CVE Board Meeting Notes

October 16, 2024 (9:00 am – 11:00 am EDT)

Agenda

* Introduction
* Topics
  * Mark Cox resignation: Emeritus Status
  * 25th Anniversary: Status Update
  * CPE: Next Steps
  * CNA Workshop Status Update
  * CVE Board Meeting October 30 (Same day as workshop)
* Open Discussion
  * NIST Organizational Liaison Update
  * Internet Archive – CVE Program Reference Archives
  * AI in the CVE Program
  * Consumer Data Working Group
  * VulnCon
* Review of Action Items
* Closing Remarks

New Action Items from Today’s Meeting

| New Action Item | Responsible Party |
| --- | --- |
| Update website to recognize Mark Cox with Emeritus Status. | Secretariat |
| 25th Anniversary: Send out report draft to Board members for review. | Secretariat |
| 25th Anniversary: Send out social media copy from MITRE comms team to the Board. | Secretariat |
| Reference Archive: Identify archival requirements for references. | AWG |
| Consumer Use & Data: Start process to develop data survey, including bringing in some MITRE support. | Secretariat |
| Consumer Use & Data: Draft language to propose an informal group to discuss consumers and data. | Secretariat |
| VulnCon: Start discussing presentations and participation at VulnCon 2025. | CVE Board |

Topics

Mark Cox resignation: Emeritus Status

* All Board members on the call agreed (via snap vote) that Mark Cox should have Emeritus status following his resignation from the Board.
* ACTION: The website will be updated in the release cycle to recognize Mark with Emeritus status.

25th Anniversary: Status Update

* The planned date for delivery and release of the 25th anniversary report is Tuesday, October 22.
* The report team met on October 15 and suggested one additional page in the report, which is being worked on now. The report content is otherwise frozen against any further change.
* ACTION: Secretariat will send out 25th anniversary report draft to Board members for review following this meeting.
* The report will be posted on the website and will be linked in a number of places, including in the press release. Also looking into incorporating it into the history section of the website.
* Will be rebranding the website for the 25th anniversary for the next year, including updated logo.
* Planning follow-up amplification messages as well as editorial and other journal engagements. MITRE comms team working on social media copy for the report and 25th anniversary.
* ACTION: Secretariat will send out social media copy when available to the Board.
* A video to support the 25th anniversary will be developed as well as 25th anniversary swag for events.

CPE: Next Steps

* Board vote passed on CPE solution 5. We are now moving forward with the CPE support implementation as discussed.
* QWG created an example of the CPE in one of the examples in the CPE schema GitHub repo. Once it is finalized, will send to AWG Chair to start implementation on the AWG side.
* It will take 4 weeks to get it into deployment – 2 weeks for development and 2 weeks to put it in the testing environment for the community.

CNA Workshop Status Update

* Reminder sent to CNAs on Tuesday, October 15, reminding them to register for the workshop. Registration closes on October 22. Once registration is closed, the Secretariat will send out the Zoom link.
* As of October 16, 169 people have registered.
* Presenters should complete their slides by this Friday, October 18. There is a CVE Program slide template available.

CVE Board Meeting October 30 (same day as workshop)

* Keep scheduled 2-4pm meeting on October 30 as a workshop hot wash.
* Next working group update will be at the November meeting.

Open Discussion

* Internet Archive – CVE Program Reference Archives
  * The recent Internet Archive outage highlights the program’s dependence on a free and shaky service that is now facing technical and legal threats.
  * The recent Internet Archive outage likely affected the program, which likely missed archiving references. The website is currently back online, but it is read-only, so no submissions can be made.
  * Additional issues with the Internet Archive include copyright issues, as well as the domain issue, which is a problem with regard to the malicious use of references.
  * Currently, the CVE Program has no automated mechanism to archive references. There is also no way to point to an archived reference, prefer an archived reference, or keep up with an archived reference when it changes.
  * ACTION: AWG will start pulling together archival requirements for references.
  * Before we build something, we need to consider the legal aspects. There are business requirements that need to be addressed first.
* Is the CVE team pursuing any use of AI technology within the CVE Program?
  * The CVE Program currently has no plans to use AI for any operational actions.
* CVE Data Consumer Working Group
  * There is a widely held opinion that the CVE Program could better understand its downstream users' needs and keep those in mind as it continues its mission, including modernization and activities. There is currently an effort in QWG to pull together information on the CVE user personas and figure out how to label our consumers and identify how they use data.
  * It could be very valuable to set up a specific initiative around downstream users.
  * This is something the whole ecosystem needs to work toward. There are people who use CVE information but are not engaged in our active working groups and we want to bring them into the fold, whether through a working group or the data.
  * Consider developing a document with the main principles for CVE, why CVE exists, and why we think it is valuable.
    * We have this information scattered throughout the old and new websites as well as some documents, but we do not have one concise document that talks about the guiding principles.
  * Need to gather information – consider a data call survey sent out to the whole community of CVE users – and then determine next steps, whether it is a working group or something else, based on the data received.
  * ACTION: Start process to develop data survey, including bringing in some MITRE support.
  * Need to get survey approved by CVE Board before it gets sent out to consumers.
  * Consider presenting on the survey at VulnCon.
  * ACTION: Draft language to propose an informal group to discuss consumers and data.
* VulnCon and CVE Program presentations
  * The Board should start thinking about what the CVE Program wants to present at VulnCon.
  * CVE Program has the opportunity to bring the community together and help set a direction.

Review of Action Items

None.

Next CVE Board Meetings

* Wednesday, October 30, 2024, 2:00pm – 4:00pm (EDT) – Working Group Updates (if time allows)
* Wednesday, November 13, 2024, 9:00am – 11:00am (EST)
* Wednesday, December 11, 2024, 2:00pm – 4:00pm (EST) – Working Group Updates
* Wednesday, January 8, 2025, 9:00am – 11:00am (EST)
* Wednesday, January 22, 2025, 2:00pm – 4:00pm (EST)

Discussion Topics for Future Meetings

* End user working group write-up discussion
* Board discussions and voting process
* ADP discussion
* Sneak peek/review of annual report template SPWG is working on
* Bulk download response from community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
  * Should be an action item, not a future discussion topic.
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy