CVE Board Meeting Minutes
June 25, 2025 (9:00 a.m. – 11:00 a.m. EST)

CVE Board Attendance
☒Pete Allor
☐Ken Armstrong, EWA – Canada, an Intertek Company<https://www.intertek.com/cybersecurity/ewa-canada/>
☒Tod Beardsley, Austin Hackers Anonymous<https://takeonme.org/> (AHA!)
☒Chris Coffin (MITRE At-Large), The MITRE Corporation<https://www.mitre.org/>
☒William Cox, Black Duck Software, Inc.
☐Jen Ellis, NextJenSecurity<https://uk.linkedin.com/in/infosecjen>
☒Patrick Emsweller, Cisco Systems, Inc.<https://www.cisco.com/>
☐Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐Tim Keanini
☐Kent Landfield
☒Scott Lawler, LP3<https://lp3.com/>
☐Art Manion
☐MegaZone (CNA Board Liaison), F5, Inc.
☐Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐Chandan Nandakumaraiah
☐Kathleen Noble
☒Madison Oliver, GitHub Security Lab
☒Lisa Olson, Microsoft<https://www.microsoft.com/>
☐Shannon Sabens, CrowdStrike, Inc.<https://www.crowdstrike.com/>
☐Christopher Turner, NIST
☒Takayuki Uchiyama, Panasonic Holdings Corporation<https://holdings.panasonic/global/>
☒David Waltermire
☒James “Ken” Williams, Broadcom Inc.<https://www.broadcom.com/>

MITRE CVE Team Attendance
☒ Kris Britton
☐ Christine Deal
☒ Dave Morse
☒ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda

  *   Introduction
  *   Topics
     *   Guest speaker from HeroDevs: Vulnerabilities in Unsupported or Forked Projects
     *   Working Group Updates
     *   CVE Program Funding and Governance
     *   GCVE and GNAs
  *   Review of Action Items
  *   Closing Remarks
New Action Items from Today’s Meeting
New Action Item: Meet with HeroDevs to explore a path forward on how to treat vulnerabilities in unsupported or forked projects.
Responsible Party: CVE Board

HeroDevs Discussion
A representative from the HeroDevs CNA introduced a pressing concern regarding 
vulnerabilities in the open-source fork of a platform that is no longer 
maintained by its product owner. Because the relevant CNA does not recognize 
downstream forks, these vulnerabilities are currently not reflected in CVE 
Records, despite being exploited in the wild.
Key points from the discussion:

  *   The CVE system lacks clarity on how to treat vulnerabilities in 
unsupported or forked projects when the original CNA does not engage.
  *   There was debate over whether new CVEs should be issued for forks or 
whether ADPs (Authorized Data Publishers) should enrich the original CVEs with 
downstream impact.
  *   A clear appetite emerged for policy evolution, with strong interest in:
     *   Clarifying the dispute policy for EOL software
     *   Exploring models from other ecosystems (e.g., Ubuntu kernel forks)
     *   Formalizing enrichment mechanisms via ADPs
A subgroup will follow up with HeroDevs and internal contacts to explore a 
feasible CVE path for the issue.
________________________________
Working Group Updates
Automation Working Group (AWG)

  *   The AWG provided an update on the minimum viable product (MVP) of the 
user registry, confirming that it is collecting feedback until July 12, when it 
will adjudicate the comments on the MVP.
  *   AWG also recently completed Phase 3 of the enhanced search capabilities 
for the cve.org website.
  *   Recent topics included discussion of an MCP framework. Upcoming work may 
focus on automated access control, data attribution logging, and open APIs for 
vulnerability metadata.
AI Working Group (AIWG)

  *   The AI WG compiled a sample set of existing AI-related CVEs to support 
collaboration with the CWE AI Working Group and the CVSS Special Interest Group.
  *   The group also received input from the QWG on how to better inform 
consumers about AI-related vulnerabilities, particularly through enhanced CWE 
guidance.
  *   Work continued developing a playbook for triaging and assigning CVE IDs 
for AI-related vulnerabilities. The first draft is expected by the next AI WG 
meeting on July 7, 2025.
Outreach & Communications Working Group (OCWG)
No members were available to speak about the OCWG’s recent activities.
Quality Working Group (QWG)

  *   The QWG is finalizing a Request for Discussion (RFD) process to better 
document and manage changes to the CVE record format, with implementation 
expected soon. A link to the proposal and template will be shared.
  *   Initial conversations have also begun on how to handle remediation and 
fix information, with updates to come as ideas solidify.
  *   Summary slides of recent survey feedback are being drafted and will be 
reviewed by the group before presentation to the Board.
Strategic Planning Working Group (SPWG)

  *   The SPWG has finalized revisions to the CVE dispute policy, including 
three additions to the CVE glossary. The policy is currently under a formal 
vote. Updates reflect feedback that strengthened the document beyond its 
original form.
  *   The group’s next area of focus is revisiting the concept and scope of 
Authorized Data Publishers (ADPs). Discussions have begun around redefining the 
ADP model to allow greater flexibility and scalability, moving away from 
earlier assumptions that limited ADP roles to a small number of highly vetted 
entities. Ideas included support for more diverse data enrichment and CNA 
participation levels, as well as reevaluation of how ADP technology and 
automation can be better leveraged.
  *   Considerations are also being made regarding how these changes might 
affect ongoing efforts like the user registry. Coordination with related 
efforts, such as automation requirements, will be explored further in upcoming 
meetings.
Tactical Working Group (TWG)

  *   TWG’s recent discussion focused primarily on the HeroDevs EOL topic. The 
group explored how the project’s open-source nature impacts its classification, 
with consensus emerging that it should be treated as a distinct product and 
assigned a separate CVE.
Vulnerability Conference and Events Working Group (VCEWG)

  *   The VCEWG remains on hiatus but is expected to resume activity in late 
July. A meeting is planned to align participation and identify the right 
individuals to support the group’s future efforts.

________________________________
CVE Program Funding and Governance
The Board discussed the criticality of CVE Program funding for core functions 
and services.
Several members voiced their concerns over funding stability.
Members discussed the idea of diversifying funding through various methods 
(e.g., interagency, intergovernmental collaboration, international government 
support).
Members discussed the importance of CVE’s public neutrality and independence in 
considering alternative funding.
Members called to continue discussing these and other governance matters in 
future meetings.
________________________________
GCVE and GNAs
The designated speaker was not present, so no discussion took place during this 
session item. The topic will be carried over to a future meeting. Relevant 
resources were shared via links in the agenda.
________________________________
Open Discussion
None.
Review of Action Items
Deferred.