CVE Board Meeting Minutes January 21, 2026 (2:00 p.m. – 4:00 p.m. EST) CVE Board Attendance ☒ Pete Allor ☐ Ken Armstrong, EWA – Canada, an Intertek Company<https://urldefense.us/v2/url?u=https-3A__www.intertek.com_cybersecurity_ewa-2Dcanada_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=MmUMCu7ndTcJiYH1-2p-be-ImBuLehzZLf59VqMcP7g&e=> ☒ Tod Beardsley, Austin Hackers Anonymous<https://urldefense.us/v2/url?u=https-3A__takeonme.org_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=vI0g5bwlo0gBvf4EvQ4mUs7rgWY79ZeChDk4mrywAtY&e=> (AHA!) ☒ Chris Coffin (MITRE At Large), The MITRE Corporation<https://www.mitre.org/> ☒ William Cox, Black Duck Software, Inc.<https://urldefense.us/v2/url?u=https-3A__www.blackduck.com_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=kIBgdystlEcwyPBGw0IC5NYQxYDuegH-h1Flz7B6dV0&e=> ☒ Jen Ellis, NextJen Security<https://urldefense.us/v2/url?u=https-3A__uk.linkedin.com_in_infosecjen&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=inUpjVBIRCG64mrYNeOrco8A6Fvl8cqeIBQFeTS-QG4&e=> ☒ Patrick Emsweller, Cisco Systems, Inc.<https://urldefense.us/v2/url?u=https-3A__www.cisco.com_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=FjqifjPGq6nPLOlh0GQQmHMs-ReyB9hINANJvOcIDCA&e=> ☐ Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)<https://urldefense.us/v2/url?u=https-3A__www.dhs.gov_cisa_cybersecurity-2Ddivision_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=NJG9CX_XQYRlrYp8Cc7aVSVGBpVVlYtsGEdSJJ6wxqE&e=> ☐ Tim Keanini ☐ Kent Landfield ☒ Scott Lawler, LP3<https://urldefense.us/v2/url?u=https-3A__lp3.com_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=VIPAHDrczIaIs-_TO0kQKCh5kSsAu8PFtZD5qN6Akkw&e=> ☒ Art Manion ☒ MegaZone (CNA Board Liaison), F5, Inc.<https://urldefense.us/v2/url?u=https-3A__www.f5.com_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=A6nY1FOSyotHQ2HeZmPP2a8_5vP_YsnNrdWT5ToP30g&e=> ☒ Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)<https://urldefense.us/v2/url?u=https-3A__www.dhs.gov_cisa_cybersecurity-2Ddivision_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=NJG9CX_XQYRlrYp8Cc7aVSVGBpVVlYtsGEdSJJ6wxqE&e=> ☒ Chandan Nandakumaraiah ☐ Kathleen Noble ☒ Madison Oliver, GitHub Security Lab<https://urldefense.us/v2/url?u=https-3A__securitylab.github.com_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=UHJUFyIaTR39gmDmGEIV2hdzgrlEDj0sTQFWBI7II5A&e=> ☐ Lisa Olson, Microsoft<https://urldefense.us/v2/url?u=https-3A__www.microsoft.com_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=6863XK0HQTQG-XbdPm9qkX71KjQZKbE815Basyabflk&e=> ☐ Shannon Sabens, CrowdStrike, Inc.<https://urldefense.us/v2/url?u=https-3A__www.crowdstrike.com_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=t-ACRivaOZVgu9yX1_aPq51By-nToYDY5BdGbQEOPog&e=> ☐ Christopher Turner, NIST<https://urldefense.us/v2/url?u=https-3A__www.nist.gov_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=MrgHxbx_Fg7elkcWjNOHWZYBPMN6MewwclETilKeBIw&e=> ☒ Takayuki Uchiyama, Panasonic Holdings Corporation<https://urldefense.us/v2/url?u=https-3A__holdings.panasonic_global_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=6soklSToj4XLTzMGZcX_OjjQa4IEQf6PTmknWcv8cuE&e=> ☒ David Waltermire ☐ James “Ken” Williams, Broadcom Inc.<https://urldefense.us/v2/url?u=https-3A__www.broadcom.com_&d=DwMGaQ&c=Al8V6E3U0yBSSEuVtdZbGtsvjPA49U3WmtZAsdW0D_Q&r=oKwbSNNG4ptpwMOrA52FpQ&m=hFDKG5wguSCWH6vEC9ywSlIr62bxHtrOWGuFDgM5-0sM0KgvmDobkIiO5CeQXnTg&s=KkyAvJss5BWbtIbfCIhnkwLXf91cOyCupVfuP3gWFyM&e=>
MITRE CVE Team Attendance ☒ Kris Britton ☒ Christine Deal ☐ Bob Roberge ☒ Anthony Singleton ☒ Jo Bazar ☒ Alec J Summers Agenda * Code of Conduct Complaint and Discussion * Status Update: Timestamp Normalization and SADP Pilot * Discussion: Board Nomination Next Steps New Action Items from Today’s Meeting New Action Item Responsible Party Constitute Code of Conduct review subgroup Secretariat/Board Proceed with Board nomination interview Secretariat/Board Code of Conduct Complaint and Discussion A Code of Conduct complaint was presented for discussion by a Board member. The nature of the complaint required drafting modifications to aspects of the existing Code of Conduct policy and related procedures to appropriately handle it. A proposal was presented to clarify enforcement responsibility and establish a defined protocol for cases involving potential conflicts of interest. The proposed approach included notifying the Board when a conflict arises, forming a small, subgroup of Board members with no potential conflicts of interest to review the complaint, aiming for timely handling, and ensuring the reporting party is informed of outcomes. Discussion emphasized that the individuals with conflicts should be fully removed from review and decision-making. The proposed subgroup was viewed as a necessary corrective action to ensure objectivity, transparency, and confidence in the process. Participants discussed whether investigative or fact-gathering support could be provided by Roots or Top-Level Roots (TLRs), separate from adjudication, to reduce burden on the Secretariat and Board. It was generally agreed that investigative support could be appropriate depending on the nature of the complaint, while final deliberation should remain with the designated