10:35-10:55: Review of Action items (see attached excel file)
See attached Excel spreadsheet (CVE Board Meeting 16Dec20 – Agenda and Action items)
Kris provided an update on the status of the ID Reservation (IDR) Service:
- Code review was performed by the community and a third party. There were no significant findings; nothing was identified that needed to be fixed immediately. Some issues were discovered with the library, but they are not critical.
- The code issues identified will be placed on the list for future fixes.
AWG Proposed IDR Roll-Out Plan
- Credential roll-out will take place over the course of 6 weeks (December 16 through January 29).
- The first set of credentials will be sent to the Secretariat and early adopters December 16-18 (approximately 15 organizations, defined as those that have requested testing credentials).
Should we deploy in December or January?
- Concerns were raised about the December deployment date since some dates fall over the holiday season. Reduced staff could impact the response time to fix any issues that arise. Redhat expressed, in the AWG meeting, that because the roll-out date falls over the holidays, Redhat will not do anything until after the holidays anyway.
- CVE Board Discussion: A Board discussion ensued, with the general consensus being that IDR should deploy in December if a recommendation to deploy is rendered by the AWG and SPWG. The general consensus was that, although there is risk in deploying before Christmas, there is benefit to making the service available to early adopters as soon as possible.
- The question was posed whether credentials could be made available earlier than December 15 (since the IDR was, for all practical purposes, ready to go); the response was twofold:
- The timing to "approve" the IDR for deployment under the CVE Board Deployment Approval process will take some time (i.e., 3 recommendations are required to deploy), with meetings normally scheduled over the next couple of weeks.
- The Secretariat Deployment team had not been consulted on an earlier date than the one proposed (i.e., it was not clear whether credentials could be delivered earlier than proposed).
The Board agreed to the following for the IDR deployment:
- How does the program handle low to moderate vulnerabilities for CNAs that do not want to assign? Microsoft has presented its process (implemented in 2018) for handling low to moderate vulnerabilities, and it is not the only CNA using this approach. The question is whether this is a real concern for the program. Metrics were gathered to understand the volume of this problem.
- At the December 1 SPWG meeting, MITRE presented data showing that 170 CVEs were issued by the MITRE Root during the three years, so it is not an undue burden.
- The group agreed that Vendor CNAs can decide their own policy on how to handle low/moderate vulnerabilities. Vendors can refuse to issue CVE IDs for low to moderate vulnerabilities, and reports can escalate to the Root CNA-LR.
- This issue will need to be re-reviewed periodically to see whether the level of effort on the Root CNA-LRs is increasing or remaining consistent.
- CVE Board headshots have been requested by the Secretariat, and the group agreed that a current photo should be provided; a photo taken in the last 5 years is preferred. Including CVE Board member photos will help personalize the CVE Board webpage.
- The CVE Community needs to be notified about the upcoming changes to data formats; the OCWG will send communications once the data formats have been identified.
- Data download statistics were provided to the group; the results were inconclusive.
- The plan should include a description of the CVE download capabilities going forward, the deprecation of certain older versions (yet to be decided), a description of JSON 5, and new capabilities such as downloading records from a given date and time onward.
IETF is working on publishing a disclosure policy, and there may be some interest in assigning CVE IDs to protocol vulnerabilities. In addition, there is interest in the CVE format. David W. is working with IETF to understand their interest and coordinate. IETF is also a good candidate for becoming a CNA.
The group voted and unanimously agreed to give the green light for IDR deployment, contingent upon AWG and SPWG deployment recommendations (which will be determined during meetings on December 8).
- The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to Jo Bazar ().