09:35-10:55: Review of Action items (see attached Excel file)
See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 28 April 21 – Agenda and Action items).
- Products affected by a vulnerability because they inherit the vulnerability from a shared upstream product share the CVE ID for the upstream product.
- If there is a vulnerability in a standard that multiple products implement correctly, those products share the same CVE ID.
- If multiple vendors made the same mistake in different codebases, then there would be multiple CVE IDs (one per codebase).
- The proposal is to allow CNAs to assign at whatever level of abstraction they deem appropriate and build in a capability to include the relationships between CVE IDs.
- Once a decision is made, there are three actions: design, policy/rules, and implementation.
- Roles, Responsibilities, and Requirements for CVE Program roles (TL-Root, Root, CNA-LR and CNA) are almost completed; the ADP is still in progress. The SPWG plans to finalize the Roles, Responsibilities, and Requirements soon; it may or may not include ADPs. The SPWG is ready to finalize the current program roles and make a recommendation to the CVE Board.
- The Board agreed the SPWG will send an email to the CNAs about the impact of deprecating to one format; the message will be sent soon.
- The deprecation of acceptable formats will be added to the CVE Summit agenda to discuss further with the CNAs.
- Initial IDR Services (named CVE Services 1.0.0) is fully deployed. To date, 66 CNAs have requested CVE Service credentials (41%) with a total of 110 credentials distributed by the Secretariat. One CVE Service Patch has been deployed (CVE Services 1.0.1) since IDR went into production.
- CVE data format maintenance (i.e., JSON Schema) responsibility was transferred to the QWG, and an AWG "governance approach" was adopted that alternates between development/design review and CVE Service Requirements Generation.
- The Board agreed that a marketing campaign for the AWG services focused on both external marketing (i.e., Podcast) and internal marketing to new CNAs during the onboarding process needs to be developed, as well as tools to help new CNAs with how to engage with the services.
- There are seven remaining issues that will be worked and closed out in the next few weeks. The QWG needs to remove this blocker of the AWG record service development ASAP.
- CERT/CMU SEI Broadcast Production has offered CVE Summit speakers the opportunity to pre-record their presentations for viewing on the day of the event. This allows speakers to participate in the text chat with participants and answer questions while their video is running. Recordings are due no later than April 30.
The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to the CVE Program Secretariat.