CVE Board Meeting Minutes
October 1, 2025 (2:00 p.m. – 4:00 p.m. EST)

CVE Board Attendance
☒ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek Company <https://www.intertek.com/cybersecurity/ewa-canada/>
☐ Tod Beardsley, Austin Hackers Anonymous <https://takeonme.org/> (AHA!)
☒ Chris Coffin (MITRE At-Large), The MITRE Corporation <https://www.mitre.org/>
☒ William Cox, Black Duck Software, Inc. <https://www.blackduck.com/>
☐ Jen Ellis, NextJen Security <https://uk.linkedin.com/in/infosecjen>
☒ Patrick Emsweller, Cisco Systems, Inc. <https://www.cisco.com/>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3 <https://lp3.com/>
☒ Art Manion
☒ MegaZone (CNA Board Liaison), F5, Inc. <https://www.f5.com/>
☐ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☒ Chandan Nandakumaraiah
☐ Kathleen Noble
☐ Madison Oliver, GitHub Security Lab
☒ Lisa Olson, Microsoft <https://www.microsoft.com/>
☒ Shannon Sabens, CrowdStrike, Inc. <https://www.crowdstrike.com/>
☐ Christopher Turner, NIST <https://www.nist.gov/>
☒ Takayuki Uchiyama, Panasonic Holdings Corporation <https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc. <https://www.broadcom.com/>

MITRE CVE Team Attendance
☒ Kris Britton
☒ Christine Deal
☐ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda
* Introduction
* CVE AI Working Group Draft Playbook
* VulnCon Status Update
* CNA Fall Workshop Update
* Working Group Updates

New Action Items from Today’s Meeting

| New Action Item | Responsible Party |
| --- | --- |
| Compile a list of all open disputed records for review and potential resolution | SPWG |
| Develop and share a public roadmap for addressing CNA-LR issues and improvements | Secretariat |

________________________________

CVE AI Working Group Draft Playbook

The Board meeting began with an update from the CVE AI Working Group, which has developed a draft playbook to guide organizations releasing AI-enabled products. The playbook focuses on issues such as model deserialization bugs and prompt injection, aiming to clarify when vulnerabilities in AI systems should be assigned CVE IDs. The group emphasized that most issues arise in the applications of AI models rather than in the models themselves. Feedback from the Board was requested to ensure the document is clear and relevant, particularly regarding CVE assignment criteria for AI-related vulnerabilities. There was discussion about the most effective format for publication, whether as a white paper or a blog post, and the need for precise guidance distinguishing vulnerabilities from weaknesses or exploits. Collaboration with other groups was encouraged, including participation in PSIRT SIG discussions to address CVE assignment and triage tooling for AI.

A related proposal was made to add case studies to the CVE website, with the goal of helping the community better understand different types of CVEs and providing practical examples of assignments. This idea received broad support, and it was suggested that CNAs could contribute examples, with further discussion planned for the upcoming CNA Fall Technical Workshop in October.
A template for case studies was offered for Board review, and there was interest in sharing and presenting it at relevant SIG meetings.

________________________________

VulnCon Status Update

The Board received an update on the planning for the CVE/FIRST VulnCon, which will take place April 13-16, 2026, in Scottsdale, AZ. The program committee is active, and the event webpage and call for papers are expected to be published by the end of the week. Sponsorship opportunities will be available once the webpage is live, and there is optimism about the event’s organization and participation.

________________________________

CNA Fall Workshop Update

Planning for the CNA Fall Workshop is well underway, with a draft agenda shared and most speakers confirmed. The workshop will feature guided listening sessions to foster collaborative discussion and engagement. Registration numbers are strong, with over 110 participants (representing 71 organizations) already signed up, and Board members were reminded to register to receive the event link.

________________________________

Working Group Updates

Working group updates highlighted ongoing efforts to improve processes and transparency within the CVE Program. The Researcher Working Group (RWG) is actively piloting a "dibs" approach, which aims to streamline and accelerate CVE assignment for publicly disclosed vulnerabilities, while also considering updates to CNA rules to support this process. The Strategic Planning Working Group (SPWG) reported that the supplier ADP pilot document is nearing completion and will be shared with the Board soon. There was a robust discussion about dispute policy and transparency, with recognition of remaining challenges in the current policy and process in terms of permanently disputed records.
Suggestions included a federated approach to dispute resolution involving a group with multiple perspectives making final determinations, while others offered that there is greater value in the current policy presenting both perspectives on the CVE Record for downstream users to determine response based on their operational context.

________________________________

Open Discussion

Several follow-up actions were identified, including compiling open disputed records for review and resolution (SPWG). The development and sharing of a public roadmap for CNA of last resort improvements was also recommended.
