CVE Board Meeting Minutes
July 23, 2025 (9:00 a.m. – 11:00 a.m. EST)

CVE Board Attendance

☒ Pete Allor, Red Hat, Inc.<https://www.redhat.com/>
☐ Ken Armstrong, EWA – Canada, an Intertek Company<https://www.intertek.com/cybersecurity/ewa-canada/>
☐ Tod Beardsley, Austin Hackers Anonymous<https://takeonme.org/> (AHA!)
☒ Chris Coffin (MITRE At-Large), The MITRE Corporation<https://www.mitre.org/>
☒ William Cox, Black Duck Software, Inc.
☐ Patrick Emsweller, Cisco Systems, Inc.<https://www.cisco.com/>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3<https://lp3.com/>
☐ Art Manion
☒ MegaZone (CNA Board Liaison), F5, Inc.
☒ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)<https://www.dhs.gov/cisa/cybersecurity-division/>
☒ Chandan Nandakumaraiah, Palo Alto Networks<https://www.paloaltonetworks.com/>
☐ Kathleen Noble, Intel Corporation<https://www.intel.com/>
☒ Madison Oliver, GitHub Security Lab
☒ Lisa Olson, Microsoft<https://www.microsoft.com/>
☒ Shannon Sabens, CrowdStrike, Inc.<https://www.crowdstrike.com/>
☐ Christopher Turner, NIST
☐ Takayuki Uchiyama, Panasonic Holdings Corporation<https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc.<https://www.broadcom.com/>

MITRE CVE Team Attendance

☐ Kris Britton
☒ Christine Deal
☒ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda

* Introduction
* Topics
  * Working Group Updates
  * CVE Program Funding
  * Fall Workshop Planning
* Review of Action Items
* Closing Remarks

New Action Items from Today’s Meeting

New Action Item | Responsible Party
Schedule an out-of-cycle board meeting with sponsor to discuss program funding. | Secretariat
Send out a "hold the date" announcement for the Fall Workshop (October 22-23) | Secretariat

Working Group Updates

Automation Working Group (AWG): An update was provided on two primary initiatives:

* CVE Reference Archive: The pilot application, designed to archive web page content linked in CVE Records for historical preservation, is in a review phase. The community has been asked to test the application locally, but feedback is still pending. Final permissions are being updated to make archived content available, after which the pilot will run for 6-12 months to gather community feedback on its value before it is considered for official support.
* User Registry: Following a recent round of testing, proposals were made to improve the user registry. A key suggestion was to decouple users from their organizations to allow a single user to belong to multiple organizations without needing separate credentials. A design team will be formed to finalize the requirements for this feature.

Additionally, documentation detailing record validation performed by CVE services (apart from schema validation) has been completed and published.

AI Working Group (AIWG): The group is finalizing a "playbook" to provide detailed guidance on identifying, triaging, and handling AI-related bugs. A draft of the document is undergoing final review and is expected to be shared with the board around the time of the next meeting.

Outreach & Communications Working Group (OCWG): OCWG reported on its recent activities, including:

* Publishing and promoting three blog posts.
* Recording a new podcast episode on Root Cause Mapping of CVE Records.
* Continuing work on CNA onboarding videos, with the "Becoming a CNA" video nearing completion.
* Planning to help promote the upcoming Fall Workshop.

Quality Working Group (QWG): The QWG update covered several strategic topics:

* Software ID Proposal: The board was reminded of the proposal to add support for additional software identifiers (Package URLs and OmniBOR). Board feedback on this proposal is still being sought.
* Need for a 6.0 Release: It was explained that a major version release of the CVE Record format (6.0) would be necessary to implement significant improvements, particularly to the "affected" products array and versioning capabilities, which cannot be achieved in a backward-compatible manner. A discussion was raised about the program's readiness and timeline for such a major release.
* Guiding Principles: A document is being developed to establish guiding principles for updating the CVE Record format, and the board's input will be valuable in defining these principles to ensure alignment with the program's strategy.
* Transparency: To improve visibility, the QWG has created a project work board on GitHub to track its activities.

Strategic Planning Working Group (SPWG): It was announced that a new Co-chair has been selected for the group, which will help with redundancy and ongoing operations.

Tactical Working Group (TWG): The group’s recent discussions have focused on operational coordination between the working groups and the board. Key topics include the organization of the Fall Workshop and monitoring the progress of CVE services development to ensure the community remains informed.

Vulnerability Conference and Events Working Group (VCEWG): Plans for the upcoming Fall Workshop were discussed.

* Date: The workshop is tentatively scheduled for October 22-23, 2025.
* Announcements: It was agreed that a "hold the date" announcement would be sent to the community soon to allow participants to mark their calendars.
* Presentations: A call for presentations will be issued.
* Coordination: A coordination meeting will be scheduled to finalize the agenda and logistical details.

________________________________

CVE Program Funding

It was noted that the sponsor representatives scheduled to discuss this topic had to leave the call for an urgent matter before the agenda item was reached. Board members expressed a desire to prioritize this discussion. A proposal was made and agreed upon to schedule a dedicated, out-of-cycle meeting focused solely on this topic to ensure the relevant parties could attend and a thorough discussion could take place.

________________________________

Fall Workshop Planning

This topic was covered during the VCEWG and TWG updates. The next steps are to send a "hold the date" announcement for the October 22-23, 2025, event and to convene a coordination meeting to plan the call for presentations and finalize the agenda.

________________________________

Open Discussion

Discussion on Meeting Format and Process

A discussion was held regarding the format of working group updates during board meetings. Several members expressed the view that verbal reports on routine activities were not the most strategic use of the board's time. It was proposed and generally agreed that the process should be changed:

* Working groups will submit written updates in advance of the board meeting.
* Time on the live meeting agenda will be reserved for working groups that have a specific strategic issue to discuss, a decision to be made, or a request for the board.

Review of Action Items

Deferred.