CVE Board Meeting Minutes
June 10, 2026 (2:00 p.m. – 4:00 p.m. EDT)

CVE Board Attendance
☒ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek 
Company<https://www.intertek.com/cybersecurity/ewa-canada/>
☒ Tod Beardsley, Austin Hackers Anonymous<https://takeonme.org/> (AHA!)
☒ Chris Coffin (MITRE At Large), The MITRE Corporation<https://www.mitre.org/>
☒ William Cox, Black Duck Software, Inc.<https://www.blackduck.com/>
☐ Jen Ellis, NextJen Security<https://uk.linkedin.com/in/infosecjen>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency 
(CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3<https://lp3.com/>
☒ Art Manion
☒ MegaZone (CNA Board Liaison), F5, Inc.<https://www.f5.com/>
☐ Tom Millar, Cybersecurity and Infrastructure Security Agency 
(CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☒ Chandan Nandakumaraiah
☒ Kathleen Noble
☒ Madison Ficorilli, GitHub Security Lab<https://securitylab.github.com/>
☒ Lisa Olson, Microsoft<https://www.microsoft.com/>
☐ Shannon Sabens, CrowdStrike, Inc.<https://www.crowdstrike.com/>
☐ Christopher Turner, NIST<https://www.nist.gov/>
☒ Takayuki Uchiyama, Panasonic Holdings 
Corporation<https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc.<https://www.broadcom.com/>

MITRE CVE Team Attendance
☐ Kris Britton
☒ Christine Deal
☐ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers
Agenda

  1.  Executive-Session Readout on Draft CVE/NVD Bill
  2.  CVE Program Response to High-Volume Vulnerability Ecosystem Pressures and 
July 30 Virtual Forum
  3.  Open Discussion

New Action Items from Today’s Meeting
New Action Item
Responsible Party
Prepare and circulate consolidated Board feedback on the draft CVE/NVD bill and 
send to legislative staff by June 18th (June 19th Federal Holiday)
Board/Secretariat
Continue email discussion on whether and how the program should respond to 
public CVE bundling practices, including gathering additional context from the 
vendor before any public statement.
Board/Secretariat

Executive Session Readout: Draft CVE/NVD Bill
The Board received an update on ongoing discussions about draft legislation 
related to the future of the CVE and NVD Programs. The discussion focused on 
shared goals such as strengthening the long-term sustainability and 
modernization of the programs, while recognizing that the proposed legislation 
is still evolving.

Board members also emphasized the importance of preserving the collaborative, 
community-driven nature of the CVE Program and ensuring that any future 
governance structure reflects the way the program has successfully operated 
over many years. The Board expects to continue providing feedback as the 
legislative process moves forward.
________________________________
CVE Program Response to High-Volume Vulnerability Ecosystem Pressures and July 
30 Virtual Forum
The Secretariat summarized work on a draft CVE Program paper responding to 
pressure points in the vulnerability ecosystem, including high report volume, 
AI-assisted discovery, CNA capacity, and downstream vulnerability-management 
impacts. The document had been developed from a prior Board discussion, refined 
through TWG input, and restructured to make the call to action more prominent 
and the paper more accessible.
The planned publication would invite community participation in a July 30 
virtual forum. The forum is intended to gather input from relevant parts of the 
ecosystem, identify lines of work, and help determine whether follow-up should 
be routed to working groups or other program activities. The Secretariat 
proposed publishing the paper through CVE Program channels, including the 
website, Medium, and social media. Participants supported a minor edit to 
distinguish CNA and Root responsibilities more clearly, particularly around 
content development, governance, and dispute handling.

Participants discussed whether current CVE infrastructure and APIs can scale to 
significantly higher record volume. The Secretariat noted that the team is 
investigating scenarios for different future record volumes and that bulk 
download dissemination may become a scaling issue at some threshold. The same 
concern was noted for SADP data if participation grows substantially.
Participants shared metrics illustrating the pressure. One CNA reported that 
its CVE volume is doubling monthly, while another participant noted that one 
organization’s numbers were about 1,000 times higher than the prior year. 
Another participant reported that 9,000 scan reports in the prior 30 days 
produced about 200 internal tickets and about 50 validated issues so far, 
highlighting the low validity rate of many automated findings. Participants 
also noted estimates that one out of seven CVEs in the corpus came from 2025 
and that one out of five may come from 2026, with the caveat that these 
estimates may not fully account for frontier-model effects.

Open Discussion
CVE Bundling and One-ID-per-Vulnerability Discussion
The Board discussed the use of bundled or "roll-up" CVE identifiers and the 
operational challenges that have led some organizations to consider this 
approach. Members reaffirmed the importance of assigning one CVE ID per 
vulnerability to support effective vulnerability management, analysis, and 
defensive operations, while recognizing the broader ecosystem pressures that 
organizations face. The Board also discussed opportunities for continued 
community engagement on scalable approaches and agreed that the program should 
provide public guidance reinforcing established CVE principles.

CPE Summit, Vulnerability Definitions, and SPWG Rule Changes
The Secretariat flagged an upcoming NIST CPE workshop focused on product 
identity and potential federation of CPE data so that product owners can manage 
identifiers for their own products. Participants also noted that definitional 
and terminology issues remain a recurring challenge, including what constitutes 
a vulnerability and how much information is needed in a CVE Record.

SPWG CNA Operational Rules Changes
SPWG provided heads-up that it has been debating several CNA Operational Rules 
changes. Most of the proposed changes have reached consensus and are expected 
to be sent to the Board as a bundled vote with tracked changes. One unresolved 
issue will be separated from that bundle and documented for broader Board input.

This document includes content generated with the assistance of Microsoft Teams 
Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the 
initial draft of the meeting minutes and provide suggestions for summarizing 
key discussion points. All AI-generated content has been reviewed and edited by 
the CVE Program prior to publishing. Please report any inaccuracies or other 
issues to the CVE Program.

Reply via email to