CVE Board Meeting Minutes
February 5, 2025 (9:00 a.m. - 11:00 a.m. EST)

Agenda

* Introduction
* Topics
  * Discussion of CVE Rules and EOL products
  * RBP and Inactive CNA outreach update
  * CVE Board Maturity and Roles
  * Quarterly Report Card
  * Concerns for Secretariat / MITRE TL Root
* Open Discussion
* Review of Action Items
* Closing Remarks

Topics

Discussion of CVE Rules and EOL Products

The Board discussed the pros and cons of allowing the publication of CVE Records for EOL products (without a specific vulnerability). The group explored the complexity of notifying users about vulnerabilities in EOL software and the challenges supplier CNAs face in effectively communicating these risks. There was a consensus that the current CVE rules, particularly regarding EOL software, may need to evolve to better address the community's needs. Additionally, there was consensus on drafting a community blog post to outline the issue and promote the survey. The blog will help communicate the challenges around EOL software and invite further discussion from the community.

RBP and Inactive CNA Update

The Secretariat provided an update on the "Reserved But Public" (RBP) ID outreach effort, noting that some CNAs had large backlogs. During the first phase of outreach to CNAs with RBP IDs, high-volume producers were targeted. It was also noted that the CVE Program does not have a robust detection program, and that the RBPs "known" to the CVE Program constitute an incomplete data set. The Board was also briefed on outreach to inactive CNAs. The conversation emphasized that clarifying and enforcing inactive CNA policies is crucial for improving program data quality. The next outreach will leverage Roots to resolve their CNAs' RBPs. Board members encouraged the drafting of a blog post to share RBP statistics and progress on re-engaging inactive CNAs with the wider CVE community, as well as the drafting of an FAQ on the inactive policy for active CNAs. The Board also expressed a desire to mention RBPs at VulnCon 2025.

RBP outreach results to date: reduction in "known" RBPs from 699 to 93.

CVE Board Maturity and Roles

Topic deferred to a later meeting.

Quarterly Report Card

The Board noted that content related to program metrics in quarterly reports is due for review and adjustment. The group was asked to discuss ways to update the reports to include better metrics for the Board. There was a consensus that these reports should be revitalized to show more detailed statistics, such as activity levels, RBP status, inactive CNAs, and program health. A plan was proposed to cross-check past reports with current ones and enhance the reports with new metrics that reflect current program needs. The Tactical Working Group (TWG) was chosen as the forum to discuss the format and content of the updated Quarterly Report Cards.

Concerns for Secretariat / MITRE TLR

The Board discussed a concern that MITRE (as TLR Root) is taking on tasks better suited for CNAs or researcher organizations. These include overly hands-on recruitment of new CNAs and handling first-order triage for most CVE submissions. By redistributing these responsibilities, the Secretariat can concentrate on higher-level coordination and policy, such as enforcing the CVE RBP policy. A concern noted by the Board was that rapid onboarding of new CNAs has outpaced MITRE's ability to assign and enrich CVEs effectively. Many remain inactive, increasing the burden on the CNA of Last Resort (CNA-LR). The Board noted that new CNAs should have clear readiness criteria and better onboarding protocols to ensure active participation. The Board aims to ensure the CVE Program grows without overwhelming MITRE by establishing clear boundaries for Secretariat duties and leveraging the broader CNA community. It was noted that the publication of "CVE: 25th Anniversary Report" (published October 2024) involved weekly, small groups of Board members, and this format could be used to discuss operational efficiencies for MITRE in the CVE Program.

Open Discussion

The Board received an update on submissions for VulnCon 2025. An agenda for the event is expected by February 17th, with some changes anticipated after. The Board was also reminded to be on the lookout for a new blog draft from the CVE AI WG. Additionally, Board members were asked to pay attention to immediate action on the policy around end-of-life records, and were told that the Quality Working Group (QWG) would soon schedule a data call and survey. The Board meeting was concluded after no other Open Discussion items were volunteered.

Review of Action Items

None.

This document includes content generated with the assistance of Microsoft Teams Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the initial draft of the meeting minutes and provide suggestions for summarizing key discussion points. All AI-generated content has been reviewed and edited by the CVE Program prior to publishing. Please report any inaccuracies or other issues to the CVE Program.