NOTE: Please send an email to the Secretariat if you have a topic to add to the 
agenda for the next Board meeting on March 2.

CVE Board Meeting Notes, February 16, 2022
Members of CVE Board in Attendance

☐Ken Armstrong, EWA-Canada, An Intertek 

☒Tod Beardsley, Rapid7<>

☒Chris Coffin, The MITRE Corporation<> (MITRE At-Large)

☐Jessica Colvin

☒Mark Cox, Red Hat, Inc.<>

☒William Cox, Synopsys, Inc.<>

☒Patrick Emsweller, Cisco Systems, Inc.<>

☐Jay Gazlay, Cybersecurity and Infrastructure Security Agency 

☐Tim Keanini, Cisco Systems, Inc.<>

☒Kent Landfield, McAfee<> 

☒Scott Lawler, LP3<>

☒Chris Levendis, CVE Program<> (CVE Board Moderator)

☐Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon 

☐Pascal Meunier, CERIAS/Purdue University<>

☐Ken Munro, Pen Test Partners LLP<>

☐Tom Millar, Cybersecurity and Infrastructure Security Agency 

☒Chandan Nandakumaraiah, Palo Alto Networks<>

☐Kathleen Noble, Intel Corporation<>

☒Lisa Olson, Microsoft<>

☐Shannon Sabens, CrowdStrike<>

☒Takayuki Uchiyama, Panasonic 

☒David Waltermire, National Institute of Standards and Technology 

☐James “Ken” Williams, Broadcom Inc.<>

Others in Attendance (MITRE CVE Team)
☒Kris Britton
☒Christine Deal
☒Art Rich
☒Thu Tran


  *   Introductions and Roll Call
  *   Today’s Topics
     *   Vulnogram adoption
     *   CVE website metrics
  *   Open Discussion
  *   Review of Action Items
  *   Next Meetings and Future Agenda Topics
New Action Items from Today’s Board Meeting
Action Item #
Action Item
Responsible Party
Begin planning next steps related to Vulnogram.
Update website to fix Partners List (incorrect roles for Google (add 
Root) and Android (remove Root) and format “Root Scope” and “CNA Scope” 
consistently (bold/not bold).

Today’s Topics

  *   Vulnogram adoption (Lisa Olson/Chris Levendis)
     *   Vulnogram was discussed as a tool to replace the current web form to 
reserve CVE IDs and submit/retrieve CVE Records.
     *   Implementation may include a period of overlap when Vulnogram or the 
webform may be used.
     *   Discussion was positive, and the consensus was the tool is better than 
the webform, but could use some simplification (i.e., it is not intuitive).
     *   The Automation Working Group (AWG) supports Vulnogram as an option to 
reserve CVE ID Reservations and to submit/retrieve CVE Records. AWG 
observations include:
        *   Current version needs to demonstrate that is supports JSON 5.0, and 
interfaces cleanly with CVE Services 2.1. Testing can begin after February 25.
        *   Planning is needed to determine an adoption schedule for Vulnogram 
and integrating that with the CVE Services 2.1 deployment schedule.
        *   Program will need to provide resources for tool management, e.g., 
configuration management, security.
     *   Proposal to the Board: Should the CVE Program move to implement 
Vulnogram (replacing current webform)?
        *   Decision: YES (All 12 Board members on the call voted YES)
     *   The Transition Working Group (TWG) will begin planning next steps, 
e.g., adoption schedule, customization needs, creation of user documentation.
  *   New CVE Website Metrics (Thu Tran/Kris Britton)
     *   CVE website metrics (about site activity since the roll-out) were 
shared and discussed:
        *   Number of Users over time (stable to upward trend, spike in 
December due to log4j, total users since deployment is 216k)
        *   Top Countries with the greatest number of users (top 3 are U.S., 
Germany, and India). This metric indicates an opportunity to recruit more CNAs 
from particular countries, e.g., there are currently only four CNAs in India, 
yet they represent the third greatest number of users who accessed the website.
        *   Web Pages accessed (top 3 are CVE Record Details, Home, and News).
     *   The Board agreed to add the metrics to Quarterly Reports.
Open Discussion

  *   CNA inactivity (not assigning CVE IDs) and subsequent removal from the 
program was raised as a concern. Chris Levendis reminded the Board that the 
Program tries every avenue, over at least a six-week period, to communicate 
with the inactive CNA to understand the reason for the inactivity. There are 
valid reasons, such as the CNA did not identify any vulnerabilities in their 
area of scope. Only after the program has communicated with the CNA at least 
three times over a six-week period, without a response or satisfactory 
response, is the CNA considered for removal.
  *   Highlights of the February 16, 2022, Council of Roots meeting were shared:
     *   Google attended for the first time as a new Root.
     *   Program recognizes the onboarding videos are out of date and is 
waiting until CVE Services 2.1 is deployed and stable before making significant 
updates. In the meantime, supplemental/clarifying documentation may be used as 
     * is viewed positively by Roots. is less popular, 
and it was suggested a future Roots meeting be used to conduct a walk through 
of the tool.
  *   An agenda for the April 7 Summit was developed by the TWG and sent to the 
Board for review/comments on February 16, 2022. The agenda focuses on CVE 
Services 2.1.
Review of Action Items

  *   Program will reach out to Tod Beardsley to get status updates on his 
Action Items.
  *   Program will check with MITRE Help Desk about the Zoom meeting problem 
(Kent Landfield can’t access). Related to Action Item number 01.05.01.
Next CVE Board Meetings

§  Wednesday, March 2, 2022, 2:00pm-4:00pm (ET)

§  Wednesday, March 16, 2022, 9:00am-11:00am (ET)

§  Wednesday, March 30, 2022, 2:00pm-4:00pm (ET)

§  Wednesday, April 13, 2022, 9:00am-11:00am (ET)
Discussion Topics for Future Meetings

  *   CVE Working Groups Updates – March 2, 2022
CVE Board Recordings

The CVE Board meeting recording archives are in transition to a new platform. 
Once the new platform is ready, the Board recordings will be readily available 
to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, 
please reach out to the CVE Program Secretariat 

Christine Deal
Homeland Security Systems Engineering and Development Institute (HSSEDI)
MITRE | Solving Problems for a Safer World™​
813-830-2338 (cell)

Reply via email to