CVE Board Meeting Notes
October 2, 2024 (2:00 pm - 4:00 pm EDT)

Agenda
* Introduction
* Topics
  * Working Group Updates
  * CVE AI WG: Charter/Chair
  * Organizational Liaison Update
  * Voting Mechanics: Considering Anonymous Voting
  * 25th Anniversary: Status, Update, Logo, etc.
  * CPE Vote
  * Cancelling November 27/December 25 Board Meetings
  * CNA Workshop Status Update
* Review of Action Items
* Closing Remarks

New Action Items from Today's Meeting

| New Action Item | Responsible Party |
| --- | --- |
| CVE AI WG: Send out call for co-chair | Secretariat |
| 25th Anniversary: Send organizations' PR contacts to the Secretariat. | CVE Board Members |
| CPE Support: Vote on proposed CPE Support solution, NIST NVD Schema, starting Monday, October 7. | CVE Board Members |

Topics

Working Group Updates (WG Chairs)

Automation Working Group
* Corrections have been completed to most CVE Records with missing or incorrect dates. Remaining updates are being worked.
* User Registry is the next major effort and discussion continues regarding requirements, security, roles, etc.
* Preparing for the test release of the search capability, scheduled for middle of October.

CNA Organization or Peers
* No update.

Outreach and Communications Working Group
* Published three blogs - two about the CNA Enrichment Program List and one was the Save the Date for VulCon 2025.
* Completed podcast on CNA onboarding - myths vs. facts.
* YouTube channel has surpassed 100,000 views over channel lifetime.
* Ad-hoc OCWG meeting Friday, October 4th to meet with Board and TWG members working on the 25th Anniversary communication plan.

Quality Working Group
* QWG currently meeting every week and posting meeting minutes in groups.io.
* QWG discussions need to step back from schemas and updates and focus on data quality.
* Reviewing older Milestone 5.2.0 issues in GitHub, closing out a few that have already been implemented.

Potential topics for future Board discussion:
* How to deal with rejected records and the data within those records.
* Disputed reasons and data around disputed records.
* Discussions on how to recognize CVE consumers and other downstream users, and whether it will require its own working group. Started a CVE User Personas document.
* Board Comments:
  * Had discussed an end user/consumer type of working group earlier this year.
    The conversation stopped at the point when someone was going to write up a proposal for it and present it to the Board. Was a proposal ever written and is a proposal required for the Board? Or should the Board move forward with creation of a unique consumer working group?
  * Should have a scope worked out before establishing a new working group. What will the purpose of this working group be?

Strategic Planning Working Group
* Making progress on ADP definitions and responsibilities. Put together a slide deck and are currently converting it into a narrative document. The completed document will be discussed within the SPWG, approved, and brought to the Board within the next few weeks.
* Reviewing CVE Records Dispute Policy and determining needed changes/updates for accuracy.

Tactical Working Group
* Established recurring website updates in TWG every other week.
* Discussing 25th Anniversary planning and the anniversary report.

Vulnerability Conference and Events Working Group
* Continuing planning of VulCon, including sponsorships and getting ready to put out the call for papers.

CVE AI WG: Charter/Chair
* As requested by the Board to make CVE AI WG an official group, drafted a charter and provided to CVE Board.
* If any Board members have questions or concerns about the charter, please let AI WG know, otherwise will be accepted as is.
* Plan on putting charter up Tuesday, October 8, as part of the Tuesday website update.
* Board Comment:
  * As the Board, do we mind that this new working group is using the acronym convention "CVEAI" as opposed to ending in "WG" like nearly all of our other groups do? Do we need to keep WG acronyms consistent?

Voting Mechanics: Considering Anonymous Voting
* It was proposed that a procedure be presented to allow for anonymous voting by Board members.
* Board Comments:
  * Board members would like further discussion on what initiated the need for voting anonymously. Many members have concerns about anonymous voting.
  * No major concern brought up about anonymous voting but was part of previous Secretariat CVE Board agenda topics.
  * Board consensus is that anonymous voting should not be allowed and that this should be made part of the voting mechanics (specifically in any vote initiation emails). Charter does state that Board voting must be done on the private Board emailing list.

25th Anniversary: Status, Update, Logo, etc.
* 25th Anniversary report serving as an annual product review as well as telling the story of the CVE Program from its inception to the modernization efforts of recent years. Also looks ahead to future of the program.
* Tentative report release on website is October 22.
* Updated logo including 25 - stickers and other swag to hand out.
* Recommendations: For 10 and 20 years, handed out challenge coins.
* Website updates - Plan to add the updated 25th Anniversary Program logo.
* MITRE corporate comms is going to help draft social media copy based off the CVE Program press release.
* ACTION: Board members put Secretariat in contact with organizations' PR.

CPE Vote
* Improving CPE Support in CVE Records - information sent out by Secretariat to the CVE Board on Tuesday, October 1.
* Summarized the meeting with NIST on CPE Support and program's proposed solution.
* Includes draft language for the new CPE Support Board vote, which will start on Monday, October 7th. It is the same language with some additional context identified as needed from the original vote.
* Board members do not appear to have any concerns about the new Board vote on CPE Support.

Canceling November 27/December 25 Board Meetings
* Canceling 11/27 and 12/25 meetings.
* ACTION: Move 12/11 meeting to afternoon (2:00pm - 4:00pm EST).

CNA Workshop Status Update
* Sent out save the dates and calendar placeholders.
* Sent out registration link and have approximately eighty attendees so far.
* The meeting invite will be sent to attendees in next few weeks.
* MITRE infrastructure/events team recommended using Zoom Webinar instead of MS Teams for the Workshop. They will provide support during the event.

Review of Action Items
None.

Next CVE Board Meetings
* Wednesday, October 16, 2024, 9:00am - 11:00am (EDT)
* Wednesday, October 30, 2024, 2:00pm - 4:00pm (EDT) - Working Group Updates
* Wednesday, November 13, 2024, 9:00am - 11:00am (EST)
* Wednesday, December 11, 2024, 2:00pm - 4:00pm (EST) - Working Group Updates

Discussion Topics for Future Meetings
* End user working group write-up discussion
* Board discussions and voting process
* ADP discussion
* Sneak peek/review of annual report template SPWG is working on
* Bulk download response from community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
  * Should be an action item not future discussion topic.
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy