CVE Board Meeting Minutes

October 29, 2025 (2:00 p.m. – 4:00 p.m. EST)

CVE Board Attendance

☒Pete Allor
☐Ken Armstrong, EWA – Canada, an Intertek Company <https://www.intertek.com/cybersecurity/ewa-canada/>
☒Tod Beardsley, Austin Hackers Anonymous (AHA!) <https://takeonme.org/>
☒Chris Coffin (MITRE At-Large), The MITRE Corporation <https://www.mitre.org/>
☐William Cox, Black Duck Software, Inc. <https://www.blackduck.com/>
☒Jen Ellis, NextJen Security <https://uk.linkedin.com/in/infosecjen>
☒Patrick Emsweller, Cisco Systems, Inc. <https://www.cisco.com/>
☐Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐Tim Keanini
☐Kent Landfield
☒Scott Lawler, LP3 <https://lp3.com/>
☒Art Manion
☐MegaZone (CNA Board Liaison), F5, Inc. <https://www.f5.com/>
☐Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☒Chandan Nandakumaraiah
☒Kathleen Noble
☒Madison Oliver, GitHub Security Lab <https://securitylab.github.com/>
☒Lisa Olson, Microsoft <https://www.microsoft.com/>
☐Shannon Sabens, CrowdStrike, Inc. <https://www.crowdstrike.com/>
☐Christopher Turner, NIST <https://www.nist.gov/>
☒Takayuki Uchiyama, Panasonic Holdings Corporation <https://holdings.panasonic/global/>
☒David Waltermire
☒James “Ken” Williams, Broadcom Inc. <https://www.broadcom.com/>

MITRE CVE Team Attendance

☒ Kris Britton
☒ Christine Deal
☐ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda

* Hot Wash of CNA Fall Technical Workshop
* Working Group Updates (if not provided in PowerPoint template)

New Action Items from Today’s Meeting

| New Action Item | Responsible Party |
| Follow up with survey respondents to clarify nuanced feedback about the Fall Workshop | Secretariat |
| Report back to the CVE Board on how many people and CNAs attended the Fall Workshop | Secretariat |

Hot Wash of CNA Fall Technical Workshop

The Board conducted a reflection on the Fall Technical Workshop. Attendance and registration were strong across more than 150 organizations, with many registrants joining during the event. Survey participation improved notably over prior years. The Teams platform performed well for most attendees, and the interactive format (live Q&A and polling) was seen as a clear improvement. Attendees highlighted VEX/data quality, forthcoming CVE record/service changes, scoring and analytics, and foundational practices as most valuable. Several areas were flagged for deeper coverage next time, including program governance, international alignment, AI-related vulnerabilities, working group roadmap visibility, researcher perspectives, and clearer paths for smaller entities to participate.

Recognizing the mixed maturity of the community, the Board discussed multiple tracks with labeled difficulty and more explicit session descriptions. Short instructional materials (videos and one‑pagers) before or after workshops, plus recorded training modules (e.g., CWE, CVSS), were suggested to seed day‑one training. Members agreed that “evergreen” topics should remain, with refreshed context for new entrants. Time‑zone accommodations through repeated sessions were considered, albeit with mixed results in other groups.

Near-term actions include targeted follow‑ups with survey respondents to clarify nuanced feedback, scoping a virtual educational series with labeled difficulty after the April 2026 conference, and coordinating topics across relevant working groups.

________________________________

Working Group Updates

The VCEWG Chair provided an update on the CVE Program’s collaboration with FIRST for VulnCon 2026 and the Annual CNA Summit in April (Scottsdale). Logistics are in good order; registration and sponsorship are open, with the call for papers planned for early November. Adjustments to program leadership were made to ensure continuity and European representation.

The Board discussed the Program’s presence at VulnCon, expressing support for a visible role that balances engagement with budget constraints. Options under consideration include sponsoring a reception or hosting “listening” sessions to gather direct community input. The group discussed adding an additional (virtual) workshop during the summer timeframe. The intent is to improve inclusivity, avoid fragmentation, and complement, not compete with, FIRST’s rotating conference. Related European efforts focused on measurement and forecasting were noted as potential areas of cooperation if scopes remain distinct.

Next steps include amplifying the call for papers via CVE Program channels, and refining options and costs for a CVE Program-hosted event at VulnCon 2026.

________________________________

Open Discussion

The Pacific CNA Organization of Peers (COOP) call was reported to have strong momentum, with growing participation from newer CNAs.

The Board discussed the rising volume of low-quality or unconfirmed vulnerability reports, among them AI-assisted findings, black-box web scans, duplicates, student-assignment-driven submissions, and claims against end-of-life software that are hard to validate. While CVE remains attestation-based, participants emphasized the need to protect data quality and reduce noise.

Ideas noted for further discussion included signaling validation status distinctly from “disputed,” clarifying baseline requirements for ID assignment in edge cases, encouraging stronger evidence (e.g., exploitability) where practical, and piloting a public issue/correction tracker to improve transparency and crowd review, acknowledging the scale and governance challenges. The Board agreed to route the topic to the AI working group and the broader CNA community, and to consider pilots for tagging and feedback mechanisms alongside clearer guidance on dispute handling.

This document includes content generated with the assistance of Microsoft Teams Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the initial draft of the meeting minutes and provide suggestions for summarizing key discussion points. All AI-generated content has been reviewed and edited by the CVE Program prior to publishing. Please report any inaccuracies or other issues to the CVE Program.
