CVE Board Meeting Minutes
September 17, 2025 (2:00 p.m. – 4:00 p.m. EST)

CVE Board Attendance
☒ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek Company<https://www.intertek.com/cybersecurity/ewa-canada/>
☒ Tod Beardsley, Austin Hackers Anonymous<https://takeonme.org/> (AHA!)
☐ Chris Coffin (MITRE At-Large), The MITRE Corporation<https://www.mitre.org/>
☐ William Cox, Black Duck Software, Inc.<https://www.blackduck.com/>
☒ Jen Ellis, NextJen Security<https://uk.linkedin.com/in/infosecjen>
☒ Patrick Emsweller, Cisco Systems, Inc.<https://www.cisco.com/>
☒ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.cisa.gov/about/divisions-offices/cybersecurity-division>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3<https://lp3.com/>
☒ Art Manion
☐ MegaZone (CNA Board Liaison), F5, Inc.<https://www.f5.com/>
☐ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☒ Chandan Nandakumaraiah
☒ Kathleen Noble
☒ Madison Oliver, GitHub Security Lab<https://securitylab.github.com/>
☒ Lisa Olson, Microsoft<https://www.microsoft.com/>
☒ Shannon Sabens, CrowdStrike, Inc.<https://www.crowdstrike.com/>
☐ Christopher Turner, NIST<https://www.nist.gov/>
☐ Takayuki Uchiyama, Panasonic Holdings Corporation<https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc.<https://www.broadcom.com/>
MITRE CVE Team Attendance
☐ Kris Britton
☒ Christine Deal
☐ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda
* Listening Session: CISA Vision Paper
* EOL Assignments
* Supplier ADP Pilot Update
* Fall Workshop Agenda

New Action Items from Today’s Meeting
New Action Item                                                                              Responsible Party
Chair to circulate the Fall Workshop draft agenda and solicit volunteers for speaking roles.  Secretariat

________________________________

Listening Session: CISA Vision Paper

The board moderator began the meeting by welcoming attendees and acknowledging that the meeting had been rescheduled from the morning to the afternoon, expressing appreciation for members’ flexibility and understanding.

The first agenda item focused on the recent publication of the CISA document “Strategic Focus: CVE Quality for a Cyber Secure Future” (hereafter the “Vision Paper”). A representative from CISA gave an introductory overview and solicited feedback.

A board member noted that the Vision Paper characterizes the Board as advisory in nature and suggested clarifying that language in light of the Board’s previous roles and responsibilities. It was also suggested that the Vision Paper could more clearly acknowledge the role of nonprofit and private-sector partners, and the historical precedent for the CVE Program adapting and evolving when necessary.

The CISA representative reiterated a steadfast commitment to funding the CVE Program, noting that this support had been confirmed by leadership. The representative also stated that a fragmented vulnerability ecosystem would not serve the broader community well, and that maintaining a unified approach was a priority.

The discussion concluded with a consensus that the Board and CISA share similar goals for the CVE Program, and that ongoing collaboration and open dialogue would be essential to achieving them.
________________________________

EOL Assignments

The second agenda item addressed the management of end-of-life (EOL) software and hardware. A board member opened a discussion on the possibility of issuing CVE records for EOL products, with the aim of helping organizations better manage risk. The board member noted the federal government’s particular concern with inconsistent identification of EOL products and the operational challenges this presents.

Board members outlined several challenges with this approach, including the potential for a dramatic increase in the number of CVE records, concerns about the signal-to-noise ratio, and the scalability of managing EOL information across all suppliers. It was noted that every major version of a product could become an EOL case, potentially outpacing the number of vulnerabilities tracked annually.

The complexity of defining EOL for open-source software was discussed in detail. Members highlighted the lack of explicit statements from maintainers and the difficulty of reaching community consensus on what constitutes EOL or end-of-service.

Suggestions for addressing the EOL challenge included exploring automation strategies, leveraging growing efforts such as EOX, and considering partnerships with federal programs like FedRAMP to encourage vendor reporting of EOL products. The need for authoritative and scalable approaches to EOL identification was emphasized, along with the importance of community agreement on clear definitions.

The discussion also touched on the broader question of how the CVE Program might evolve to address related concerns, such as misconfigurations, insecure defaults, and vulnerabilities in cloud and AI services. Members noted that these topics are increasingly relevant and may require future consideration within the CVE framework.

________________________________

Supplier ADP Pilot Update

The third agenda item focused on the Supplier ADP (Authorized Data Publisher) pilot project.
The Supplier ADP pilot aims to address dependencies on open-source software in vendor products, with a particular focus on improving how vulnerability information about those dependencies is managed and communicated. The pilot is likely to involve vendors who are already producing VEX (Vulnerability Exploitability eXchange) files or working on VEX solutions, with the goal of learning from their experiences and identifying best practices. An example was given of how major vendors, such as Microsoft, track and communicate the integration of open-source components and their associated vulnerabilities in their products.

Members were reminded of a related paper that had been circulated for feedback and were encouraged to review it and contribute their thoughts. The importance of sharing notes and questions from the open-source CNA (CVE Numbering Authority) user group discussions with the broader team was highlighted as a means of fostering collaboration and continuous improvement.

________________________________

Fall Workshop Agenda

The final agenda item was the upcoming Fall Workshop. The board moderator presented a draft agenda structured around current and future CNA topics and invited feedback and suggestions from members. The draft included sessions on quality, formatting, scoring, schema updates, and technical elements, as well as opportunities for participants to volunteer as speakers.

The importance of including sessions on the CVE Program’s vision and roadmap was emphasized, along with the need for guided listening sessions to capture CNA community concerns and suggestions. Members were urged to propose additional topics and to help finalize the agenda promptly, given the approaching date of the workshop. Board members were encouraged to volunteer for speaking roles and to suggest other potential speakers, noting that the agenda was not set in stone and could be adapted to reflect the community’s interests and priorities.
The value of hearing directly from CNA community members and consumers of CVE information was highlighted as a means of empowering participants and fostering accountability.

________________________________

This document includes content generated with the assistance of Microsoft Teams Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the initial draft of the meeting minutes and provide suggestions for summarizing key discussion points. All AI-generated content has been reviewed and edited by the CVE Program prior to publishing. Please report any inaccuracies or other issues to the CVE Program.
