CVE Board Meeting Minutes
February 19, 2025 (2:00 p.m. - 4:00 p.m. EST)

Agenda
* Introduction
* Topics
* Working Group Updates
* Discussion: CNA Inactivity and Outreach/Onboarding
* CVE Data Usage and Satisfaction Survey
* Review of Action Items
* Closing Remarks

New Action Items from Today's Meeting

| New Action Item | Responsible Party |
|---|---|
| Confirm which Board members will be attending VulnCon 2025 for the hotwash and Board meeting | Secretariat |
| Initiate vote on EOL CVE IDs | Secretariat |
| Review CVE Board Charter | Board |
| Conduct a poll to determine Board members' availability for a two-day off-site strategy session | Secretariat |

Topics

Working Group Updates

Automation Working Group (AWG):
* CVE Services: Versions 2.5.1 and 2.5.2 were released. A major update is the standardization of dates, which is fully backward compatible and addresses community feedback. All future dates will be converted to UTC.
* User Registry Requirements: A user registry is a critical component of the future CVE Services infrastructure. Work on breaking down the requirements into user stories will begin next week.

CNA Organization of Peers (COOP):
* Pacific Time Zone Participation: The COOP has seen increased engagement from participants in the Pacific Time Zone. Meetings are being held at 1:00 PM and 7:00 PM CT, the latter tied to Japan Standard Time (JST). The Pacific/JST time meeting has seen an uptick in attendance.
* Onboarding Documentation Review: The group has reviewed the CNA onboarding documentation and provided minor suggestions for improvement. The feedback has been communicated and will be incorporated as needed and shared back out to Roots for adoption.
* Meeting Discussions: COOP meetings have focused on fostering a welcoming environment for new CNAs, with casual discussions often touching on topics like VulnCon and RSA. While no new working group time zone meetings are planned at this time, the idea will be revisited in future meetings in order to offer additional networking opportunities.
* Participation and Retention: The group has observed that most new CNAs attend only one or two meetings before deciding whether to continue. A small number become consistent attendees for several months to network and ask questions.
* The mailing list for COOP currently counts about 80 people, and approximately eight to ten CNAs appear at COOP meetings.

Outreach and Communications Working Group (OCWG):
* AI Blogpost and Social Media: The OCWG published the second AI-focused blog, which has been promoted across social media platforms. This blog will also be featured in the upcoming newsletter next week. A previous blog promoting the CPE user guide was also published and shared across social media.
* Long Haul Promotions Campaign: The team continues with the long-haul promotions campaign, which includes blog posts and social media activity. This effort also extends to promoting the CNA enrichment list, with another post scheduled for release next Tuesday.
* Podcast and Video Content: The 25-year anniversary podcast was published, receiving over 217 listens in the past week or two. OCWG is in discussions with two Board members about possibly producing another podcast, potentially to promote the CPE guide. Additionally, the group is working on revisions for the "Becoming a CNA" video.
* Upcoming Focus: Once the agenda for VulnCon 2025 is released, the OCWG will focus on promoting individual talks, similar to the approach used during last year's event.

AI Working Group (AIWG):
* Blog Development and Feedback: The AI working group focused heavily on developing and composing a blog, which went live on February 18. There was also an effort to collect feedback on the post, especially from other groups in the AI space and CNAs that may have interest in the topic. This feedback process will help refine the discussion and ensure broader engagement.
* Collaboration with CWE Working Group: The CVE AI Working Group and the CWE AI Working Group are actively collaborating. The CWE AI WG is working on creating new CWEs and revising existing ones in the AI context, which helps inform CVE creation, especially in grey areas that may overlap with CWE revisions.
* Feedback on the Blog: The CWE AI Working Group provided valuable feedback on the blog post, which was integrated into the discussion and added depth to the content.

Quality Working Group (QWG):
* CVE Data Usage Survey: The CVE data usage and satisfaction survey is nearing completion. It will gather insights on how the community uses CVE data and their satisfaction with current processes and services.
* Charter Updates and Feedback: The QWG reviewed proposed changes to the charter. Discussions focused on the balance between community involvement in major schema changes and the need for timely updates that may not require community input, such as the disputed reasons tag. The proposal emphasized gathering community feedback but acknowledged that it should not delay critical updates.
* Board Review: The final changes to the charter will be presented to the Board for review and approval.
* Leadership Changes: A co-chair of the QWG stepped down but will remain a member of the QWG.
* CPE Tutorial and VulnCon Presentation: QWG is preparing a CPE tutorial and CVE record format presentation for VulnCon 2025 to educate the community on proper CPE usage.
* Tool Development: The group is working on automated support for generating CPEs. The partial implementation allows for entering product data once and generating CPE applicability statements automatically. Testing and deployment are still pending.

Strategic Planning Working Group (SPWG):
* CVE Program Policy and Procedures Review: The SPWG continues to review draft CVE program policy and procedures, particularly focusing on disputes related to CNA operational rule 4.2.2.1. Discussions are progressing, with the group nearing agreement on the CVE Record Dispute policy. However, further adjustments are required before final approval.

Tactical Working Group (TWG):
* End of Life Policy (EOL) for CVE Records: The TWG discussed the ongoing development of an EOL policy for CVE Records.
* Documentation and Roadmap Development: The group is working on creating a comprehensive project management plan that includes a roadmap for upcoming priorities. This effort aims to ensure all activities and milestones are clearly defined and aligned across the TWG and other working groups, and it represents a key initiative for the TWG.
* User Registry Prioritization: There was a discussion about prioritizing the user registry as a key task for the development team. The need for a clear schedule and visibility into progress was emphasized.
* Off-Site Strategy Session: The group talked about organizing an off-site, two-day strategy session to solidify the direction for future projects. A poll to gauge Board members' availability will be conducted by the Secretariat.

Vulnerability Conference and Events Working Group (VCEWG):
* VulnCon Preparations: The Board was updated on preparations for VulnCon 2025. This includes handling sponsorships, registrations, submissions, and the review process managed by VCEWG. The group is actively organizing the CVE Program's presence at the event and addressing potential themes.

________________________________

CVE Data Usage and Satisfaction Survey

The Board was presented with an update on the development of the CVE Data Usage and Satisfaction Survey. The purpose of the survey is to gather insights into how CVE members and stakeholders obtain and use CVE data, including whether they republish or further process it. The survey will focus on identifying primary and secondary data retrieval methods, such as direct downloads, APIs, and third-party aggregators.
* Next Steps: The updated version of the survey will be finalized and released the following day with adjustments based on the feedback provided.

________________________________

Discussion: CNA Inactivity and Outreach/Onboarding

Topic deferred to a later meeting.

________________________________

Open Discussion

None.

Review of Action Items

Deferred.

This document includes content generated with the assistance of Microsoft Teams Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the initial draft of the meeting minutes and provide suggestions for summarizing key discussion points. All AI-generated content has been reviewed and edited by the CVE Program prior to publishing. Please report any inaccuracies or other issues to the CVE Program.