10:35-10:55: Review of Action items (see attached Excel file)

See attached Excel spreadsheet (CVE Board Meeting 4Nov20 - Action items)

CVE Board Meeting schedule: Last week, the Board agreed to shift the meeting schedule a week because the Board meetings conflicted with the Holidays. The group agreed to move the Board meetings back to their original meeting week after the New Year, as some of the Working Group meetings were on alternating weeks of the CVE Board meetings.

CVE Program Report Card: Jo Bazar and Jonathan Evans walked through the Q3-20 CVE Program Report card. The group asked why the MITRE CNA-LR numbers are down; because MITRE worked off RBPs earlier in the year, production appears low. The CNA that was driving the increase in RBPs has reduced their RBPs after Q3 close to be below the 5% threshold; this reduction should be reflected in the next quarterly report. The group had a couple of suggestions that will be incorporated into the next report, such as rethinking how the CNA age groups are grouped together and adding the number of CNAs that contributed to the average number of days for a CNA to publish their first CVE records from the CNA announcement date. It was also suggested to update the Definitions slides so they are consistent with the CVE Terminology.

Are gaps or "vulnerabilities" in security compliance/process standards in scope for CVE? Art M. submitted this topic for discussion based on a research paper titled "Compliance Cautions: Investigating Security Issues Associated with U.S. Digital-Security Standards". Although technical standards (like protocol RFCs and crypto specs) *are* in scope, this is a different abstraction, basically seeking to identify specific gaps or problems with security compliance standards. The group discussed whether there are gaps or missed opportunities for assigning CVE IDs. The group agreed that additional information gathering was required.
A meeting will be scheduled (1 hour and 30 minutes) with the authors, to include CVE Board members and Board recommendations (e.g., NIST, NVD and end users).