CVE Board Meeting Minutes
November 12, 2025 (9:00 a.m. – 11:00 a.m. EST)

CVE Board Attendance
☐ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek Company<https://www.intertek.com/cybersecurity/ewa-canada/>
☐ Tod Beardsley, Austin Hackers Anonymous<https://takeonme.org/> (AHA!)
☒ Chris Coffin (MITRE At-Large), The MITRE Corporation<https://www.mitre.org/>
☐ William Cox, Black Duck Software, Inc.<https://www.blackduck.com/>
☐ Jen Ellis, NextJen Security<https://uk.linkedin.com/in/infosecjen>
☒ Patrick Emsweller, Cisco Systems, Inc.<https://www.cisco.com/>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3<https://lp3.com/>
☒ Art Manion
☐ MegaZone (CNA Board Liaison), F5, Inc.<https://www.f5.com/>
☐ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Chandan Nandakumaraiah
☐ Kathleen Noble
☒ Madison Oliver, GitHub Security Lab<https://securitylab.github.com/>
☐ Lisa Olson, Microsoft<https://www.microsoft.com/>
☒ Shannon Sabens, CrowdStrike, Inc.<https://www.crowdstrike.com/>
☐ Christopher Turner, NIST<https://www.nist.gov/>
☒ Takayuki Uchiyama, Panasonic Holdings Corporation<https://holdings.panasonic/global/>
☒ David Waltermire
☐ James “Ken” Williams, Broadcom Inc.<https://www.broadcom.com/>

MITRE CVE Team Attendance
☒ Kris Britton
☒ Christine Deal
☐ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda
* Researcher Working Group (RWG) "Dibs" Process and Protocol
* Working Group (WG) Update Discussion

New Action Items from Today’s Meeting
New Action Item | Responsible Party
Working Group Update Process Improvement: Consolidate the ideas into an alternative proposal for final asynchronous deliberation and report back to the Board. | Secretariat

________________________________

RWG "Dibs" Process and Protocol

The RWG Chair updated the Board on the "Dibs" process, an experimental, GitHub-based channel designed for coordinating certain CVE ID assignments. The purpose of this protocol is to drastically reduce assignment lag time and minimize the risk of collision when a high-profile, publicly disclosed vulnerability lacks a CVE identifier.

The RWG Chair explained that the need for this process arises when multiple CNAs point at each other (the "Spider-Man" effect) without clear coordination, often in urgent situations such as when vulnerabilities are being exploited in the wild or highlighted by vendors without a corresponding CVE ID. The Dibs process encourages participation from CNAs with appropriately broad scopes, such as research organizations, open-source groups, bug bounty programs, and CNAs of Last Resort. Initial feedback suggests success in coordinating over ten such instances, and the next step involves expanding CNA participation and making the underlying coordination discussions public for greater community transparency.

A Board member endorsed the work and noted the need for synchronization with the Strategic Planning Working Group (SPWG). The SPWG is currently addressing minor CNA rule refinements, including clearer definitions of appropriate scope and definitive assignment timelines. Given that the Dibs process touches upon expedited timelines, the RWG Chair was encouraged to engage directly with the SPWG to ensure full alignment and prevent setting conflicting public expectations for assignment processes.
________________________________

Working Group Updates

The discussion focused on the current process for managing and delivering Working Group updates to the Board and the broader program. The Secretariat flagged cascading issues caused by WGs not consistently submitting the requested updates. The lack of WG updates creates problems not only for the Board’s situational awareness, but also for mandatory program reporting. Furthermore, external WG chairs frequently express confusion over the threshold required for a topic to be elevated for formal Board discussion, leading to missed opportunities for engagement.

To solve this problem, the Secretariat proposed reverting to mandatory bi-weekly updates, structured as tightly time-boxed presentations (2-5 minutes max) that focus exclusively on defined metrics: key outcomes, upcoming milestones, dependencies, and risks. This model aims for efficiency and situational awareness without permitting the updates to become long, tangential discussions.

Two alternatives were raised during the discussion:

* External Foundation Examples: One member presented the model of external foundations, like OpenSSF, which schedule quarterly updates a year in advance and mandate submission via templated Pull Requests that require formal Board approval. This method, acknowledged as best practice for organizations with WGs, provides greater enforcement and simplifies long-term tracking.
* AI Tools: To assist WG chairs with composing updates to the Board and reduce meeting time, the use of generative AI tools (LLMs) was discussed. The idea is to automate the creation of routine, one-page status reports by feeding the Secretariat’s existing, recorded WG meeting minutes into a template. This would offload the burden of routine status reporting from the volunteer chairs.
However, caution was expressed that relying on automated minutes could lead to a loss of direct engagement and Board awareness, especially regarding nuance that might be filtered out of an AI-generated summary. The consensus was that the two problems, routine status updates and strategic topic engagement, must be decoupled. The goal is to find a balance where Chairs feel comfortable escalating critical "hot topics" without feeling obliged to give a book report every two weeks.

Given the complexity and the need for wider input, the Board agreed to suspend further discussion, with the Secretariat tasked to consolidate the ideas (including the AI automation and standardized compliance) into an alternative proposal for final asynchronous deliberation.

________________________________

Open Discussion

No other topics were discussed.
