CVE Board Meeting Minutes
December 10, 2025 (9:00 a.m. – 11:00 a.m. EST)

CVE Board Attendance
☒ Pete Allor
☐ Ken Armstrong, EWA – Canada, an Intertek Company <https://www.intertek.com/cybersecurity/ewa-canada/>
☒ Tod Beardsley, Austin Hackers Anonymous (AHA!) <https://takeonme.org/>
☒ Chris Coffin (MITRE At-Large), The MITRE Corporation <https://www.mitre.org/>
☒ William Cox, Black Duck Software, Inc. <https://www.blackduck.com/>
☐ Jen Ellis, NextJen Security <https://uk.linkedin.com/in/infosecjen>
☒ Patrick Emsweller, Cisco Systems, Inc. <https://www.cisco.com/>
☒ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☐ Tim Keanini
☐ Kent Landfield
☒ Scott Lawler, LP3 <https://lp3.com/>
☒ Art Manion
☐ MegaZone (CNA Board Liaison), F5, Inc. <https://www.f5.com/>
☐ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA) <https://www.dhs.gov/cisa/cybersecurity-division/>
☒ Chandan Nandakumaraiah
☐ Kathleen Noble
☒ Madison Oliver, GitHub Security Lab <https://securitylab.github.com/>
☒ Lisa Olson, Microsoft <https://www.microsoft.com/>
☒ Shannon Sabens, CrowdStrike, Inc. <https://www.crowdstrike.com/>
☐ Christopher Turner, NIST <https://www.nist.gov/>
☒ Takayuki Uchiyama, Panasonic Holdings Corporation <https://holdings.panasonic/global/>
☒ David Waltermire
☒ James “Ken” Williams, Broadcom Inc. <https://www.broadcom.com/>

MITRE CVE Team Attendance
☒ Kris Britton
☒ Christine Deal
☐ Bob Roberge
☒ Anthony Singleton
☒ Jo Bazar
☒ Alec J Summers

Agenda
• VulnCon 2026 Update and Board Strategic Discussion
• Open Discussion

New Action Items from Today’s Meeting
New Action Item | Responsible Party
Board will read the Council of Roots blog upon publication and provide feedback via the survey, indicating willingness to participate in a workshop. | Board
Secretariat will set up a Groups.io mailing list and communicate the transition plan, requesting discontinuation of the old listserv once the crossover period ends. | Secretariat

VulnCon 2026 Update and Board Strategic Discussion

The Board focused on themes and submissions for VulnCon 2026 (April 13-16, 2026), which CVE co-hosts. The current call for speakers closes on December 22 and may be extended, as late proposals typically arrive during the holidays and early January. Program review practices aim to balance representation and avoid overloading any single presenter. An in-person Board meeting on the Friday after the conference (April 17, 2026) was suggested.

Content priorities emphasized both upstream and downstream engagement. Proposed tracks included tutorials and hands-on workshops for CNAs and consumers on key technical topics such as CPE (Common Platform Enumeration), PURL (Package URL), SSVC (Stakeholder-Specific Vulnerability Categorization), CVSS (Common Vulnerability Scoring System), and JSON-based enrichment in CVE Records. A “workshopping” track was considered, offering practical guidance on where data belongs in the record schema and on enrichment best practices. Education and adoption are central: Board members observed that fields like CWE grew over time through sustained training and demand; similar growth is sought for CPE and PURL.

Working group engagement at VulnCon was encouraged, with ideas for a panel or short updates to raise awareness, recruit Board members, and distribute concise informational materials (“slick sheets”) at the CVE table. A status talk or panel on the Supplier ADP pilot (SADP) is anticipated to be timely in April, ideally featuring active pilot members sharing real-world experience and early outcomes. A short talk on the “reference archiver” capability, if operational by April, was also proposed.

Tooling and reference implementations were identified as a strategic gap. There is currently no official CVE Record generation client, and existing tools (e.g., Vulnogram, cvelib) provide inconsistent support for new features. Board members discussed options ranging from community hackathons (with the caution that hackathons are best for refining approaches rather than solving large challenges) to structured requirements workshops. A “coding prompts” workshop was suggested to channel AI-assisted development, contingent on clear requirements and comprehensive testing.

Coordination among Board members on proposed submissions to the VulnCon CFP was encouraged to reduce duplication and build coherent panels with multiple speakers. Conference logistics are proceeding smoothly; registrations typically rise after a tentative agenda is published, often in late January.

Open Discussion

Technical improvements to the CVE Program were discussed, centering on the CNA of Last Resort (CNA-LR) function and the dated cveform.mitre.org support system. A webform integrated with the CVE Record format is in development to improve transparency into request state, allow submissions to be updated without opaque email loops, support structured enrichment fields, and strengthen CNA-LR operations. Requirements have been informed by researchers, Board feedback, and observed pain points. While the initial implementation may primarily alleviate MITRE CNA-LR pressures, the goal is a capability that other CNA-LRs can adopt, improving consistency across the ecosystem.

Scaling the CNA-LR function was considered. Many CNAs under the MITRE Top-Level Root (TL-Root) defer escalation to the MITRE CNA-LR, creating centralization and capacity strain. Board members discussed gradually federating CNA-LR responsibilities across multiple Roots as they build capacity (e.g., ENISA), under a clearer strategy for Top-Level Roots and their roles. The need to articulate this federation strategy, both geographically and across systems domains (IT, open source, OT/ICS), was highlighted.

Record format and software identity were revisited. CPE’s centralized dictionary model poses well-known challenges; PURL provides identity without a central authority, but its adoption in CVE Records remains low. Board members emphasized education, consumer demand signals, and tooling support to drive CNA adoption. CVE Services can help with syntax checks and other validation, but downstream consumers and auditors need clearer guidance on interpreting record enrichments and disputed status.

The status of the current dispute policy generated active discussion. A Council of Roots blog post is scheduled for next Tuesday (December 17) as part of a website update. It explains the current policy’s intent, outlines pain points (including long-lived disputes), and invites feedback via a short survey with an option to join a workshop in the new year. Data suggest that only a small fraction of CVE Records move from disputed to rejected, but even a small disputed population can create significant operational and compliance burden for suppliers, vendors, and customers. Some argued for an adjudicative or appellate authority to resolve disputes; others cautioned about the difficulty of achieving consensus and the risk of false negatives and false positives. Several Board members noted that end users often treat the presence of a CVE (or a RESERVED or disputed status) as binary evidence that action is required, which can be at odds with nuanced vulnerability determinations; better education and auditor involvement were strongly encouraged. The policy remains a living document, and time-bound pathways and clearer categorization of dispute types were discussed as potential improvements. A panel including major end users and auditors at VulnCon was suggested to surface practical realities and expectations.
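The software-identity contrast above is easier to see in code. The following is an added example, not part of the minutes and not code from CVE Services, cvelib or Vulnogram: it performs the kind of syntax check CVE Services could run on a CPE 2.3 formatted string and on a Package URL, then places both in one `affected` entry of a CVE Record. The `cpes` and `packageURL` field names follow my reading of the CVE Record Format 5.1 schema and should be treated as an assumption to check against the published schema; the vendor, product and package coordinates are constructed. A syntax check is all either identifier supports offline: a CPE string only means something once the NVD dictionary has a matching vendor/product entry, whereas a PURL is fully determined by the package ecosystem's own coordinates, which is the "identity without a central authority" point made above.

```python
"""Added example (not from the CVE Board minutes, CVE Services, cvelib or
Vulnogram): syntax checks for CPE 2.3 formatted strings and Package URLs
(PURL), and a minimal CVE Record `affected` entry that carries both.
Assumption: the `cpes` and `packageURL` fields as in the CVE Record Format
5.1 schema; the vendor/product/package values below are constructed."""
import json
import re
from urllib.parse import unquote

# A CPE 2.3 formatted string is "cpe:2.3" followed by exactly 11 components:
# part, vendor, product, version, update, edition, language, sw_edition,
# target_sw, target_hw, other.
CPE23_COMPONENTS = 11
CPE23_PART_VALUES = {"a", "h", "o", "*", "-"}


def validate_cpe23(cpe: str) -> bool:
    """Return True if `cpe` has well-formed CPE 2.3 syntax.

    Syntax only: this cannot tell whether the vendor/product pair exists in
    the NVD CPE dictionary, which is the centralization problem the minutes
    refer to.
    """
    # Split on colons that are not escaped with a backslash.
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 2 + CPE23_COMPONENTS:
        return False
    if fields[0] != "cpe" or fields[1] != "2.3":
        return False
    if fields[2] not in CPE23_PART_VALUES:
        return False
    # Every attribute is a value, "*" (ANY) or "-" (NA); never empty.
    return all(field != "" for field in fields[3:])


def _rsplit_once(text: str, sep: str) -> tuple[str, str]:
    """Split `text` at the rightmost `sep`; return (text, '') if absent."""
    if sep not in text:
        return text, ""
    head, _, tail = text.rpartition(sep)
    return head, tail


def parse_purl(purl: str) -> dict:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath.

    Follows the decomposition order of the PURL specification (subpath,
    qualifiers, version, then type/namespace/name) and raises ValueError on
    malformed input. No registry is consulted: the identity is derived
    entirely from the package ecosystem's own coordinates.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("PURL must start with the 'pkg:' scheme")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, subpath = _rsplit_once(rest, "#")
    rest, qualifiers = _rsplit_once(rest, "?")
    rest, version = _rsplit_once(rest, "@")
    segments = rest.split("/")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        raise ValueError("PURL needs at least a type and a name")
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, value = pair.partition("=")
        if not key or not value:
            raise ValueError(f"malformed qualifier {pair!r}")
        quals[key.lower()] = unquote(value)
    return {
        "type": segments[0].lower(),
        "namespace": "/".join(unquote(s) for s in segments[1:-1]),
        "name": unquote(segments[-1]),
        "version": unquote(version),
        "qualifiers": quals,
        "subpath": unquote(subpath),
    }


def affected_entry(vendor: str, product: str, versions: list[str],
                   cpes: list[str], purl: str) -> dict:
    """Build one element of containers.cna.affected with both identifiers.

    Both identifiers are syntax-checked before being written into the
    record, mirroring the validation CVE Services can perform.
    """
    for cpe in cpes:
        if not validate_cpe23(cpe):
            raise ValueError(f"malformed CPE 2.3 string: {cpe}")
    parse_purl(purl)  # raises on bad syntax
    return {
        "vendor": vendor,
        "product": product,
        "cpes": list(cpes),
        "packageURL": purl,
        "versions": [{"version": v, "status": "affected"} for v in versions],
    }


# Constructed sample input (not a real vendor, package or CVE Record).
SAMPLE_CPE = "cpe:2.3:a:example:widget:1.2.3:*:*:*:*:node.js:*:*"
SAMPLE_PURL = "pkg:npm/%40example/widget@1.2.3?arch=x64"

if __name__ == "__main__":
    entry = affected_entry("example", "widget", ["1.2.3"], [SAMPLE_CPE], SAMPLE_PURL)
    print(json.dumps(entry, indent=2))
```

Running the script prints the `affected` entry with both identifiers. The design choice worth noting is that `parse_purl` never reaches out to a registry: an npm, PyPI or Maven coordinate is a valid PURL the moment the package exists in its ecosystem, while `validate_cpe23` can only confirm shape and must defer the "does this product exist" question to the dictionary.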
