
Common Vulnerabilities and Exposures (CVE)

Consumer Working Group (CWG) Charter

Version 1.0
Adopted at the inaugural CWG meeting on [TBD]


1. Overview

The CVE Consumer Working Group (CWG) is established by the CVE Board to serve as a dedicated forum for representing the perspectives of end-consumers of CVE List data. These will include (but will not be limited to) enterprises, security teams, vulnerability analysts, government agencies, managed security service providers (MSSPs), academic researchers, software vendors, and tool developers who rely on CVE data to support decision-making, operational defense, and risk management.

We want the people who use CVE data to contribute to the future of CVE data.

The CWG identifies consumer needs, evaluates the usability of CVE data, and recommends improvements to ensure that the CVE Program remains aligned with real-world use cases.


2. Roles and Responsibilities

Chair

One or more CWG Chairs are appointed by the CVE Board and are responsible for:

  • Leading meetings and setting agendas.
  • Facilitating discussion and consensus.
  • Managing onboarding and offboarding of members.
  • Coordinating deliverables and reporting to the CVE Board.
  • Ensuring working group operations align with the CVE Program’s governance practices.

Members

Members of the CWG:

  • Participate in regular meetings.
  • Contribute to discussions, documentation, and analysis.
  • Support execution of approved initiatives.
  • Provide feedback and represent the views of CVE consumers.

3. Membership

Eligibility

Membership is open to external stakeholders who consume and work with CVE data as well as CVE Board members, CNAs and ADPs. Individuals with relevant perspectives on CVE consumption are encouraged to participate.

Size

There is no strict limit on group size, but the Chair may raise concerns about balance or effectiveness if needed.

Onboarding

New members receive access to CWG documentation, communications platforms, and a briefing on the group’s scope and norms.

Removal

Members may be removed by the Chair with notice to the CVE Board if:

  • They request removal.
  • They are inactive for an extended period.
  • They violate the CVE Program’s Code of Conduct.

4. Meetings

  • Frequency: The CWG will meet weekly, at least during its initial phase.
  • Format: Meetings will be held virtually and recorded for public access.
  • Agenda: Agendas will be distributed in advance and may include carry-over or new items from members.
  • Participation: International accessibility is considered. Recordings and notes will be made available to ensure inclusivity.

5. Discussions and Decision-Making

CWG discussions are public and transparent, with all recordings, notes, and deliverables accessible unless explicitly marked otherwise.

Consensus is defined as the lack of sustained objection. If consensus cannot be reached, differing viewpoints will be documented and submitted to the CVE Board. The CWG may also invoke a Tacit Acceptance procedure, where silence after a defined review period indicates agreement.


6. Deliverables and Reporting

The CWG will provide:

  • Recommendations to the CVE Board.
  • Guidance on best practices for consuming CVE data.
  • Feedback on data formats, accessibility, and prioritization.

Deliverables will include:

  • Meeting summaries and action items.
  • Public guidance and artifacts marked with date and status.
  • Periodic updates to the CVE Board and Secretariat.

7. Coordination with Other Groups

The CWG may collaborate with other CVE Working Groups as needed. Recommendations or actions that affect the broader CVE Program must be submitted to the CVE Board for review and approval.

The CWG recognizes that its efforts may intersect with those of other CVE Program Working Groups, particularly the Quality Working Group (QWG), which focuses on data quality, consistency, and format standards within the CVE List.

While both groups may evaluate aspects of CVE data, their perspectives and objectives differ:

  • The CWG evaluates CVE data primarily from a consumer experience and usability standpoint, focusing on how end-users interact with and apply the data in real-world workflows such as vulnerability triage, threat prioritization, and tool integration.
  • The QWG is responsible for ensuring data quality and standardization, including maintaining the CVE JSON schema, defining quality requirements, and making formal recommendations for changes to the structure and fields of CVE records.

The CWG may suggest enhancements to CVE data formats or field definitions based on consumer needs:

  • The CWG may submit feedback or proposals to the QWG for consideration.
  • The QWG will evaluate suggestions in the context of technical feasibility, data integrity, and overall program standards.
  • The two groups may coordinate directly when consumer input is relevant to ongoing quality-related efforts or schema design.

In situations where responsibilities overlap, chairs from both groups are expected to coordinate on scope and deliverables to avoid duplication and ensure complementary efforts.

All CWG proposals that affect CVE Program policy, data formats, or tooling will be submitted to the CVE Board for review and approval as part of the established governance process.


8. Code of Conduct

All members must adhere to the CVE Program’s Professional Code of Conduct. Reports of misconduct can be made to the Chair or the CVE Program Secretariat.


9. Charter Review and Amendment

This charter will be reviewed:

  • As needed, based on major scope or structure changes.
  • With at least two weeks' notice prior to a scheduled vote.
  • Amendments require a voice vote during a regular CWG meeting.