CVE Board Meeting Minutes
October 15, 2025 (2:00 p.m. – 4:00 p.m. EST)

CVE Board Attendance
☒ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek Company <https://www.intertek.com/cybersecurity/ewa-canada/>
☐ Tod Beardsley, Austin Hackers Anonymous (AHA!) <https://takeonme.org/>
☒ Chris Coffin (MITRE At-Large), The MITRE Corporation <https://www.mitre.org/>
☒ William Cox, Black Duck Software, Inc. <https://www.blackduck.com/>
☐ Jen Ellis, NextJen Security <https://uk.linkedin.com/in/infosecjen>
☒ Patrick Emsweller, Cisco Systems, Inc. <https://www.cisco.com/>
☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3 <https://lp3.com/>
☒ Art Manion
☒ MegaZone (CNA Board Liaison), F5, Inc. <https://www.f5.com/>
☐ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☒ Chandan Nandakumaraiah
☐ Kathleen Noble
☒ Madison Oliver, GitHub Security Lab <https://securitylab.github.com/>
☒ Lisa Olson, Microsoft <https://www.microsoft.com/>
☒ Shannon Sabens, CrowdStrike, Inc. <https://www.crowdstrike.com/>
☐ Christopher Turner, NIST <https://www.nist.gov/>
☒ Takayuki Uchiyama, Panasonic Holdings Corporation <https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc. <https://www.broadcom.com/>
MITRE CVE Team Attendance
☒ Kris Britton
☒ Christine Deal
☐ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda
* Introduction
* Fall Technical Workshop
* Supplier ADP Pilot
* Open Discussion

New Action Items from Today’s Meeting
New Action Item                Responsible Party
None

________________________________

Fall Technical Workshop

The Board meeting opened with an update on the Fall Technical Workshop, for which the agenda has been finalized and speakers confirmed. The event will not be open to the public; rather, it requires a formal invitation through the CVE Program. Ahead of the event, the planning team will conduct two practice sessions to ensure the workshop flows smoothly. The planning team for this year’s workshop has incorporated feedback from last year’s workshop, so the upcoming sessions will have chat functionality enabled live to increase engagement and improve communication between attendees and presenters. Although the upcoming Workshop will be restricted to CNAs, the Board discussed the possibility of hosting a separate, larger-scale virtual event that includes non-CNAs in the future.

________________________________

Supplier ADP Pilot

The Board received an overview of the Supplier Authorized Data Publisher (SADP) pilot project, which aims to allow supplier CNAs to act as ADPs and add containers to CVE Records, providing information about the impact of upstream vulnerabilities on their products. The pilot will only allow participation from supplier CNAs. The team initially plans to select between three and five CNAs to participate in the first phase. If the pilot is continued, the number of participants may increase. The pilot will involve two technical approaches: one in which the entire container content is added to the record, and another in which only a reference to the supplier’s information is added. Keeping the pilot small by involving only a few CNAs initially will help to address scaling concerns and gather feedback.
The pilot will begin in November 2025 with an evaluation in March 2026 to determine whether to continue it. The consensus so far is to allow downstream supplier CNAs to modify any parts of their records, with some fields being mandatory. The pilot team is still determining criteria for rejections (possibly for malformed records) and disputes. Based on discussions with the SPWG, rejections may be handled at the record level and disputes at the container level; however, there is a strong case for avoiding removal of ADP containers when some of their information is rejected, to avoid malfeasance. In some cases, disagreements may require CNAs to intervene and moderate disputes or reject records.

In preparation for the pilot, early discussions with CNAs revealed concerns about scaling, and that the addition of information to already-published CVE Records may confuse users and drive them to report issues to the vendor, although those issues are only recorded as part of the pilot. The Board considered the impact of the pilot, which will reveal program-level coordination needs for the management of these containers in the record. The Board also discussed concerns raised by open-source CNAs about the SADP pilot, particularly regarding the potential increase in support queries and the need for the information to be parsable. The Board discussed the location of upstream CVE Records and the impact that the volume of user interactions would have on curl’s small team.

Success criteria for the pilot include the content of records, feedback to be gathered, and scaling issues to resolve. The Board recommended adding a section to the pilot document that would address implications related to the Cyber Resilience Act (CRA), which would affect companies’ vulnerability disclosure and documentation processes. Addressing CRA implications may justify the cost of turning the pilot into a full-scale project.
The Board also considered the need for a GitHub repo where participants can file issues, open discussions, and direct questions to the Strategic Planning Working Group (SPWG). The pilot team will present on the effort at the Fall Workshop. Preparation for the pilot itself is near completion, and the team hopes to finalize the proposal shortly.

________________________________

Open Discussion

It was recommended that the Board review and discuss a document the Research Working Group (RWG) is developing to describe a CVE “dibs” protocol and processes. This would set a structure to mediate instances in which CNAs dispute over vulnerabilities that are publicly disclosed without a CVE ID, creating a framework that balances quick assignment against the risk of duplicate IDs. After holding additional discussions to refine the proposal, the RWG may present the document at the next Board meeting.

This document includes content generated with the assistance of Microsoft Teams Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the initial draft of the meeting minutes and provide suggestions for summarizing key discussion points. All AI-generated content has been reviewed and edited by the CVE Program prior to publishing. Please report any inaccuracies or other issues to the CVE Program.
