CVE Board Meeting Minutes September 3, 2025 (2:00 p.m. – 4:00 p.m. EST)
CVE Board Attendance

☒ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek Company<https://www.intertek.com/cybersecurity/ewa-canada/>
☒ Tod Beardsley, Austin Hackers Anonymous<https://takeonme.org/> (AHA!)
☒ Chris Coffin (MITRE At-Large), The MITRE Corporation<https://www.mitre.org/>
☐ William Cox, Black Duck Software, Inc.<https://www.blackduck.com/>
☐ Jen Ellis, NextJen Security<https://uk.linkedin.com/in/infosecjen>
☒ Patrick Emsweller, Cisco Systems, Inc.<https://www.cisco.com/>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.cisa.gov/about/divisions-offices/cybersecurity-division>
☐ Tim Keanini
☐ Kent Landfield
☐ Scott Lawler, LP3<https://lp3.com/>
☒ Art Manion
☐ MegaZone (CNA Board Liaison), F5, Inc.<https://www.f5.com/>
☒ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Chandan Nandakumaraiah
☒ Kathleen Noble
☒ Madison Oliver, GitHub Security Lab<https://securitylab.github.com/>
☒ Lisa Olson, Microsoft<https://www.microsoft.com/>
☒ Shannon Sabens, CrowdStrike, Inc.<https://www.crowdstrike.com/>
☐ Christopher Turner, NIST<https://www.nist.gov/>
☒ Takayuki Uchiyama, Panasonic Holdings Corporation<https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc.<https://www.broadcom.com/>

MITRE CVE Team Attendance

☐ Kris Britton
☒ Christine Deal
☐ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda

* Working Group Updates
* Code of Conduct
* FOIA Request
* WG Updates
* Continuation of AI Discussion
* Open Discussion

New Action Items from Today’s Meeting

New Action Item | Responsible Party
Form a small group to review and revise the current Code of Conduct policy to address ambiguities and improve clarity. | Board
Develop guidelines for the responsible use of AI-generated content for CNAs and ADPs, using existing frameworks as a potential reference. | Board
Establish and publish criteria for the ADP pilot, including a statement that the criteria may evolve based on pilot results. | SPWG

________________________________

Working Group Updates

The Secretariat addressed the new method for collecting working group updates via a public Teams instance. It was acknowledged that there have been some initial technical issues and pain points with the new process. A key challenge identified is the coordination required to bring non-Board working group chairs into Board meetings for discussions. It was suggested that starting meetings with these updates could allow external chairs to join for their segment and then depart. Board members provided feedback, suggesting alternatives such as Google Workspace or Groups.io for easier collaboration and proposing that chairs who cannot access the primary platform should be able to submit their updates via email.

________________________________

Code of Conduct Policy

A Board member presented a summary document analyzing the recent issues surrounding the Code of Conduct policy. The core problem identified was the policy's ambiguity, which led to differing interpretations and frustration among Board members. It was emphasized that the goal is not to re-litigate the past incident but to improve the policy for the future. The Board agreed that the policy needs to be reviewed and updated for clarity. Several members volunteered to form a working group to revise the document. A broader question was also raised about the need to define how a "Board opinion" is formed and under what conditions members can speak on behalf of the Board, which should inform the policy revision. As part of this effort, it was suggested that a clear description of the roles and responsibilities of all participants in the CVE Program be written to reduce public confusion.

________________________________

FOIA Request

A Board member provided an update on a Freedom of Information Act (FOIA) request they filed for information on MITRE’s work and payment related to the CVE Program. The request was denied for lacking sufficient detail. A representative from CISA explained that government employees, including those in the FOIA office, are prohibited from providing guidance on how to successfully file a request, as it is outside their remit. Board members expressed disappointment that the FOIA process was necessary to obtain this information, highlighting a need for greater transparency.

________________________________

Continuation of AI Discussion

The topic of using Artificial Intelligence for CVE enrichment was revisited. Board members emphasized the need for guidelines and criteria for CNAs and Authorized Data Publishers (ADPs) that use AI-generated content. The discussion highlighted the importance of first defining what constitutes a "quality" CVE Record before establishing rules for AI-generated data, as the program currently has a lot of human-produced data of varying quality. A member shared GitHub's community code of conduct regarding the responsible use of AI-generated content as a potential reference. It was agreed that establishing general ADP criteria and developing AI guidelines should happen in parallel, as the use of AI by CNAs is likely already occurring.

________________________________

Open Discussion

Supplier ADP Pilot: An update was provided on the Supplier Authorized Data Publisher (SADP) pilot program. The plan will allow suppliers (e.g., Microsoft) to add their own status information to existing CVE Records for upstream components (e.g., curl). The Strategic Planning Working Group (SPWG) is developing criteria for what qualifies an entity to be a supplier CNA. A key consideration is ensuring that upstream projects are not surprised by ADP containers appearing on their records and that there is proper coordination. It was noted that while the pilot does not require a formal Board vote, the Board must be kept informed of major developments.

Assignment Overlapping Scopes: A discussion was held on the ongoing efforts to address overlapping scopes in CVE assignments, particularly for high-profile vulnerabilities. A "claiming dibs" protocol is being tested to allow CNAs to signal their intent to assign a CVE, aiming to improve coordination and reduce conflicts. This experimentation is being conducted in a private GitHub repository, and the work is expected to lead to proposed changes to the CNA rules.

CVE Record Format Update: The Board was informed that the release candidate for version 5.2.0 of the CVE Record format is now available. This update includes changes to the affected array and the product object. It was also noted that the Board should consider issuing a public response or blog post to address the findings from the recent CVE survey.

Consumer Working Group: The Board was reminded that the new Consumer Working Group held its first meeting. Members were encouraged to participate in and promote the group, as its feedback is intended to help inform the program's strategic focus.
