CVE Board Meeting Minutes

April 30, 2025 (9:00 a.m. – 11:00 a.m. EST)

CVE Board Attendance

☒ Pete Allor, Red Hat, Inc. <https://www.redhat.com/>
☐ Ken Armstrong, EWA – Canada, an Intertek Company <https://www.intertek.com/cybersecurity/ewa-canada/>
☐ Tod Beardsley, Austin Hackers Anonymous <https://takeonme.org/> (AHA!)
☒ Chris Coffin (MITRE At-Large), The MITRE Corporation <https://www.mitre.org/>
☒ William Cox, Black Duck Software, Inc.
☒ Patrick Emsweller, Cisco Systems, Inc. <https://www.cisco.com/>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3 <https://lp3.com/>
☒ Art Manion
☒ MegaZone (CNA Board Liaison), F5, Inc.
☒ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Chandan Nandakumaraiah, Palo Alto Networks <https://www.paloaltonetworks.com/>
☐ Kathleen Noble, Intel Corporation <https://www.intel.com/>
☒ Madison Oliver, GitHub Security Lab
☒ Lisa Olson, Microsoft <https://www.microsoft.com/>
☐ Shannon Sabens, CrowdStrike, Inc. <https://www.crowdstrike.com/>
☒ Christopher Turner, NIST
☒ Takayuki Uchiyama, Panasonic Holdings Corporation <https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc. <https://www.broadcom.com/>

MITRE CVE Team Attendance

☒ Alec J Summers, Board Moderator

Agenda

* Introduction
* Topics
  * Working Group Updates
  * Moderated Board Discussion of Proposed Consumer Working Group
* Review of Action Items
* Closing Remarks

New Action Items from Today’s Meeting

New Action Item                                           Responsible Party
Provide Feedback on Proposed CVE Consumer Working Group   CVE Board
Review Changes to CVE Record Dispute Policy               CVE Board

Working Group Updates

Automation Working Group (AWG) Update

Search Capability v2: The new search functionality was deployed to test.cve.org on April 28. Early feedback highlighted usability challenges. To address immediate concerns, the team will clarify special character support in the documentation, add a banner to the test site outlining its limitations, and work to resolve the identified rendering anomaly. Additionally, users reported a record rendering glitch that causes inconsistent views after page reloads. The team is actively investigating and targeting a fix by May 9.

Reference Archive: Documentation is being drafted and a community test space is in planning.

User Registry MVP: Development is midway through a planned seven-sprint cycle on the Minimum Viable Product (MVP). A demo is tentatively scheduled for the next AWG meeting to review progress and gather feedback.

VulnCon Feedback: Community feedback emphasized the need for program-endorsed reference clients and clearly defined validation rules for development of clients for the CVE Services API. The AWG will generate a list of the validations CVE Services applies to API calls to inform stakeholders and developers.

CNA Organization of Peers (COOP): The COOP continues to serve as a valuable networking forum. The North America time zone call remains well attended, while participation during APAC region time zone calls is lighter. No new projects have been initiated since the onboarding guide refresh.
However, an opportunity has been identified for future collaboration with the QWG on a CNA self-audit checklist.

AI Working Group (AIWG): Review of the first draft of the AI Playbook and a proposal for adding AI tags to records is planned for the May 12 meeting. That same week, the AIWG aims to brief the QWG on the potential schema impacts of the proposals.

Outreach & Communications Working Group (OCWG): OCWG recently published six blog posts across three thematic campaigns: data enrichment, CNA recognition, and VulnCon 2025. Upcoming podcast episodes include a revamped “Working Groups 101” and a CVE and AI discussion, which will be coordinated with the AIWG once the playbook draft is ready. Meanwhile, the “Becoming a CNA” video is being updated to reflect Rules 4.0 updates, with a proposed script to be submitted to the TWG in mid-May.

Quality Working Group (QWG): Following insights from VulnCon 2025, data quality remains a top concern for CVE stakeholders. The working group decided to retain current property names for version ranges, with a revised schema change proposal due May 10. A second proposed schema change for purl support, utilizing the “affected” array, remains in progress and will be compared to the “applicability” array prototype. A draft Request for Design (RFD) process has also been distributed for comment, with discussion planned for May 16.

Strategic Planning Working Group (SPWG): The revised CVE Record Dispute Policy entered its Board review phase from April 24 to May 2. Substantive comments from one Board member have triggered a return to the SPWG for further review, likely to result in a new draft by May 8. Additionally, the revisions to rules, which contain non-breaking edits (e.g., end-of-life disclosure language, CVE year guidance, vendor advisory ID requirements), will undergo a one-week review followed by a one-week vote.

Tactical Working Group (TWG): The TWG is currently updating the Code of Conduct.
The group also is reviewing the Enrichment Recognition List, which has gained significant traction in the community and will be adjusted to encourage partner participation. Looking ahead, the TWG plans to share the anonymized 2025 Survey dataset with all working groups for input before public release.

Vulnerability Conference & Events Working Group (VCEWG): VCEWG is editing the 2025 VulnCon videos, adding graphics and captions, for cross-posting to CVE and FIRST (Forum of Incident Response and Security Teams) channels by May 20. The program committee has been relaunched with four active volunteers, and a draft framework for the 2026 call for papers is underway. The group has also finalized its internal Code of Conduct Violation SOP in collaboration with FIRST and will share its findings with the TWG to inform the broader code of conduct renewal.

________________________________

Moderated Board Discussion of Proposed Consumer Working Group

Endorsement and Purpose: The Board discussion endorsed the creation of a Consumer Working Group (CWG), provided it includes sector-balanced participation and clearly defined responsibilities. Members noted that consumers are varied, from enterprises and SOC analysts to users of tool-generated data, and that the CWG should serve as a meaningful counterbalance to the producer-heavy composition of the current Board. The group emphasized the need to include voices from a wide range of industries, including open-source distributions.

Structure and Representation: The members favored a controlled enrollment model over open participation, supporting an intentional approach for wider representation. There was also discussion about whether existing working group charters require balanced representation, prompting a review of charter templates. The Board also discussed the possibility of launching a time-boxed Special Interest Group (SIG) which could transition into a formal working group if the participation remains steady.

Next Steps: The Board agreed that the next steps should include refining the proposal and incorporating Board feedback into a revised charter. The Board would like more details on what the best consumer representation on the CWG should be and what kinds of information we are most interested in learning about CWG members.

________________________________

The CVE Board meeting adjourned early after a motion to adjourn was seconded.