CVE Board Meeting Minutes
April 29, 2026 (9:00 a.m. – 11:00 a.m. EDT)

CVE Board Attendance

☒ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek Company <https://www.intertek.com/cybersecurity/ewa-canada/>
☒ Tod Beardsley, Austin Hackers Anonymous <https://takeonme.org/> (AHA!)
☒ Chris Coffin (MITRE At Large), The MITRE Corporation <https://www.mitre.org/>
☒ William Cox, Black Duck Software, Inc. <https://www.blackduck.com/>
☒ Jen Ellis, NextJen Security <https://uk.linkedin.com/in/infosecjen>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3 <https://lp3.com/>
☒ Art Manion
☐ MegaZone (CNA Board Liaison), F5, Inc. <https://www.f5.com/>
☒ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☒ Chandan Nandakumaraiah
☒ Kathleen Noble
☐ Madison Ficorilli, GitHub Security Lab <https://securitylab.github.com/>
☒ Lisa Olson, Microsoft <https://www.microsoft.com/>
☒ Shannon Sabens, CrowdStrike, Inc. <https://www.crowdstrike.com/>
☐ Christopher Turner, NIST <https://www.nist.gov/>
☐ Takayuki Uchiyama, Panasonic Holdings Corporation <https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc. <https://www.broadcom.com/>

MITRE CVE Team Attendance

☒ Kris Britton
☒ Christine Deal
☒ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda

1. AI-Assisted Vulnerability Discovery and CVE Program Considerations
2. Open Discussion (Code of Conduct Updates)

New Action Items from Today’s Meeting

New Action Item / Responsible Party

Blog Post Outline: Draft an outline for a short paper or blog post summarizing the Board’s discussion on AI/LLM-driven vulnerability discovery, CVE reservation timing, transfer, operational impacts, and possible community engagement mechanisms; circulate it for Board review.
Responsible Party: Secretariat

Board Composition Survey: Finalize the draft Board survey, convert it to a Google Form, and request distribution once ready.

Board Code of Conduct Updates: Re-circulate the draft Code of Conduct updates, provide access in a broadly readable format if needed, and ask if ready for formal Board vote.
Responsible Party: Secretariat

AI-Assisted Vulnerability Discovery and CVE Program Considerations

The Board discussed how increasing use of AI-assisted vulnerability discovery may affect existing CVE Program workflows and processes. Participants considered whether aspects of vulnerability identification and CVE assignment timing may need to evolve as the scale of discovery increases. The discussion included operational considerations related to coordination, validation, record management, and communication with downstream consumers, while emphasizing the continued importance of human oversight and coordination in vulnerability handling processes.

Members also discussed how organizations using AI-enabled tooling may engage with existing program participation models and requirements, as well as the growing importance of metadata, validation, and filtering capabilities as vulnerability reporting volume increases.

The Board agreed the topic would benefit from broader community engagement and discussed possible public outreach materials and discussion forums. The Secretariat will prepare an outline for future review.

________________________________

Open Discussion

Code of Conduct updates were also discussed briefly. The Secretariat noted that draft language reflecting an earlier Board-approved handling approach had been prepared but had not yet been formally adopted into policy. The Board supported re-circulating the draft, making it available in an accessible format if needed, and moving the update forward through a formal vote by email.

This document includes content generated with the assistance of Microsoft Teams Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the initial draft of the meeting minutes and provide suggestions for summarizing key discussion points. All AI-generated content has been reviewed and edited by the CVE Program prior to publishing. Please report any inaccuracies or other issues to the CVE Program.
