CVE Board Meeting Minutes
June 25, 2025 (9:00 a.m. – 11:00 a.m. EST)

CVE Board Attendance
☒ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek Company <https://www.intertek.com/cybersecurity/ewa-canada/>
☒ Tod Beardsley, Austin Hackers Anonymous (AHA!) <https://takeonme.org/>
☒ Chris Coffin (MITRE At-Large), The MITRE Corporation <https://www.mitre.org/>
☒ William Cox, Black Duck Software, Inc.
☐ Jen Ellis, NextJenSecurity <https://uk.linkedin.com/in/infosecjen>
☒ Patrick Emsweller, Cisco Systems, Inc. <https://www.cisco.com/>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3 <https://lp3.com/>
☐ Art Manion
☐ MegaZone (CNA Board Liaison), F5, Inc.
☐ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Chandan Nandakumaraiah
☐ Kathleen Noble
☒ Madison Oliver, GitHub Security Lab
☒ Lisa Olson, Microsoft <https://www.microsoft.com/>
☐ Shannon Sabens, CrowdStrike, Inc. <https://www.crowdstrike.com/>
☐ Christopher Turner, NIST
☒ Takayuki Uchiyama, Panasonic Holdings Corporation <https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc. <https://www.broadcom.com/>
MITRE CVE Team Attendance
☒ Kris Britton
☐ Christine Deal
☒ Dave Morse
☒ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda
* Introduction
* Topics
  * Guest speaker from HeroDevs: Vulnerabilities in Unsupported or Forked Projects
  * Working Group Updates
  * CVE Program Funding and Governance
  * GCVE and GNAs
* Review of Action Items
* Closing Remarks

New Action Items from Today’s Meeting
New Action Item: Meet with HeroDevs to explore a path forward on how to treat vulnerabilities in unsupported or forked projects.
Responsible Party: CVE Board

HeroDevs Discussion
A representative from the HeroDevs CNA introduced a pressing concern regarding vulnerabilities in the open-source fork of a platform that is no longer maintained by its product owner. Because the relevant CNA does not recognize downstream forks, these vulnerabilities are currently not reflected in CVE Records, despite being exploited in the wild.

Key points from the discussion:
* The CVE system lacks clarity on how to treat vulnerabilities in unsupported or forked projects when the original CNA does not engage.
* There was debate over whether new CVEs should be issued for forks or whether ADPs (Authorized Data Publishers) should enrich the original CVEs with downstream impact.
* A clear appetite emerged for policy evolution, with strong interest in:
  * Clarifying the dispute policy for EOL software
  * Exploring models from other ecosystems (e.g., Ubuntu kernel forks)
  * Formalizing enrichment mechanisms via ADPs

A subgroup will follow up with HeroDevs and internal contacts to explore a feasible CVE path for the issue.

________________________________

Working Group Updates

Automation Working Group (AWG)
* The AWG provided an update on the minimum viable product (MVP) of the user registry, confirming that it is collecting feedback until July 12, when it will adjudicate the comments on the MVP.
* The AWG also recently completed Phase 3 of the enhanced search capabilities for the cve.org website.
* Recent topics included discussion of an MCP framework. Upcoming work may focus on automated access control, data attribution logging, and open APIs for vulnerability metadata.

AI Working Group (AIWG)
* The AIWG compiled a sample set of existing AI-related CVEs to support collaboration with the CWE AI Working Group and the CVSS Special Interest Group.
* The group also received input from the QWG on how to better inform consumers about AI-related vulnerabilities, particularly through enhanced CWE guidance.
* Work continued on a playbook for triaging and assigning CVE IDs for AI-related vulnerabilities. The first draft is expected by the next AIWG meeting on July 7, 2025.

Outreach & Communications Working Group (OCWG)
No members were available to speak about the OCWG’s recent activities.

Quality Working Group (QWG)
* The QWG is finalizing a Request for Discussion (RFD) process to better document and manage changes to the CVE Record format, with implementation expected soon. A link to the proposal and template will be shared.
* Initial conversations have also begun on how to handle remediation and fix information, with updates to come as ideas solidify.
* Summary slides of recent survey feedback are being drafted and will be reviewed by the group before presentation to the Board.

Strategic Planning Working Group (SPWG)
* The SPWG has finalized revisions to the CVE dispute policy, including three additions to the CVE glossary. The policy is currently under a formal vote. The updates reflect feedback that strengthened the document beyond its original form.
* The group’s next area of focus is revisiting the concept and scope of Authorized Data Publishers (ADPs). Discussions have begun around redefining the ADP model to allow greater flexibility and scalability, moving away from earlier assumptions that limited ADP roles to a small number of highly vetted entities. Ideas included support for more diverse data enrichment and CNA participation levels, as well as a reevaluation of how ADP technology and automation can be better leveraged.
* The group is also considering how these changes might affect ongoing efforts such as the user registry. Coordination with related efforts, such as automation requirements, will be explored further in upcoming meetings.

Tactical Working Group (TWG)
* The TWG’s recent discussion focused primarily on the HeroDevs EOL topic. The group explored how the project’s open-source nature affects its classification, with consensus emerging that it should be treated as a distinct product and assigned a separate CVE.

Vulnerability Conference and Events Working Group (VCEWG)
* The VCEWG remains on hiatus but is expected to resume activity in late July. A meeting is planned to align participation and identify the right individuals to support the group’s future efforts.

________________________________

CVE Program Funding and Governance
The Board discussed the criticality of CVE Program funding for core functions and services. Several members voiced concerns over funding stability. Members discussed the idea of diversifying funding through various methods (e.g., interagency and intergovernmental collaboration, international government support). Members also stressed the importance of the CVE Program’s public neutrality and independence when considering alternative funding. Members called for these and other governance matters to continue to be discussed in future meetings.

________________________________

GCVE and GNAs
The designated speaker was not present. No discussion took place during this session item; the topic will be carried over to a future meeting. Relevant resources were shared via links in the agenda.

________________________________

Open Discussion
None.

Review of Action Items
Deferred.