CVE Board Meeting Notes

September 4, 2024 (2:00 pm - 4:00 pm EDT)

Agenda

* Introduction
* Topics
  * Working Group Updates
  * Red Hat: CNA-LR for CNAs under their Root
  * 25th Anniversary Report: Media Engagement
* Open Discussion
  * CPE Support
* Review of Action Items
* Closing Remarks

New Action Items from Today's Meeting

| New Action Item | Responsible Party |
|---|---|
| 25th Anniversary: Share media contacts with the Secretariat. | CVE Board |
| CPE Support: Finalize CPE Support solution and bring to the CVE Board for discussion and vote. | QWG |

Topics

Working Group Updates

AI Working Group

* Meets every other week - invite sent to all Board members.
* First blog post published - will be part of a series of blog posts. Working to identify AI guardrails before moving forward with additional blog posts.

Automation Working Group

* Completed the deployment of CVE Program Container, which is the last major component of the ADP rollout for the summer.
* Search capability rollout - looking to release beta version for community review in October.
* User registry - Starting to pull together user registry user stories and have the framework up for review.

CNA Organization of Peers

* No report

Outreach and Communications Working Group

* Promoted the CNA Operational Rules, version 4, coming fully into effect.
* Recorded a podcast episode about onboarding myths vs. facts at the program level. Will publish around the middle of September.
* Updating some of the videos - Finished slides for Intro video and are waiting on approval and working on revising a script for the Becoming a CNA video.
* Plan to support the 25th anniversary media engagement.

Quality Working Group

* QWG is now meeting every week on Thursdays at 4:00 p.m. for a work surge.
* Starting to focus more on data quality - what does quality mean? How is the CVE program defining quality - data completeness, data accuracy, etc.? Are there things we should be working on to improve data quality?
* Defining CVE consumers and understanding them and their needs better.
* No objections on the QWG spending some time on data quality, as opposed to focusing solely on record formats and adjustments.
* Will ensure that CPE work does not fall to the wayside - Plan for the next QWG meeting is to arrive at some consensus and bring to the CVE Board for a vote.

Strategic Planning Working Group

* Identifying what the process and requirements will be to add future ADPs. What are the kinds of things we would want potential ADPs to demonstrate that they would bring to the Program and provide value should they be made an ADP?

Tactical Working Group

* CVE.org website and different ways to display ADP data for CVE Records.
* Transition of CVE Record search from the legacy site to cve.org.
* Also discussing whether to retire the legacy website once the new search functionality is up and running.
* CNA Enrichment Recognition List - a means to recognize those regularly adding key additional data fields to CVE Records they publish.
  * Will be published every other week (as part of the website update) in the Programs Metrics section.

Vulnerability Conference and Events Working Group

* VulCon 2025 - jointly hosted by FIRST.org and CVE.
  * VulCon 2025 webpage and sponsorship pages are both published.
  * First week of April - location scheduled.
  * Save the date will go out in September. Call for Papers will go out in October.
* CNA Fall Workshop - to be held virtually
  * Tentative date is October 22nd.
  * Potential topics were discussed at last CVE Board meeting.

Red Hat: CNA-LR for CNAs under their Root

* The MITRE Top-Level Root has been working with Red Hat on standing up a CNA-LR under Red Hat's Root with the scope of CNAs within their Root's hierarchy.
* As the CVE Program continues its federated growth, additional CNA-LRs may be stood up under other Roots.

25th Anniversary Report: Media Engagement

* Ad hoc group is working on initial draft for 25th anniversary product report.
  * Significant milestones within the history of the program.
  * Where the program has seen growth and success in federation, etc.
  * Current state of the program and the road ahead with some of the challenges and opportunities to continue to grow the program.
* Comments:
  * Could we add something to the report draft about the durability of the CVE Program - what are the qualities of CVE that make this program durable?
  * Could we make the celebration year-long, call it "The Year of the CNA," and celebrate CNAs as the drivers of the CVE Program?

Open Discussion

* CPE Support in CVE Record Format
  * QWG plans to finalize a proposed approach at their meeting on September 5th and then bring to the CVE Board. The Board is currently leaning toward "CPE Match," which was also positively received by QWG.

Review of Action Items

None.

Next CVE Board Meetings

* Wednesday, September 18, 2024, 9:00am - 11:00am (EDT)
* Wednesday, October 2, 2024, 2:00pm - 4:00pm (EDT) - Working Group Updates
* Wednesday, October 16, 2024, 9:00am - 11:00am (EDT)
* Wednesday, October 30, 2024, 2:00pm - 4:00pm (EDT) - Working Group Updates
* Wednesday, November 13, 2024, 9:00am - 11:00am (EDT)

Discussion Topics for Future Meetings

*Bold items are those flagged for discussion need.

* End user working group write-up discussion
* Board discussions and voting process
* ADP discussion
* Sneak peek/review of annual report template SPWG is working on
* Bulk download response from community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
  * Should be an action item not future discussion topic.
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy