CVE Board Meeting Minutes
February 4, 2026 (9:00 a.m. – 11:00 a.m. EST)

CVE Board Attendance

☒ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek Company <https://www.intertek.com/cybersecurity/ewa-canada/>
☒ Tod Beardsley, Austin Hackers Anonymous <https://takeonme.org/> (AHA!)
☒ Chris Coffin (MITRE At Large), The MITRE Corporation <https://www.mitre.org/>
☒ William Cox, Black Duck Software, Inc. <https://www.blackduck.com/>
☒ Jen Ellis, NextJen Security <https://uk.linkedin.com/in/infosecjen>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3 <https://lp3.com/>
☒ Art Manion
☒ MegaZone (CNA Board Liaison), F5, Inc. <https://www.f5.com/>
☒ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☒ Chandan Nandakumaraiah
☒ Kathleen Noble
☒ Madison Oliver, GitHub Security Lab <https://securitylab.github.com/>
☒ Lisa Olson, Microsoft <https://www.microsoft.com/>
☐ Shannon Sabens, CrowdStrike, Inc. <https://www.crowdstrike.com/>
☐ Christopher Turner, NIST <https://www.nist.gov/>
☒ Takayuki Uchiyama, Panasonic Holdings Corporation <https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc. <https://www.broadcom.com/>

MITRE CVE Team Attendance

☒ Kris Britton
☒ Christine Deal
☐ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda

* Code of Conduct Complaint: Review Board Findings
* ADP Enrichment Issue: Request from Kernel.org
* SADP Pilot Update
* VulnCon Agenda Update
* LinkedIn Complaint (Re-Cap)
* Open Discussion

New Action Items from Today’s Meeting

| New Action Item | Responsible Party |
| --- | --- |
| Notify the individual and their organization of the Code of Conduct violation (including repeat-violation consequences and explanation of escalation pathways) | Secretariat |
| Decide via email on remaining Code of Conduct panel recommendations (posting CoC in Slack, Slack hosting, CoC revisions) | Board |
| Draft and publish a “blameless summary” explaining the adjudication process and rule interpretation for the referenced case (e.g., LinkedIn) | TWG |

Code of Conduct Complaint: Review Board Findings

The Board reviewed the findings of a Code of Conduct review panel regarding an incident in a program collaboration channel. The panel reported that it reviewed submitted evidence (including screenshots) against the CVE Program Professional Code of Conduct and unanimously found a violation, characterizing the conduct as unprofessional and escalating in tone. The panel proposed notifying both the individual and their organization, requesting an apology, warning that repeated violations could lead to removal from the program, and making broader process improvements (such as posting conduct expectations in community spaces and clarifying escalation pathways). The Board discussion concentrated on balancing enforcement with community openness, noting the risk of discouraging legitimate feedback if community spaces feel overly policed, while also emphasizing that de-escalation and professionalism are required in program forums.
Participants also highlighted that underlying frustrations about program rules and outcomes may be contributing to elevated tone, and that clearer channels for non–Code of Conduct complaints and general feedback could reduce pressure on informal social channels.

The Board agreed to proceed with notifying the individual and their organization of the violation, and to include that repeated violations may result in removal from the program, as well as clear pointers to escalation pathways for concerns and complaints (including non–Code of Conduct issues). Follow-on panel recommendations were deferred for further discussion via email.

________________________________

ADP Enrichment Issue: Request from Kernel.org

The Board discussed an issue raised by kernel.org regarding ADP enrichment practices, specifically objections to assigning and publishing CVSS scores (and related enrichment such as CWE) for Linux kernel vulnerabilities without sufficient deployment context. Participants noted that for upstream components, especially kernels and broadly reused libraries, severity and exploitability can vary significantly by downstream configuration, distribution, exposure, and environment, and that “generic” scoring can be misinterpreted by consumers as universally applicable. Board members emphasized that enrichment can be valuable when it provides clear contextual qualifiers.

Members discussed that as the CVE Program functions as a publisher of ADP-provided enrichment, it may define objective publication expectations for what is accepted and how it is represented. The discussion also cautioned against the CVE Program mediating disputes between external parties; instead, the program’s role should focus on consistent rules for enrichment published via CVE mechanisms. Relatedly, members cautioned against creating complex “tiered” classes of ADPs due to manageability and fairness concerns.
The Board connected the kernel.org concern to broader ecosystem challenges in which downstream consumers treat certain enrichment sources as authoritative, potentially triggering operational and compliance-driven reactions. Members also noted that supplier-asserted, product-specific context (as being explored through the SADP pilot) may help reduce confusion by clearly indicating when a vulnerability affects a particular product line and under what conditions.

No policy decision was made during the meeting. The Board agreed to table the topic pending the outcome of ongoing discussions by the relevant enrichment authority (discussed in-meeting as CISA engagement on this issue) and to continue addressing the topic through appropriate working groups and forums.

________________________________

SADP Pilot Update

An update was provided on the Supplier ADP (SADP) Pilot, focused on enabling supplier-asserted impact information to be added using the existing ADP container structure already supported by the current schema, rather than changing the core CVE Record Data Format. The update covered technical readiness steps (including a demonstration environment for participants to build and test their clients), onboarding and coordination cadence, and early messaging being delivered through working groups. The pilot approach was described as intentionally experimental, with minimal mandatory fields and flexibility for participants to add structured content within defined scope, and with an explicit plan to evaluate usefulness after an initial pilot period (described as roughly 120 days).

Decision and next steps: The Board supported continuing the pilot on the proposed schedule. It was noted that external communications will be complex and should be staged, including messaging about the pilot itself, examples for community review, and any transition to production; a communications plan will be developed.
A near-term milestone meeting with pilot participants was noted, and publishing example/test container files for reference was discussed as helpful.

________________________________

VulnCon Agenda Update

The Board received an update on VulnCon planning from the VCEWG, noting that registrations are rising. Talk selection was reported as complete, with speaker notifications in progress and a small number of pending confirmations; the plan is to publish a public list of accepted sessions/topics on the website soon to support registration decisions, with the detailed agenda to follow once confirmations are finalized. Travel approval uncertainty remains a material planning risk.

The VulnCon Planning Committee will proceed with notifying speakers and publishing the accepted-session list while maintaining contingency plans for travel and attendance variability (e.g., keeping scheduling flexible, and identifying backup coverage for sessions if travel is not approved).

________________________________

LinkedIn Complaint (Re-Cap)

The Board revisited a community issue that had been discussed publicly on social media and included requests for additional review and a “blameless postmortem.” The conversation emphasized that the recurring problem is often not the need to re-argue prior determinations, but that the adjudication rules and decision points are not well understood externally, and that a clear, accessible explanation would reduce misunderstanding and repeated escalation into public forums.

The Board did not reopen the underlying adjudication for re-litigation during the meeting. The Board supported preparing a written, blameless summary or postmortem that explains the applicable rules, the adjudication process and timing, and how community members should raise questions or concerns going forward, with the goal of improving understanding and reducing confusion.

________________________________

Open Discussion

In open discussion, the Board returned to cross-cutting concerns about feedback channels and escalation pathways. Participants noted that bringing every dispute to the full Board is inefficient, but that the program also needs a clearer “how to get help” or “how to escalate” model that does not depend on informal social media pressure. Ideas raised included more visible conduct expectations in community spaces, clearer publication of where and how to submit non–Code of Conduct feedback, and potential listening-session style forums or office hours to provide constructive outlets for community concerns.

A member repeated a request to obtain access to MITRE’s contract with CISA concerning the CVE Program. It was repeated that the Secretariat is unable to fulfill that request.
