CVE Board Meeting Minutes
April 30, 2025 (9:00 a.m. – 11:00 a.m. EST)

CVE Board Attendance
☒Pete Allor, Red Hat, Inc.<https://www.redhat.com/>
☐Ken Armstrong, EWA – Canada, an Intertek 
Company<https://www.intertek.com/cybersecurity/ewa-canada/>
☐Tod Beardsley, Austin Hackers Anonymous<https://takeonme.org/> (AHA!)
☒Chris Coffin (MITRE At-Large), The MITRE Corporation<https://www.mitre.org/>
☒William Cox, Black Duck Software, Inc.
☒Patrick Emsweller, Cisco Systems, Inc.<https://www.cisco.com/>
☐Jay Gazlay, Cybersecurity and Infrastructure Security Agency 
(CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐Tim Keanini
☐Kent Landfield
☒Scott Lawler, LP3<https://lp3.com/>
☒Art Manion
☒MegaZone (CNA Board Liaison), F5, Inc.
☒Tom Millar, Cybersecurity and Infrastructure Security Agency 
(CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐Chandan Nandakumaraiah, Palo Alto Networks<https://www.paloaltonetworks.com/>
☐Kathleen Noble, Intel Corporation<https://www.intel.com/>
☒Madison Oliver, GitHub Security Lab
☒Lisa Olson, Microsoft<https://www.microsoft.com/>
☐Shannon Sabens, CrowdStrike, Inc.<https://www.crowdstrike.com/>, Inc.
☒Christopher Turner, NIST
☒Takayuki Uchiyama, Panasonic Holdings 
Corporation<https://holdings.panasonic/global/>
☒ David Waltermire
☒James “Ken” Williams, Broadcom Inc.<https://www.broadcom.com/>

MITRE CVE Team Attendance
☒ Alec J Summers, Board Moderator

Agenda

  *   Introduction
  *   Topics
     *   Working Group Updates
     *   Moderated Board Discussion of Proposed Consumer Working Group

  *   Review of Action Items
  *   Closing Remarks


New Action Items from Today’s Meeting
New Action Item
Responsible Party
Provide Feedback on Proposed CVE Consumer Working Group
CVE Board
Review Changes to CVE Record Dispute Policy
CVE Board

Working Group Updates
Automation Working Group (AWG)
Update Search Capability v2: The new search functionality was deployed to 
test.cve.org on April 28. Early feedback highlighted usability challenges. To 
address immediate concerns, the team will clarify special character support in 
the documentation, add a banner to the test site outlining its limitations, and 
work to resolve the identified rendering anomaly.
Additionally, users reported a record rendering glitch that causes inconsistent 
views after page reloads. The team is actively investigating and targeting a 
fix by May 9.
Reference Archive: Documentaion is being drafted and a community test space is 
in planning.
User Registry MVP: Development is midway through a planned seven-sprint cycle 
on the Minimum Viable Product (MVP). A demo is tentatively scheduled for the 
next AWG meeting to review progress and gather feedback.
VulnCon Feedback: Community feedback emphasized the need for program-endorsed 
reference clients and clearly defined validation rules for development of 
clients for the CVE Services API. The AWG will generate a list of the 
validations CVE Services applies to API calls to inform stakeholders and 
developers.
CNA Organization of Peers (COOP):
The COOP continues to serve as a valuable networking forum. The North America 
time zone call remains well attended, with participation during APAC region 
time zone calls is lighter. No new projects have been initiated since the 
onboarding guide refresh. However, an opportunity has been identified for 
future collaboration with the QWG on a CNA self-audit checklist.
AI Working Group (AIWG):
Review of the first draft of the AI Playbook and a proposal for adding AI tags 
to records is planned for the May 12 meeting. That same week, the AIWG aims to 
brief the QWG on the potential schema impacts of the proposals.
Outreach & Communications Working Group (OCWG):
OCWG recently published six blog posts across three thematic campaigns: data 
enrichment, CNA recognition, and VulnCon 2025. Upcoming podcast episodes 
include a revamped “Working Groups 101” and a CVE and AI discussion, which will 
be coordinated with the AIWG once the playbook draft is ready. Meanwhile, the 
“Becoming a CNA” video is being updated to reflect Rules 4.0 updates, with a 
proposed script to be submitted to the TWG in mid-May.
Quality Working Group (QWG):
Following insights from VulnCon 2025, data quality remains a top concern for 
CVE stakeholders. The working group decided to retain current property names 
for version ranges, with a revised schema change proposal due May 10. A second 
proposed schema change for purl support, utilizing the “affected” array, 
remains in progress and will be compared to the “applicability” array 
prototype. A draft Request for Design (RFD) process has also been distributed 
for comment, with discussion planned for May 16.
Strategic Planning Working Group (SPWG):
The revised CVE Record Dispute Policy entered its Board review phase from April 
24 to May 2. Substantive comments from one Board member have triggered a return 
to the SPWG for further review, likely to result in a new draft by May 8. 
Additionally, the revisions to rules, which contain non-breaking edits (e.g., 
end-of-life disclosure language, CVE year guidance, vendor advisory ID 
requirements), will undergo a one-week review followed by a one-week vote.
Tactical Working Group (TWG):
The TWG is currently updating the Code of Conduct. The group also is reviewing 
the Enrichment Recognition List, which has gained significant traction in the 
community and will be

adjusted to encourage partner participation. Looking ahead, the TWG plans to 
share the anonymized 2025 Survey dataset with all working groups for input 
before public release.
Vulnerability Conference & Events Working Group (VCEWG):
VCEWG is editing the 2025 VulnCon videos, adding graphics and captions, for 
cross-posting to CVE and FIRST (Forum of Incident Response and Security Teams) 
channels by May 20. The program committee has been relaunched with four active 
volunteers, and a draft framework for the 2026 call for papers is underway. The 
group has also finalized its internal Code of Conduct Violation SOP in 
collaboration with FIRST and will share its findings with the TWG to inform the 
broader code of conduct renewal.
________________________________
Moderated Board Discussion of Proposed Consumer Working Group

Endorsement and Purpose: The Board discussion endorsed the creation of a 
Consumer Working Group (CWG), provided it includes sector-balanced 
participation and clearly defined responsibilities. Members noted that 
consumers are varied, from enterprises and SOC analysts to users of 
tool-generated data, and that the CWG should serve as a meaningful 
counterbalance to the producer-heavy composition of the current Board. The 
group emphasized the need to include voices from a wide range of industries, 
including open-source distributions.
Structure and Representation: The members favored a controlled enrollment model 
over open participation, supporting an intentional approach for wider 
representation. There was also discussion about whether existing working group 
charters require balanced representation, prompting a review of charter 
templates. The Board also discussed the possibility of launching a time-boxed 
Special Interest Group (SIG) which could transition into a formal working group 
if the participation remains steady.
Next Steps: The Board agreed that the next steps should include refining the 
proposal and incorporating Board feedback into a revised charter. The Board 
would like more details on what the best consumer representation on the CWG 
should be and what kinds of information we are most interested in learning 
about CWG members.
________________________________
The CVE Board meeting adjourned early after a motion to adjourn was seconded.



Reply via email to