADP discussion
* Sneak peek/review of the annual report template the SPWG is working on
* Bulk download response from the community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy