CVE Board Meeting Minutes June 10, 2026 (2:00 p.m. – 4:00 p.m. EDT) CVE Board Attendance ☒ Pete Allor ☐ Ken Armstrong, EWA – Canada, an Intertek Company<https://www.intertek.com/cybersecurity/ewa-canada/> ☒ Tod Beardsley, Austin Hackers Anonymous<https://takeonme.org/> (AHA!) ☒ Chris Coffin (MITRE At Large), The MITRE Corporation<https://www.mitre.org/> ☒ William Cox, Black Duck Software, Inc.<https://www.blackduck.com/> ☐ Jen Ellis, NextJen Security<https://uk.linkedin.com/in/infosecjen> ☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/> ☐ Tim Keanini ☐ Kent Landfield ☒ Scott Lawler, LP3<https://lp3.com/> ☒ Art Manion ☒ MegaZone (CNA Board Liaison), F5, Inc.<https://www.f5.com/> ☐ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/> ☒ Chandan Nandakumaraiah ☒ Kathleen Noble ☒ Madison Ficorilli, GitHub Security Lab<https://securitylab.github.com/> ☒ Lisa Olson, Microsoft<https://www.microsoft.com/> ☐ Shannon Sabens, CrowdStrike, Inc.<https://www.crowdstrike.com/> ☐ Christopher Turner, NIST<https://www.nist.gov/> ☒ Takayuki Uchiyama, Panasonic Holdings Corporation<https://holdings.panasonic/global/> ☒ David Waltermire ☒ James “Ken” Williams, Broadcom Inc.<https://www.broadcom.com/>
MITRE CVE Team Attendance ☐ Kris Britton ☒ Christine Deal ☐ Bob Roberge ☒ Anthony Singleton ☒ Jo Bazar ☒ Alec J Summers Agenda 1. Executive-Session Readout on Draft CVE/NVD Bill 2. CVE Program Response to High-Volume Vulnerability Ecosystem Pressures and July 30 Virtual Forum 3. Open Discussion New Action Items from Today’s Meeting New Action Item Responsible Party Prepare and circulate consolidated Board feedback on the draft CVE/NVD bill and send to legislative staff by June 18th (June 19th Federal Holiday) Board/Secretariat Continue email discussion on whether and how the program should respond to public CVE bundling practices, including gathering additional context from the vendor before any public statement. Board/Secretariat Executive Session Readout: Draft CVE/NVD Bill The Board received an update on ongoing discussions about draft legislation related to the future of the CVE and NVD Programs. The discussion focused on shared goals such as strengthening the long-term sustainability and modernization of the programs, while recognizing that the proposed legislation is still evolving. Board members also emphasized the importance of preserving the collaborative, community-driven nature of the CVE Program and ensuring that any future governance structure reflects the way the program has successfully operated over many years. The Board expects to continue providing feedback as the legislative process moves forward. ________________________________ CVE Program Response to High-Volume Vulnerability Ecosystem Pressures and July 30 Virtual Forum The Secretariat summarized work on a draft CVE Program paper responding to pressure points in the vulnerability ecosystem, including high report volume, AI-assisted discovery, CNA capacity, and downstream vulnerability-management impacts. The document had been developed from a prior Board discussion, refined through TWG input, and restructured to make the call to action more prominent and the paper more accessible. The planned publication would invite community participation in a July 30 virtual forum. The forum is intended to gather input from relevant parts of the ecosystem, identify lines of work, and help determine whether follow-up should be routed to working groups or other program activities. The Secretariat proposed publishing the paper through CVE Program channels, including the website, Medium, and social media. Participants supported a minor edit to distinguish CNA and Root responsibilities more clearly, particularly around content development, governance, and dispute handling. Participants discussed whether current CVE infrastructure and APIs can scale to significantly higher record volume. The Secretariat noted that the team is investigating scenarios for different future record volumes and that bulk download dissemination may become a scaling issue at some threshold. The same concern was noted for SADP data if participation grows substantially. Participants shared metrics illustrating the pressure. One CNA reported that its CVE volume is doubling monthly, while another participant noted that one organization’s numbers were about 1,000 times higher than the prior year. Another participant reported that 9,000 scan reports in the prior 30 days produced about 200 internal tickets and about 50 validated issues so far, highlighting the low validity rate of many automated findings. Participants also noted estimates that one out of seven CVEs in the corpus came from 2025 and that one out of five may come from 2026, with the caveat that these estimates may not fully account for frontier-model effects. Open Discussion CVE Bundling and One-ID-per-Vulnerability Discussion The Board discussed the use of bundled or "roll-up" CVE identifiers and the operational challenges that have led some organizations to consider this approach. Members reaffirmed the importance of assigning one CVE ID per vulnerability to support effective vulnerability management, analysis, and defensive operations, while recognizing the broader ecosystem pressures that organizations face. The Board also discussed opportunities for continued community engagement on scalable approaches and agreed that the program should provide public guidance reinforcing established CVE principles. CPE Summit, Vulnerability Definitions, and SPWG Rule Changes The Secretariat flagged an upcoming NIST CPE workshop focused on product identity and potential federation of CPE data so that product owners can manage identifiers for their own products. Participants also noted that definitional and terminology issues remain a recurring challenge, including what constitutes a vulnerability and how much information is needed in a CVE Record. SPWG CNA Operational Rules Changes SPWG provided heads-up that it has been debating several CNA Operational Rules changes. Most of the proposed changes have reached consensus and are expected to be sent to the Board as a bundled vote with tracked changes. One unresolved issue will be separated from that bundle and documented for broader Board input. This document includes content generated with the assistance of Microsoft Teams Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the initial draft of the meeting minutes and provide suggestions for summarizing key discussion points. All AI-generated content has been reviewed and edited by the CVE Program prior to publishing. Please report any inaccuracies or other issues to the CVE Program.
