10:45-10:55: Review of Action items (see Excel file attached)
See attached Excel spreadsheet (CVE Board Meeting 14Oct20 - Action items)
- Thu Tran provided an overview of the new CVE Website; this overview will also be provided at the CVE Global Summit. Listed below is some of the feedback/discussion:
- Feedback: The buttons need more clarification; for example, the CNA button. Is that for new CNAs or interested CNAs? It is not clear to the user where they should go.
- Response: The CVE Website team is having a hard time balancing the text on the page in terms of what is too much or too little.
- Response: The CVE Website team agreed to use layman's terminology so that users unfamiliar with the program could understand. The site is designed so there are multiple ways to be a partner with the CVE Program.
- The group agreed that hover-over text would help with adding clarification around the buttons.
- This process assumes that the Developer (in this case the Secretariat) has offered up an artifact for community review (e.g., an executing artifact to test, source code to review) and that Community Acceptance Testing is complete and the Developer Testing is complete.
The developer and the “community testers” will present an “assurance case” to the AWG. The “assurance case” may comprise a series of assertions, assurance artifacts, or actual test results. Upon that presentation, the AWG will render a “Deployment Recommendation” to the CVE Board and the SPWG. The recommendation will be “consensus based” and will comprise “minority” and “majority” opinions to provide the Board and the SPWG members multiple perspectives to consider. It will include all the assurance artifacts and discussions that were considered as part of the AWG deliberation.
- There was general agreement by the CVE Board regarding the CVE program automation deployment decision process. The process will be written up and circulated to the CVE Board for approval.
- The AWG agreed upon 8 AWG Service Deployment Requirements that would need to be satisfied as a prerequisite to an AWG Recommendation to deploy any CVE Service. The eight requirements are as follows:
2. Have all unit tests passed? Are all user stories adequately covered by unit tests?
3. What was the result of community testing? How much testing occurred? What bugs were identified? Have all the bugs been fixed?
4. What measures are in place to ensure availability of the system (i.e., backups, scalability, DDoS protections, etc.)?
5. Do we have a sense that the services are functioning appropriately in a multiuser, concurrent environment?
6. What is the rollout plan? When will the cutover happen? When can CNAs use the service to get CVE IDs for program use?
7. How do we recover from a bug that may cause missed or duplicate assignment of a CVE ID? How will the affected CNAs be notified?
8. What is the rollback plan? How does the CVE program recover if use of the services has to be discontinued for any reason? Who decides this? How do we ensure continuity of operations? What should CNAs expect regarding reservations in a worst-case scenario?
The group agreed on the 8 criteria but suggested a 9th criterion, to add security requirements. The AWG will include the component as part of its discussion at the next AWG meeting, on October 20, 2020, and the results will be part of the next IDR Status.
The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to Jo Bazar ().