CVE Board Meeting Notes
October 30, 2024 (2:00 p.m. - 4:00 p.m. EDT)
Agenda
* Introduction
* Topics
* New CVE Board Member
* CVE Fall Workshop Hot Wash
* Working Group Updates
* Open Discussion
* Review of Action Items
* Closing Remarks
New Action Items from Today’s Meeting
| New Action Item | Responsible Party |
| --- | --- |
| CVE Fall Workshop: Send survey to attendees asking about topics, what they liked, what they didn’t like, etc. | Secretariat |
Topics
New CVE Board Member
* The CVE Board voted to enter into a liaison relationship with NIST.
Subsequently, NIST named Christopher Turner (NIST, NVD) as the Organization
Liaison to the CVE Board.
CVE Fall Workshop Hot Wash
* The workshop was a good use of time and saw significant participation
from those in attendance.
* Four hours each day works well, especially during the workday,
allowing people to complete other tasks.
* Need a good hook for the second day so participants are not
dropping.
* Need to figure out how to get more attendee participation.
* Workshop Discussion of CPE – There were questions about all angles of CPE
support.
* There were people pushing back on CPE and the use of CPE in the CVE
Program, indicating frustration with the use of CPE.
* There are also people that are looking for CPE support within the
CVE Program.
* Looking at CPE as a collaborative effort with NVD.
* CPE is not given the operational attention it needs at any stage of
its lifecycle.
* This is a naming problem that is a much bigger problem than anything
we are discussing within the CVE Program.
* A lot of coordination required.
* This problem will not be solved by one identifier.
* Lessons Learned
* Need to work out timing needs for presentations and panels, as some
people went long.
* Need to put some of the homework on the CNA community to prepare for
the workshop – read-aheads, questions to consider, etc., so that the comments at
the workshop are not reactionary.
* Expected attendees, especially CNAs, to share challenges and
issues, but that did not happen.
* Are there topics we should have included, or did we accomplish our goals
going into the workshop?
* ACTION: Send survey to attendees asking about topics, what they liked,
what they didn’t like, etc.
* Also consider sending surveys occasionally to the CNAs to check in.
* ACTION: Consider linking to the recordings on the website events page.
* If the intent is to record and release, it would be nice to have a
specific TLP Clear statement at the beginning of each workshop day.
* Consider going back to Teams, which is slightly more efficient for
presenters and participants than Zoom.
* Next event the CVE Program has planned is VulnCon.
* Will provide CVE Board with a timeline and need for volunteers.
Working Group Updates
Automation Working Group
* New Schema update should be going into testing in the near future.
CNA Organization or Peers
* No update.
CVE AI Working Group
* Established and approved charter and named a chair.
* Working on a survey for AI community membership to identify issues and
priorities for the WG. Results to be released in December.
Outreach and Communications Working Group
* 25th Anniversary report released. It received a lot of media coverage.
* Continuing to publish blog posts.
* Updating onboarding videos.
* Do we need to update any podcasts? Should also do a podcast on the value
of enrichment.
* WG podcast needs to be updated with new working groups.
* Make sure we scope these topics before following through with podcasts
or videos.
Quality Working Group
* Reviewing labels/tagging for GitHub issues.
* Discussing CVE Record Format release process and developing a document
outlining the process.
* WG members contributed to a CVE User Personas document, which defines the
various CVE end users and personas.
Strategic Planning Working Group
* Working on revising the Dispute Policy document.
Tactical Working Group
* Developed documentation to capture the process of establishing an
organizational liaison to the CVE Board.
* Discussed and helped strategize the communications around the release of
the 25th anniversary report.
* Finalized the agenda and speakers for the CVE Program Fall Technical
Workshop, which was held October 29-30.
* The CVE Program development team provided an update on the cve.org search
capability, which was released on October 17 for community testing.
* The WG members discussed the next steps for CPE implementation following
the board vote on the selected solution. Implementing the selected solution
will include a four-week development effort with the goal of having it in
production by early December.
Vulnerability Conference and Events Working Group
* Continuing to plan for the FIRST/CVE VulnCon that will take place in
Raleigh, NC, April 7-10.
Open Discussion
* One Board member questioned the need for WG updates every other Board
meeting and suggested perhaps just having WG Chairs send out written updates on
a scheduled basis.
* Perhaps discuss with the CVE Board members how working group
updates are provided – continue once-a-month updates in meetings? Or provide
a written summary (keeping in mind they are currently summarized in the board
meetings)?
* A Board member also said that the Board email list should be utilized for
more work/discussion and not only for votes.
* A Board member also said (via meeting chat) that they would prefer it if
the meetings could be cut down to one hour.
* Further discussion needed.
Review of Action Items
None.
Next CVE Board Meetings
* Wednesday, November 13, 2024, 9:00am – 11:00am (EST)
* Wednesday, December 11, 2024, 2:00pm – 4:00pm (EST) - Working Group
Updates
* Wednesday, January 8, 2025, 9:00am – 11:00am (EST)
* Wednesday, January 22, 2025, 2:00pm – 4:00pm (EST) - Working Group Updates
Discussion Topics for Future Meetings
* End user working group write-up discussion
* Board discussions and voting process
* ADP discussion
* Sneak peek/review of annual report template SPWG is working on
* Bulk download response from community about Reserved IDs
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Council of Roots update (every other meeting)
* Researcher Working Group proposal for Board review
* Vision Paper and Annual Report
* Should be an action item, not a future discussion topic.
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy