CVE Board Meeting Minutes
April 16, 2025 (2:00 p.m. – 4:00 p.m. EST)

Agenda

* Introduction
* Topics
* Discussion: Recent Events
* Overview of Face-to-Face Board Meeting Action Items
* Consumer WG Discussion and Potential Call for Vote
* CNA Behavior Update and Discussion
* Review of Action Items
* Closing Remarks

New Action Items from Today’s Meeting

| New Action Item | Responsible Party |
| --- | --- |
| Board Communications Policies Review | Board |
| Draft Potential Rule Change Requiring CNAs to Review Security Policies of Open Source Projects Before CVE Assignment | Board |

Topics

Discussion: Recent Events

At the start, it was acknowledged that a memo was sent to Board members earlier in the week about a potential break in service of MITRE’s support of CVE. It was confirmed that there would be no interruption in service due to prompt action by government partners. A member that represents CISA on the CVE Board emphasized that the CVE Program remains “an absolutely essential tool in America’s cybersecurity arsenal,” adding that support extends “straight up to the top” of DHS. Another member that represents CISA on the CVE Board reaffirmed the government’s understanding of the CVE Program’s impact and importance.

Members discussed the impact of recent events and emphasized the need to prevent similar situations in the future. The Board expressed a shared commitment to safeguarding the program’s reputation and strategic importance, with plans to continue discussions and identify actionable steps forward.

Overview of Face-to-Face Board Meeting Action Items

The Secretariat summarized the recent in-person Board session.
Topics reviewed included:

* Developing further language for the CVE website to improve community understanding of various program roles (e.g., CNA, Root, TL-Root)
* Adopting AI-related tagging within CVE Records
* Reviewing CVE Record enrichment criteria and recognition
* Supporting automation efforts across CNA tooling
* Strengthening community communications and transparency

One Board member noted that these items aligned with community expectations and reinforced the Board’s position as a strategic partner. Another emphasized bundling-related actions for Working Groups to ensure deliverables, suggesting formal tracking across quarters.

________________________________

Consumer WG Discussion and Potential Call for Vote

The Board was reminded of a proposal to charter a new Consumer Working Group (CWG), with a draft charter and potential co-chairs circulated in advance. The CWG’s goal would be to represent downstream CVE consumers—organizations and individuals who rely on CVE data for operational security, compliance, or analysis.

Several Board members endorsed the concept of a CWG, noting that consumer perspectives were underrepresented. Others stressed the need to avoid duplicating the work of existing Working Groups. One recommended cross-WG coordination frameworks. General agreement emerged to refine the CWG scope, finalize the charter, and prepare for a formal approval process at the next meeting.

________________________________

CNA Behavior Update and Discussion

A recent issue with a CNA was recapped: a CNA assigned CVE IDs to vulnerabilities already assigned by other CNAs. A Board member raised the concern, noting that the CNA disclosures did not follow published security policies of the affected projects. When the Root reached out to the CNA, they responded promptly to reject the duplicative records. They explained to their Root that they had resolved the technical issues in their process and committed to improvement.
________________________________

Open Discussion

A Board member reported that the VulnCon 2025 conference was a success, with a total attendance of 627 participants, including 448 in-person and 179 virtual attendees from 31 countries. Board members expressed satisfaction with the hot wash discussion after the conference. It was announced that the next VulnCon conference will be held in Scottsdale, Arizona, in April 2026, and optimism was expressed for the continued success and growth of the event.

Review of Action Items

Deferred.