CVE Board Meeting Notes
August 7, 2024 (2:00 pm - 4:00 pm EDT)

Agenda

* Introduction
* Topics
* Working Group Updates
* Review of Action Items
* Closing Remarks

New Action Items from Today's Meeting

| New Action Item | Responsible Party |
|---|---|
| Reach out to QWG member about a statement around the pros and cons of consumer working group and moving forward with it. | QWG Chair |
| Develop a mockup of a page that recognizes organizations for data enrichment and present it to the Board. | TWG |
| Assemble historical Board archives for both private and public Board lists. | Secretariat |

Working Group Updates

Automation Working Group

* Deployed CVE services 2.3.3 as patch/maintenance deployment.
* Deployed the CVE program container, an ADP container initially used to support reference ingest.
* Started deployment on July 31 and will take the next few weeks to fully populate the new container and copy references to all existing records. After initial adjustments, deployment is progressing smoothly.
* Continued to curate the user stories and discussed/decided on four issues that AWG needed to address with the development team. GitHub repository has the record for these discussions.
* Started a new program to have members of the community speak on how they are using CVE automation services and get feedback on what they are doing and how it is working for them.

CNA Organization of Peers

* No report.

Outreach and Communications Working Group

* Releasing blog on Thursday, August 8th about the CNA rules 4.0 becoming official.
* Two blogs published since last update - the first in a series about CVE and AI and one about the CVE Program container.
* Doing some podcast planning on a few different topics - data enrichment, demystifying the CNA onboarding process, and ADP when the time comes.
* Working on updating some of the onboarding videos.
* Inactivated the CNA mentoring program podcast, as the program has been discontinued by COOP.

Quality Working Group

* Discussions about CPE support and how we implement that in CVE Records. The last QWG meeting included a push to create more examples and proposals.
* Currently working on a slide deck that shows some of the problems, some of the CPEs and the way they are being created today by CNAs, and some proposals for how we might fix things going forward. Multiple options discussed, including possibly using the NIST NVD schema.
* Will then be passed to the Board so they can decide how to proceed.

Strategic Planning Working Group

* In early discussions about the roles and responsibilities of ADPs and developing a set of requirements for who would qualify as an ADP.
* Working on a flexible solution to allow the CNAs to be able to assign references to specific documents, so for example the URL is not just a URL but a URL with an attribute.
* Consensus is that the idea would be to allow automation with receiving services. Would need some additions in schema to handle new ways to identify references. Could be used down the road for dead links as well.
* Will require a schema change and will require an API within CVE services that would allow for this to write into the CVE Program container, so that it can be picked up with the normal processing that the Secretariat has going forward.
* This is considered a business requirement. Next steps will be for the QWG to review the proposal and what impact might occur on the schema itself. Then would be submitted to the CVE Services automation team for development.

Tactical Working Group

* Discussions about the webpage and how to render different things.
* Last week, TWG walked through a new version of the website without tabs (internal tabs had represented CNA and ADP content). New version will be released on August 19.

Vulnerability Conference and Events Working Group

* No report.

AI Working Group

* There is a CVE AI Working Group, an extension of what occurred after VulnCon. If you would like to be a part of it and you're not, send the Secretariat a request so you can be added to the calendar invite. This WG meets every two weeks on Monday.
* Intention is to take the approach we took during the deep dive after VulnCon on AI and try to figure out how we can devise some principles that the program will use to guide us.
* Using use cases in a similar method to the ADP review to figure out what is something we could assign a CVE to and what is the boundary between CNAs and organizations and CVEs and data. A lot of the AI issues focus on data, so we need to understand that a bit more before we determine principles.

Review of Action Items

* The Board updated the Action Items list.

Next CVE Board Meetings

* Wednesday, August 21, 2024, 9:00am - 11:00am (EDT)
* Wednesday, September 4, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, September 18, 2024, 9:00am - 11:00am (EDT)
* Wednesday, October 2, 2024, 2:00pm - 4:00pm (EDT)
* Wednesday, October 16, 2024, 9:00am - 11:00am (EDT)

Discussion Topics for Future Meetings

*Bold items are those flagged for discussion need.

* End user working group write-up discussion
* Board discussions and voting process
* ADP discussion
* Sneak peek/review of annual report template SPWG is working on
* Bulk download response from community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
  * Should be an action item not future discussion topic.
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy