CVE Board Meeting Minutes
January 7, 2026 (9:00 a.m. – 11:00 a.m. EST)

CVE Board Attendance
☒ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek Company<https://www.intertek.com/cybersecurity/ewa-canada/>
☒ Tod Beardsley, Austin Hackers Anonymous<https://takeonme.org/> (AHA!)
☒ Chris Coffin (MITRE AtLarge), The MITRE Corporation<https://www.mitre.org/>
☒ William Cox, Black Duck Software, Inc.<https://www.blackduck.com/>
☐ Jen Ellis, NextJen Security<https://uk.linkedin.com/in/infosecjen>
☒ Patrick Emsweller, Cisco Systems, Inc.<https://www.cisco.com/>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3<https://lp3.com/>
☒ Art Manion
☒ MegaZone (CNA Board Liaison), F5, Inc.<https://www.f5.com/>
☐ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Chandan Nandakumaraiah
☐ Kathleen Noble
☒ Madison Oliver, GitHub Security Lab<https://securitylab.github.com/>
☒ Lisa Olson, Microsoft<https://www.microsoft.com/>
☐ Shannon Sabens, CrowdStrike, Inc.<https://www.crowdstrike.com/>
☐ Christopher Turner, NIST<https://www.nist.gov/>
☒ Takayuki Uchiyama, Panasonic Holdings Corporation<https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc.<https://www.broadcom.com/>
MITRE CVE Team Attendance
☒ Kris Britton
☒ Christine Deal
☐ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda
* CVE Dispute
* Open Discussion

New Action Items from Today’s Meeting
New Action Item: Draft an educational board statement explaining CVE Program rules and the coordinated vulnerability disclosure process.
Responsible Party: Secretariat

CVE Dispute[1]

The board discussed a recent CVE Record dispute involving a vulnerability report submitted to a vendor CNA (CNA1) and the subsequent CVE assignment process. Participants discussed the overall handling of the case, including the communication between the reporting CNA (CNA2), CNA1, and the MITRE TL-Root. The dispute was initiated by CNA2 on behalf of a researcher to the MITRE TL-Root, after which the MITRE TL-Root established a communications thread between CNA1 and CNA2. Initial investigation suggested a lack of alignment on the vulnerability determination, and additional time was requested to review the issue and work with the researcher and the OSS maintainer. The issue was resolved through established CVE Program policy and practice, and a CVE Record was published by the disputing CNA (CNA2).

A core question of vulnerability determination was discussed. Some participants emphasized that deciding whether a particular issue constitutes a vulnerability can be complex and ambiguous, especially when existing guidance does not clearly cover the scenario. In this case, CNA1 initially did not regard the reported issue as a vulnerability, which contributed to tension with the researcher and CNA2. Members discussed how differing interpretations increase the likelihood of disputes and frustration, particularly for researchers who may not have insight into internal decision processes.

Clarification was provided on how CVE assignment timelines apply in such cases. For example, the widely referenced 72-hour expectation for CVE assignment is intended to begin only after a vulnerability determination has been made, not from the initial report. It was acknowledged that ambiguous language and incomplete explanations of the determination process can easily lead to misunderstandings about when timelines start and what obligations exist at each stage. There was broad agreement that clearer documentation of determinations and supporting rationale – at least at a program level – would likely prevent similar misunderstandings in the future.

A member repeated a request to obtain access to MITRE’s contract with CISA concerning the CVE Program. The Secretariat repeated that it is unable to fulfill that request.

Open Discussion

In the broader open discussion, participants focused on structural challenges facing the CVE Program, especially around standards of practice, technical infrastructure, and the realities of operating a federated system. There was general agreement that existing processes for coordination – heavily reliant on email threads across multiple organizations – are inefficient, difficult to scale, and increase participation costs. These limitations hinder timely dispute resolution and make it difficult to track the status and history of individual cases in a systematic way.

Several participants argued that a more robust, federated technical solution is needed to support dispute tracking, assignment history, and clear delineation of responsibilities across CNAs and other stakeholders. It was suggested that such an infrastructure could enable better measurement of performance, more consistent application of rules, and more transparent oversight of how disputes are handled. It was also noted that designing and maintaining such systems would require sustained investment and cooperation across multiple organizations.

The conversation then turned to the governance model and expansion of the federation of Root organizations within the CVE Program. Participants described ongoing efforts to onboard additional Root entities to further distribute operational responsibilities. While there is support for this approach, it was emphasized that scaling a federated model requires operational capacity, goodwill, and long-term resources from participating organizations. There was a suggestion to convene an open working group focused on requirements for these efforts. This group would involve board members and interested volunteers to define what is needed for effective dispute coordination, auditability, and support of the federated environment.

Participants also examined the relationship between policy and technology. There was consensus that technology alone cannot resolve disputes about vulnerability determinations or address all community concerns. Clearer policies, well-understood standards of practice, and consistent application of those standards are equally necessary. The group concluded that future work should proceed on both fronts: improving technical tooling while simultaneously revisiting and refining policies and norms.

This document includes content generated with the assistance of Microsoft Teams Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the initial draft of the meeting minutes and provide suggestions for summarizing key discussion points. All AI-generated content has been reviewed and edited by the CVE Program prior to publishing. Please report any inaccuracies or other issues to the CVE Program.

________________________________
[1] CNAs will be listed as CNA1, CNA2, etc., for purposes of anonymity.
