CVE Board Meeting Minutes
August 20, 2025 (9:00 a.m. – 11:00 a.m. EST)

CVE Board Attendance
☒ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek Company <https://www.intertek.com/cybersecurity/ewa-canada/>
☒ Tod Beardsley, Austin Hackers Anonymous <https://takeonme.org/> (AHA!)
☒ Chris Coffin (MITRE At-Large), The MITRE Corporation <https://www.mitre.org/>
☒ William Cox, Black Duck Software, Inc.
☒ Patrick Emsweller, Cisco Systems, Inc. <https://www.cisco.com/>
☒ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3 <https://lp3.com/>
☒ Art Manion
☒ MegaZone (CNA Board Liaison), F5, Inc.
☐ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☒ Chandan Nandakumaraiah
☐ Kathleen Noble
☒ Madison Oliver, GitHub Security Lab
☒ Lisa Olson, Microsoft <https://www.microsoft.com/>
☒ Shannon Sabens, CrowdStrike, Inc. <https://www.crowdstrike.com/>
☐ Christopher Turner, National Institute of Standards and Technology (NIST) <https://www.nist.gov/>
☒ Takayuki Uchiyama, Panasonic Holdings Corporation <https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc. <https://www.broadcom.com/>

MITRE CVE Team Attendance
☒ Kris Britton
☒ Christine Deal
☒ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda
* Introduction
* Topics
  * CISA CVE Q&A
  * CVE Record Enrichment and AI
  * Evolution of ADPs
* Closing Remarks

New Action Items from Today’s Meeting
* Working Group Chairs to begin using the new written update (ppt. template) process via the collaborative Teams channel for the next cycle of board meetings; first set of slides due 9/3/25. (Responsible Party: Board)
* Supplier ADP Pilot Outreach: The Secretariat will reach out to potential pilot participants with concrete details about the pilot's goals and requirements. (Responsible Party: Secretariat)

Introduction
The meeting began with a review of a new process for Working Group (WG) updates. To streamline meetings and focus on board-level discussions, WG updates will transition to a written format submitted prior to board meetings.
* A collaborative Microsoft Teams channel has been established for WG chairs to submit their updates using a standardized template. The template will distinguish between general status updates and items requiring the Board's attention.
* The schedule for these updates will shift from the middle of the month to the beginning of the month to better align with other routine program communications and quarterly updates.
* It was noted that the automated invitation to join the new Teams channel was not user-friendly from a cybersecurity perspective. A follow-up communication was sent to members with a screenshot so they could verify the legitimate invitation.
* The group agreed to share feedback on the new model and workflow, and to make changes where necessary to improve the process.

________________________________

CISA CVE Q&A
A portion of the meeting was dedicated to a question-and-answer session with a representative from CISA. The discussion provided clarity on CISA's perspective regarding the program's funding, strategic importance, and future.

The CISA representative affirmed the U.S. government’s strong commitment to the CVE Program as a foundational public good that underpins the global vulnerability ecosystem. The CISA representative emphasized the program’s strategic importance and confirmed long-term support for its continued success. The discussion also highlighted the importance of ensuring the program remains resilient and sustainable over time.

A key theme was the need to continue addressing technical debt and modernizing so that the program can more quickly adapt to the community’s needs and deliver services with greater efficiency and reliability. This includes improvements to the technology stack and infrastructure that support record publishing, enrichment, and data access.

Other themes included data quality and the importance of ensuring that CVE Records remain accurate, actionable, and relevant for defenders worldwide. Board members also discussed how the program can continue to evolve to meet emerging ecosystem needs, reinforcing the unique role CVE plays in enabling cybersecurity awareness, defense, and coordination.

Lastly, a broader challenge was raised for strategic attention: threat actors are increasingly using configuration-related exposures for post-exploitation activities, an area where the industry lacks the same level of large-scale automated identification and communication that CVE provides for software vulnerabilities.

________________________________

CVE Record Enrichment and AI
The Board discussed the role of Artificial Intelligence (AI) in the context of CVE Record enrichment. It was acknowledged that the use of AI for enrichment is inevitable, and that the program must be thoughtful about establishing guidelines for its application. A robust discussion on the current state of AI revealed several key perspectives.

One viewpoint expressed caution, suggesting that while AI is a valuable tool for research and initial triage, it may not yet be mature enough to be fully relied upon for complex enrichment tasks, which require a deep understanding of component interactions. In contrast, another perspective highlighted that human error is also a factor in data quality and that the focus should be on defining the desired outcomes and quality standards for enrichment, regardless of the method used.

There was a consensus that the quality of AI output is heavily dependent on the quality of the input and training data. Before AI can be effectively applied, the program needs to clearly define what constitutes high-quality, useful data and establish benchmark data sets. The goal is to determine if and how enrichment can be reliably automated as part of the content production pipeline.

________________________________

Evolution of ADPs
A significant portion of the meeting was dedicated to the evolution of ADPs, with a specific focus on establishing a pilot program for "Supplier ADPs" (SADPs). The objective of the SADP concept is to create a formal mechanism for a software supplier, acting as a CNA, to provide authoritative information about the status of their products in relation to vulnerabilities in upstream, third-party components they utilize.

A list of potential organizations that have previously expressed interest in such a pilot was noted. The next step will be to formalize the pilot details and reach out to these potential participants.

It was emphasized that the current CVE JSON schema does not support the necessary data fields to convey upstream-downstream inheritance and VEX-like status information. A key task for the pilot will be to define and test experimental schema changes to accommodate this data. This work will require significant input from the Quality Working Group (QWG).

________________________________

Open Discussion
None.

Review of Action Items
Deferred.
This document includes content generated with the assistance of Microsoft Teams Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the initial draft of the meeting minutes and provide suggestions for summarizing key discussion points. All AI-generated content has been reviewed and edited by the CVE Program prior to publishing. Please report any inaccuracies or other issues to the CVE Program.
