CVE Board Meeting Minutes
January 8, 2025 (9:00 a.m. – 11:00 a.m. EST)

Agenda
* Introduction
* Topics
* CVE AI Briefing
* CVE AI WG Strategic Discussion
* VulnCon 2025: CVE Program Presentations Discussion, CVE Program Role at Vulncon
* Status of RBP Cleanup and Inactive CNAs
* Open Discussion
* Review of Action Items
* Closing Remarks

New Action Items from Today’s Meeting

| New Action Item | Responsible Party |
|---|---|
| Draft a blog post in conjunction with CVE AI WG on findings and recommendations. | CVE Board |
| VulnCon 2025: Submit the idea of a panel discussion on cloud vulnerabilities and no-action CVEs to VulnCon. | CVE Board |
| VulnCon 2025: Discuss and coordinate conference topics through the working groups and the CVE Board email listserv. | CVE Board |

Topics

CVE AI Briefing

The CVE AI Working Group is actively working to clarify the CVE program's stance on CVE ID assignment for AI-related vulnerabilities. A document is being drafted for board review, and once consensus is reached, it will guide messaging to CNAs.

CVE AI WG Strategic Discussion

* Expanding Participation in AI Working Group: There's a need to encourage more diverse participation and representation within the AI working group to ensure the best possible outcomes.
* International Engagement: Adjusting meeting times to accommodate different time zones, especially for international participants, could enhance global participation.
* Blog as a Communication Tool: Using blogs to share ongoing discussions and gather feedback from the community, providing transparency into the AI working group's process and decisions.
* There was general agreement among board members for drafting a blog post to illustrate the CVE AI WG’s recommendations and findings.
* Community Education: Emphasizing the importance of educating the community on the rationale behind AI-related guidance to avoid surprises when formal guidance is published.
* Engaging Stakeholders Early: Involving the community and key stakeholders early in the process through blogs and feedback loops to refine ideas before finalizing decisions or guidance.
* Iterative Process: Acknowledging that the AI working group’s process is iterative, with an open feedback loop to continue refining the approach as more voices are engaged.

________________________________

VulnCon 2025: CVE Program Presentations Discussion, CVE Program Role at Vulncon

Conference Status:

* In response to the CFP, 41 submissions have been received so far.
* The Call for Papers (CFP) officially closes January 15.
* Board members and community members are encouraged to submit proposals now, even if details are not finalized.
* Multiple submissions on the same topic are still welcome.
* One submission has been made for a panel on “Software Identity and the Vulnerability Management Ecosystem,” covering topics like CPE and Purl.
* Other potential sessions include discussions on new rules, ongoing CVE work, and vendor IDs.

Desired CVE Program Content/Presence:

* Ensure CVE-related topics and panels at the conference, including:
  * Birds of a Feather and open-ended style sessions for direct Q&A and community feedback.
  * Best practices for CNAs (how to be a good CNA, quality reporting, processes).
  * Rules Updates (what changed since last year, why, and impact).
  * CVE Services and Schema Changes (roadmap, CPE considerations, new data fields).
  * CVE Program Metrics (grading, scoring, frequency, etc.).

Motivation & Rationale:

* Engage the broader ecosystem, especially scanning vendors, large enterprises, and other stakeholders, to share how they use CVE data and what they need.
* Highlight the value of enrichment, such as linking CVE with CWE, SBOM, or other data sets.
* Elicit user feedback on planned or proposed changes, such as the next schema version.

________________________________

Status of RBP Clean and Inactive CNAs

* Deferred to next meeting due to time.
________________________________

Open Discussion

None.

Review of Action Items

None.

Next CVE Board Meetings

* Wednesday, January 22, 2025, 2:00pm – 4:00pm (EST) - Working Group Updates
* Wednesday, February 3, 2025, 9:00am – 11:00am (EST)
* Wednesday, February 19, 2025, 2:00pm – 4:00pm (EST) - Working Group Updates
* Wednesday, March 16, 2025, 9:00am – 11:00am (EST)
* Wednesday, March 22, 2025, 2:00pm – 4:00pm (EST) – Working Group Update

Discussion Topics for Future Meetings

* End user working group write-up discussion
* CVE Services updates and website transition progress (as needed)
* Working Group updates (every other meeting)
* Researcher Working Group proposal for Board review
* Council of Roots update (every other meeting)
* Secretariat review of all CNA scope statements
* Proposed vote to allow CNAs to assign for insecure default configurations
* CVE Communications Strategy

This document includes content generated with the assistance of Microsoft Teams Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the initial draft of the meeting minutes and provide suggestions for summarizing key discussion points. All AI-generated content has been reviewed and edited by the CVE Program prior to publishing. Please report any inaccuracies or other issues to the CVE Program.