09:05-10:05: Open discussion items (see attached excel file)
  - Should the Board require working groups to rotate their meeting schedules to garner better international participation?
10:35-10:55: Review of Action items (see attached excel file)
See attached Excel spreadsheet (CVE Board Meeting 28Oct20 - Action items)
  - The group talked about the transparency of each of the WGs and how they are using different platforms for storing artifacts (i.e., SharePoint, GitHub, Google Docs, etc.). Locating WG information is not easy for new WG participants, as each group manages and does things differently. There is also concern that WG documents should be made public, when appropriate. The group agreed that SharePoint is neither easy to use nor conducive to sharing information.
  - The suggestion was made to send a slip-sheet with the information to CVE participants, which will include a description of the WGs, how to contact the chairs, the frequency of the meetings, where artifacts are stored and how to access them, current status updates, and how to engage with the working group.
  - The group explained that there are different levels of information that can be shared with the public.
  - Though the WGs each have a specific scope, there is some confusion regarding which WG is responsible for what activity. The group agreed that the current CVE website can expand further on roles and responsibilities and that the new CVE website should address this right out of the gate.
  - There is an occasional need for one WG to get information/input from another WG to complete an activity. It is important that WGs establish a process that can satisfy that need from an information, discussion, and decision perspective. It is generally good practice to send anything that impacts the way the program does business to the SPWG, but that is not written down anywhere.
  - What is the problem we are trying to solve? We are trying to make sure important stakeholder groups are consulted and to avoid missed consultations.
  - The group agreed that each WG should have a co-chair so that institutional knowledge is retained.
  - The group agreed that WG updates are needed once a month in the CVE Board meetings and via email. The group agreed that the Secretariat will send email reminders to the WG chairs to collect bi-weekly updates. The WG bi-weekly updates will be sent by the Secretariat. The timeframe for the updates will correspond to the existing reporting that the Secretariat is doing.
  - The Board agreed to also include CNA Coordination updates from the three Roots (i.e., JPCERT, MITRE, ICS) in the bi-weekly email updates, which is already being done by the Secretariat.
-
Should the Board require working groups to rotate their meeting schedules to garner better international participation?
- The intent of this suggestion was specific to the CVE Board meetings, not necessarily to the WGs. Each WG should survey its participants on the best time to schedule meetings. Each WG Chair should take a look at their participation list, be considerate of international participants, and reschedule as needed.
- WG mailing lists should be used to continue discussions and work started during meetings.
- The group agreed that a WG Operations Manual should be developed to address the aforementioned items one through five.
- ID Reservation (IDR): Self-service allowing CNAs to get either an arbitrary number of non-sequential IDs, or a block of sequential IDs.
  - IDR unit, functional, and concurrency testing was conducted by the Secretariat, with one additional concurrency test identified in the most recent AWG meeting. A new Security sub-working group was formed to identify the full set of assurance tests required.
  - The release of IDR was put on hold by the community to identify and levy additional assurance and security requirements. A new IDR release date has not yet been identified by the community.
  - The report card will form the basis for an AWG "Recommendation to Deploy." There are eight criteria on the report card, and a ninth requirement to address security is being added. A Security sub-working group has been formed to define the security requirements.
- Two projects are underway: the CNA Rules revision, and how CNAs should manage low/moderate vulnerabilities.
  - The CNA Rules revision updates will include updating the document with new verbiage (e.g., CVE Terminology), and some rules are being updated for clarification. Some of the rules will be dependent on the automation of the services.
  - The second project underway concerns low to moderate vulnerabilities and how they should be dealt with moving forward. Microsoft has presented their process (implemented in 2018) for handling low to moderate vulnerabilities, and they are not the only CNA using this approach. The question is: is this a real concern for the program? Metrics are being gathered to understand the volume of this problem. This discussion is ongoing.
  - The goal of the CVE Program is to assign CVE IDs to all vulnerabilities. Once we have a better understanding of the issue, we need to look at what the program needs to do to ensure these low/moderate vulnerabilities are appropriately assigned. The options are being discussed in the SPWG.
  - Many in the vulnerability management community do not view CVE ID assignments in the same way; they believe that if a CVE ID is assigned, there also needs to be a fix. How does the program deal with these different perceptions? The CVE Program does not agree that every CVE ID needs a fix.
- CNACWG suggested having live working group updates that will be recorded and put into a podcast. CNACWG will work with OCWG to coordinate the podcasting efforts. The WG updates will not be public, but only provided to participating CNAs.
- Draft scripts have been developed for the intros/outros for the podcast and are being reviewed by the OCWG. The group agreed that Jo Bazar should record the intros/outros so there is consistency in the CVE program (since Jo did the voice track for the CNA onboarding videos on YouTube).
- A first cut of the voice track recording has been created and is being reviewed by the OCWG.
- An undisclosed CNA has responded that they are interested in becoming a CNA; so far, 9 organizations have responded to our outreach efforts.
  - The Recommended Tagging Approach email from the QWG was sent on 10/6/2020; however, the MITRE email issue continues, and the message was not received by all recipients. The email was resent, and comments and remarks from the community are being received.
  - The tagging approach provides a way to manage various types of tagging in the CVE v4.0 and v5.0 record formats. The recommendations include 1) a method to allow CNAs and third parties (as Authorized Data Publishers) to categorize and characterize vulnerabilities published as CVE records in the v5.0 format; 2) a formalization of how tags appear in CVE record format 4.0 descriptions; 3) a list of tags to associate with references in the CVE v5.0 format; 4) a process for governing how new tags are to be proposed, reviewed, approved, and added to the official CVE tag list; and 5) a method for allowing tag extensions to be used in the CVE record v5.0 format.
  - The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to Jo Bazar ().