CVE Board Meeting Minutes
July 9, 2025 (2:00 p.m. – 4:00 p.m. EST)

CVE Board Attendance
☒Pete Allor
☐Ken Armstrong, EWA – Canada, an Intertek Company<https://www.intertek.com/cybersecurity/ewa-canada/>
☒Tod Beardsley, Austin Hackers Anonymous<https://takeonme.org/> (AHA!)
☒Chris Coffin (MITRE At-Large), The MITRE Corporation<https://www.mitre.org/>
☐William Cox, Black Duck Software, Inc.
☐Jen Ellis, NextJenSecurity<https://uk.linkedin.com/in/infosecjen>
☒Patrick Emsweller, Cisco Systems, Inc.<https://www.cisco.com/>
☒Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐Tim Keanini
☐Kent Landfield
☐Scott Lawler, LP3<https://lp3.com/>
☒Art Manion
☒MegaZone (CNA Board Liaison), F5, Inc.
☐Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☒Chandan Nandakumaraiah, NETGEAR<https://www.netgear.com/>
☒Kathleen Noble, Intel Corporation<https://www.intel.com/>
☒Madison Oliver, GitHub Security Lab
☒Lisa Olson, Microsoft<https://www.microsoft.com/>
☒Shannon Sabens, CrowdStrike, Inc.<https://www.crowdstrike.com/>
☒Christopher Turner, NIST
☐Takayuki Uchiyama, Panasonic Holdings Corporation<https://holdings.panasonic/global/>
☒David Waltermire
☒James “Ken” Williams, Broadcom Inc.<https://www.broadcom.com/>

MITRE CVE Team Attendance
☒ Kris Britton
☐ Christine Deal
☒ Matt Power
☐ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers



Agenda

  *   Introduction
  *   Topics
     *   Status Update: SW Identity in CVE Record Format
     *   GCVE and GNAs
     *   CVE.MITRE.Org Retirement
     *   Planning Ahead: Fall Technical Workshop
     *   CVE Record Enrichment and AI

  *   Review of Action Items
  *   Closing Remarks
New Action Items from Today’s Meeting

  *   New Action Item: Reach out to GCVE about collaboration and encourage participation as a CNA
      Responsible Party: Secretariat
  *   New Action Item: SW Identity in CVE Record Format: an executive summary of the proposal, its rationale, and its implementation details will be prepared and circulated to all Board members
      Responsible Party: Guest Speaker and Secretariat
  *   New Action Item: CISA Questions Follow-Up
      Responsible Party: Secretariat

Status Update: SW Identity in CVE Record Format

A detailed presentation was delivered by a representative from the Quality 
Working Group (QWG) outlining a significant proposal to enhance the CVE Record 
Format.

  *   Proposal Overview: The QWG recommended a proposal to expand software 
identifier support within CVE Records. The core of the proposal is the addition 
of two new optional fields to the affected products object in the CVE JSON 5.x 
schema to support two new identifier types: Package URLs (purls) and OmniBOR 
Artifact IDs. This proposal aims to directly address long-standing challenges 
in the vulnerability management ecosystem by:
     *   Enhancing Automated Applicability Checking: Providing 
machine-readable, structured identifiers to reduce the manual effort and 
ambiguity involved in determining if a CVE applies to a specific software 
instance.
     *   Increasing Granularity: Moving beyond the current, often 
coarse-grained identifiers (like vendor/product names) to allow for 
fine-grained identification of specific packages or even individual files 
(artifacts).
     *   Improving Data Interoperability: Enabling seamless cross-linking 
between CVE records and other critical datasets, most notably Software Bills of 
Materials (SBOMs), which heavily utilize identifiers like purl.
  *   Rationale and Justification: The presenter emphasized this proposal is a 
direct response to strong and persistent demand from the broader community. 
This was evidenced by multiple, heavily attended sessions on software identity 
at the recent VulnCon, including a panel discussion that ran for double its 
scheduled time due to audience engagement. Furthermore, a recent QWG survey 
identified Package URL as the single most desired new data type for inclusion 
in the CVE format, with OmniBOR also ranking highly. The proposal is carefully 
designed to be an additive change, complementing—not replacing—existing 
identifiers like CPEs, and is informed by a foundational CISA paper that frames 
the modern software identity landscape as a multi-identifier ecosystem.
  *   Discussion: A robust discussion followed the presentation.
     *   A question was raised regarding how the proposal would handle the 
identification of specific compiled binaries, a known challenge for traditional 
identifiers. It was explained that OmniBOR Artifact IDs are perfectly suited 
for this use case, as they are content-based hashes. A CNA could, for example, 
list the specific OmniBOR IDs for all vulnerable binary files shipped with a 
product, allowing for unambiguous identification by consumers.
     *   The topic of measuring the proposal’s success was explored. The 
presenter explained the QWG's new Request for Discussion (RFD) process, used to 
develop this proposal, mandates the inclusion of success metrics. For this 
initiative, success will be judged on both the "supply side" (adoption by CNAs 
who enrich records with the new identifiers) and the "demand side" (evidence 
that downstream consumers are finding value in and using the new data for 
automation). The RFD also includes a rollback strategy should the new fields 
fail to gain traction or provide value.
     *   There was a consensus this proposal represents a positive and 
necessary evolution for the program. One member noted that while this change is 
additive and optional, it is far less controversial than the previous Board 
vote on CPE integration, which involved aligning with a decades-long history 
from an external partner. Nonetheless, maintaining a formal and transparent 
process was seen as crucial.
  *   Next Steps: The discussion turned to the formal approval process. It was 
agreed that because this change constitutes a minor version update to the 
official CVE Record Format, a formal Board vote is the appropriate path 
forward, ensuring consistency with past precedent. To facilitate an informed 
vote, an executive summary of the proposal, its rationale, and its 
implementation details will be prepared and circulated to all Board members. 
The Board will aim to hold the vote during the next meeting to keep the schema 
release on schedule.
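To make the "automated applicability checking" goal concrete, here is an added example (not code from the minutes, the QWG proposal, or the CVE Program) that derives an OmniBOR Artifact ID from file content and matches a constructed CVE 5.x affected entry by either purl or artifact ID. The field names "packageURLs" and "omniborArtifactIds", the CVE ID, and the sample file contents are assumptions; the minutes do not give the schema's final names.

```python
import hashlib
import json

# Constructed CVE 5.x record fragment (not a real CVE). The field names
# "packageURLs" and "omniborArtifactIds" are assumptions; the minutes do
# not state the final names the QWG proposal uses.
CVE_RECORD = json.loads("""
{"cveMetadata": {"cveId": "CVE-0000-00000"},
 "containers": {"cna": {"affected": [
   {"vendor": "example", "product": "libwidget",
    "packageURLs": ["pkg:generic/libwidget@1.2.3"],
    "omniborArtifactIds": []}]}}}
""")

# Constructed sample file contents standing in for a shipped binary and
# its patched successor.
VULNERABLE_BLOB = b"widget-1.2.3 [unsafe copy]"
PATCHED_BLOB = b"widget-1.2.4 [bounded copy]"


def omnibor_blob_id(data: bytes) -> str:
    """OmniBOR Artifact ID of a blob (a gitoid over SHA-256).

    The identifier is sha256("blob <length>\\0" + content), so it depends
    only on the bytes, never on the file name or path.
    """
    h = hashlib.sha256()
    h.update(b"blob %d\0" % len(data))
    h.update(data)
    return "gitoid:blob:sha256:" + h.hexdigest()


# The CNA lists the exact artifact it shipped with the flaw.
CVE_RECORD["containers"]["cna"]["affected"][0]["omniborArtifactIds"].append(
    omnibor_blob_id(VULNERABLE_BLOB))


def affected_entries(record: dict, purl: str = None, blob: bytes = None) -> list:
    """Return affected entries matched by an exact purl or by file content.

    Exact purl string comparison is deliberate here: real matching needs
    purl canonicalisation and version-range evaluation, which this skips.
    """
    blob_id = omnibor_blob_id(blob) if blob is not None else None
    hits = []
    for entry in record["containers"]["cna"]["affected"]:
        by_purl = purl is not None and purl in entry.get("packageURLs", [])
        by_blob = blob_id is not None and blob_id in entry.get("omniborArtifactIds", [])
        if by_purl or by_blob:
            hits.append(entry)
    return hits
```

A renamed copy of the vulnerable file still matches, and the patched file does not, which is the property that name-based identifiers cannot give a consumer.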

________________________________

GCVE and GNAs

A Board member raised a concern regarding the emergence of the Global CVE 
(GCVE) program and its potential to cause fragmentation in the vulnerability 
identifier space. The core issue presented was the risk of creating a parallel 
vulnerability database where vulnerabilities are assigned a GCVE identifier but 
are not tracked in the main CVE database, forcing organizations to monitor 
separate, potentially conflicting, sources of information. This, it was argued, 
would be a regression to the pre-1999 state of inconsistency that the CVE 
Program was created to solve.

  *   Discussion: The conversation expanded into a broader debate about the 
underlying causes of such fragmentation. One perspective offered was that these 
new initiatives are a symptom of deep-seated community fears about the CVE 
Program's long-term stability. It was argued that "perception is reality," and 
if key stakeholders fear the CVE Program going away, they will naturally begin 
to create and support alternative systems as a hedge. In contrast, others 
suggested that while these fears exist in some circles, they are not universal. 
Evidence was cited of high levels of engagement and interest in joining the CVE 
Program from new entities, including approximately 18 national CERTs at a 
recent conference, indicating continued confidence in the program's value and 
future.
  *   Suggestions and Next Steps: Despite the differing views on the root 
cause, there was agreement on the need for proactive engagement.
     *   A suggestion was made for the CVE Program to consider making a strong 
public statement against the fragmentation of vulnerability identifiers, 
reaffirming its central role and mission.
     *   An action item was established: the program will formally reach out to 
the leadership of the GCVE program. The goal of this outreach is to open a 
dialogue, better understand their objectives, and strongly encourage them to 
participate directly in the CVE ecosystem by becoming a CNA, which would ensure 
their vulnerability findings are properly integrated into the global CVE 
database.

________________________________

CVE.MITRE.Org Retirement

A status update was provided regarding the planned retirement of the legacy 
cve.mitre.org website.

  *   Timeline and Technical Details: The project remains on schedule for 
completion in late August / early September. The physical hardware hosting the 
old site is being decommissioned. All historical site content and data are 
being migrated to a new AWS instance to ensure preservation. Key technical 
work, such as decoupling the old search functionality, has been completed. A 
redirect strategy using AWS CloudFront is being coded to ensure that all legacy 
URLs seamlessly redirect users to the correct content on the modern cve.org 
site.
  *   Data Preservation: It was confirmed that all historical content, 
including the full archive of Board meeting minutes, working group documents, 
and other community resources, will be preserved and remain accessible through 
the new site.
  *   Communication: The group discussed messaging around the final 
switch-over. While a prominent banner on the legacy site has provided ample 
notice, it was agreed that a final communication push through official channels 
would be a prudent step to minimize any potential disruption for users with old 
bookmarks or links.

________________________________

Planning Ahead: Fall Technical Workshop

The Board initiated planning for the 2025 Fall Technical Workshop, a key event 
for the CNA community.

  *   Format and Dates: There was strong consensus to retain the successful 
virtual format from recent years: a two-day event, with each day consisting of 
a four-hour session. This structure was well received for its ability to 
accommodate attendees across European and American time zones and for 
preventing the "virtual fatigue" of a full-day event. The tentative dates of 
October 22-23, 2025, were proposed.
  *   Enhancing Community Engagement: A significant point of discussion was the 
desire to improve direct interaction among attendees. Feedback from past 
virtual events indicated that CNAs want more opportunities to connect and 
collaborate. To address this, several ideas were brainstormed, including:
     *   Hosting dedicated breakout rooms for specific topics.
     *   Organizing informal, track-specific "happy hours" or networking 
sessions at the end of each day.
     *   Ensuring the virtual platform's chat functionality is fully enabled to 
allow for open communication among all attendees, a limitation noted in a 
previous workshop.
  *   Next Steps: The Events Working Group will coordinate the event planning 
across various stakeholders. As in years past, the TWG and COOP may help with 
planning as well. A key priority is to finalize and announce the dates as soon 
as possible – tentative dates were identified as October 22 and 23. This early 
announcement is seen as critical for attracting a diverse range of speakers and 
ensuring maximum participation from the global CNA community.

________________________________

CVE Record Enrichment and AI

A member proposed the Board dedicate time at a future meeting to discuss the 
strategic implications of Artificial Intelligence (AI) for the CVE Program. 
Although the member had to depart early, they framed the topic as an emerging 
priority, suggesting the discussion could explore how AI might be used to 
enrich CVE Records, either by providing a "first crack" at enrichment for human 
review or by generating an "AI-enhanced" alternative view of a CVE Record. The 
topic was formally added to the agenda for the next Board meeting.
________________________________
Open Discussion
None.
________________________________
Review of Action Items
Deferred.
________________________________
Next CVE Board Meetings

  *   Wednesday, July 23, 2025, 9:00am – 11:00am (EST) - Working Group Updates
  *   Wednesday, August 6, 2025, 2:00pm – 4:00pm (EST)
  *   Wednesday, August 20, 2025, 9:00am – 11:00am (EST) - Working Group Updates
  *   Wednesday, September 3, 2025, 2:00pm – 4:00pm (EST)
  *   Wednesday, September 17, 2025, 9:00am – 11:00am (EST) - Working Group 
Updates
