CVE Board Meeting Minutes
June 25, 2025 (9:00 a.m. – 11:00 a.m. EST)
CVE Board Attendance
☒Pete Allor
☐Ken Armstrong, EWA – Canada, an Intertek
Company<https://www.intertek.com/cybersecurity/ewa-canada/>
☒Tod Beardsley, Austin Hackers Anonymous<https://takeonme.org/> (AHA!)
☒Chris Coffin (MITRE At-Large), The MITRE Corporation<https://www.mitre.org/>
☒William Cox, Black Duck Software, Inc.
☐Jen Ellis, NextJenSecurity<https://uk.linkedin.com/in/infosecjen>
☒Patrick Emsweller, Cisco Systems, Inc.<https://www.cisco.com/>
☐Jay Gazlay, Cybersecurity and Infrastructure Security Agency
(CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐Tim Keanini
☐Kent Landfield
☒Scott Lawler, LP3<https://lp3.com/>
☐Art Manion
☐MegaZone (CNA Board Liaison), F5, Inc.
☐Tom Millar, Cybersecurity and Infrastructure Security Agency
(CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐Chandan Nandakumaraiah
☐Kathleen Noble
☒Madison Oliver, GitHub Security Lab
☒Lisa Olson, Microsoft<https://www.microsoft.com/>
☐Shannon Sabens, CrowdStrike, Inc.<https://www.crowdstrike.com/>, Inc.
☐Christopher Turner, NIST
☒Takayuki Uchiyama, Panasonic Holdings
Corporation<https://holdings.panasonic/global/>
☒ David Waltermire
☒James “Ken” Williams, Broadcom Inc.<https://www.broadcom.com/>
MITRE CVE Team Attendance
☒ Kris Britton
☐ Christine Deal
☒ Dave Morse
☒ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers
Agenda
* Introduction
* Topics
* Guest speaker from HeroDevs: Vulnerabilities in Unsupported or Forked
Projects
* Working Group Updates
* CVE Program Funding and Governance
* GCVE and GNAs
* Review of Action Items
* Closing Remarks
New Action Items from Today’s Meeting
New Action Item
Responsible Party
Meet with HeroDevs to explore path forward on how to treat vulnerabilities in
unsupported or forked projects.
CVE Board
HeroDevs Discussion
A representative from HeroDevs CNA introduced a pressing concern regarding
vulnerabilities in the open-source fork of a platform which is no longer
maintained by a product owner. Because the relevant CNA does not recognize
downstream forks, these vulnerabilities are currently not reflected in CVE
Records, despite being exploited in the wild.
Key points from the discussion:
* The CVE system lacks clarity on how to treat vulnerabilities in
unsupported or forked projects when the original CNA does not engage.
* There was debate over whether new CVEs should be issued for forks or
whether ADPs (Authorized Data Providers) should enrich the original CVEs with
downstream impact.
* A clear appetite emerged for policy evolution, with strong interest in:
* Clarifying the dispute policy for EOL software
* Exploring models from other ecosystems (e.g., Ubuntu kernel forks)
* Formalizing enrichment mechanisms via ADPs
A subgroup will follow up with HeroDevs and internal contacts to explore a
feasible CVE path for the issue.
________________________________
Working Group Updates
Automation Working Group (AWG)
* The AWG provided an update on the minimum viable product (MVP) of the
user registry, confirming that it is collecting feedback until July 12, when it
will adjudicate the comments on the MVP.
* AWG also recently completed Phase 3 of the enhanced search capabilities
for the cve.org website.
* Recent topics included discussion of an MCP framework. Upcoming work may
focus on automated access control, data attribution logging, and open APIs for
vulnerability metadata.
AI Working Group (AIWG):
* The AI WG compiled a sample set of existing AI-related CVEs to support
collaboration with the CWE AI Working Group and the CVSS Special Interest Group.
* The group also received input from the QWG on how to better inform
consumers about AI-related vulnerabilities, particularly through enhanced CWE
guidance.
* Work continued developing a playbook for triaging and assigning CVE IDs
for AI-related vulnerabilities. The first draft is expected by the next AI WG
meeting on July 7, 2025.
Outreach & Communications Working Group (OCWG):
No members were available to speak about the OCWG’s recent activities.
Quality Working Group (QWG):
* The QWG is finalizing a Request for Discussion (RFD) process to better
document and manage changes to the CVE record format; with implementation
expected soon. A link to the proposal and template will be shared.
* Initial conversations have also begun on how to handle remediation and
fix information, with updates to come as ideas solidify.
* Summary slides of recent survey feedback are being drafted and will be
reviewed by the group before presentation to the Board.
Strategic Planning Working Group (SPWG):
* The SPWG has finalized revisions to the CVE dispute policy, including
three additions to the CVE glossary. The policy is currently under a formal
vote. Updates reflect feedback that strengthened the document beyond its
original form.
* The group’s next area of focus is revisiting the concept and scope of
Authorized Data Publishers (ADPs). Discussions have begun around redefining the
ADP model to allow greater flexibility and scalability, moving away from
earlier assumptions that limited ADP roles to a small number of highly vetted
entities. Ideas included support for more diverse data enrichment and CNA
participation levels, as well as reevaluation of how ADP technology and
automation can be better leveraged.
* Considerations are also being made regarding how these changes might
affect ongoing efforts like the user registry. Coordination with related
efforts, such as automation requirements, will be explored further in upcoming
meetings.
Tactical Working Group (TWG):
* TWG’s recent discussion focused primarily on the HeroDevs EOL topic. The
group explored how the project’s open-source nature impacts its classification,
with consensus emerging that it should be treated as a distinct product and
assigned a separate CVE.
Vulnerability Conference and Events Working Group (VCEWG):
* The VCEWG remains on hiatus but is expected to resume activity in late
July. A meeting is planned to align participation and identify the right
individuals to support the group’s future efforts.
________________________________
CVE Program Funding and Governance
The Board discussed the criticality of CVE Program funding for core functions
and services.
Several members voiced their concerns over funding stability.
Members discussed the idea of diversifying funding through various methods
(e.g., interagency, intergovernmental collaboration, international government
support).
Members discussed the importance of CVE’s public neutrality and independence in
considering alternative funding.
Members called to continue discussing these and other governance matters in
future meetings.
________________________________
GCVE and GNAs
The designated speaker was not present. No discussion took place during this
session item. Topic will be carried over to a future meeting. Relevant
resources were shared via links in the agenda.
________________________________
Open Discussion
None.
Review of Action Items
Deferred.