Board subgroup. Documentation and transparency were also discussed. Participants favored managing Code of Conduct updates through a version-controlled process (e.g., markdown in a documents repository) to clearly show changes over time, while maintaining an authoritative published version (such as a PDF) on the program website. The importance of avoiding confusion between “working drafts” and the officially enforced policy was emphasized. The group agreed that updating policy should not delay handling the current complaint. Timeliness and clear communication with the reporting individual were highlighted as priorities. Status Update: Timestamp Normalization and SADP Pilot Timestamp Normalization A status update was provided on planned normalization of date formats across mandatory date fields in historical CVE Records. Participants were reminded that formatting for newly published records had already been standardized, while this effort focuses on historical records. The change was characterized as a quality improvement initiative with no alteration to semantic meaning or compliance. The goal is to reduce ambiguity for downstream analytics, improve data consistency, and support more reliable historical searches. The maintenance activity is scheduled to begin February 16. It was emphasized that many records will appear as modified, including updates to modification timestamps, and that these changes will surface in GitHub history and delta files. This effect was highlighted as the primary downstream impact. Extensive outreach efforts were described, including blog posts, direct CNA communications, working group briefings, repository announcements, targeted engagement with PSIRTs and scanning vendors, and recurring open sessions for questions. Early feedback has not indicated material opposition, and most downstream users are already accustomed to handling date inconsistencies. The overarching messaging objective is to avoid surprise, misinterpretation, or external concern by clearly communicating that the change is formatting-only. SADP Pilot An update was provided on the Supplier ADP (SADP) pilot, which is intended to test the ability of downstream suppliers to publish ADP containers indicating their product status relative to upstream vulnerabilities. Participants reiterated that the pilot is designed to move beyond theoretical discussion and generate operational learning. A two-phase approach is being used: * Phase 1 will rely on a demonstration environment, scheduled to be available February 3, allowing participants to test workflows using synchronized data without impacting production. * Phase 2 would transition participants to production accounts, enabling supplier ADP data to be visible to the community. Early expectations suggest Phase 2 could begin in early March, subject to readiness. Broader infrastructure and scalability considerations were acknowledged but intentionally excluded from the pilot’s scope. The group noted that while the pilot is limited to supplier ADPs, this does not preclude other ADP types in the future. Discussion: Board Nomination Next Steps The Board discussed whether to proceed with a pending Board nomination interview considering draft congressional committee language shared earlier by email. Participants agreed that draft legislation does not constitute enacted law and should not, by itself, interrupt standard Board processes. Concerns were raised regarding optics and potential perceptions of organizational concentration or conflicts of interest, particularly where nominees may be associated with organizations already represented on the Board. The nominating Board member clarified that the nomination was based on the individual’s qualifications and history of contribution, not organizational entitlement. Several participants emphasized the importance of being able to clearly articulate this rationale if questioned externally. A snap vote was conducted to determine whether to proceed with the interview. The Board unanimously agreed to move forward. ________________________________ Open Discussion Participants discussed the draft congressional language more broadly, noting that, to their knowledge, the program and relevant operational teams were not consulted during its drafting. Attribution and intent remain unclear. Several members cautioned against overreaction prior to understanding the source and motivation behind the language. It was noted that some concepts raised, such as broader international participation, have appeared previously in public discussions and may warrant consideration independent of legislative mechanisms. The group discussed general discomfort with highly prescriptive legislation governing program operations, noting that flexibility has historically been important to program effectiveness. A brief exchange addressed the status of CISA 2015 authorities. Members shared informal awareness of potential short-term extension efforts. A member repeated a request to obtain access to MITRE’s contract with CISA concerning the CVE Program. It was repeated that the Secretariat is unable to fulfill that request. Members referenced some external discussions and public reporting as to a perceived funding cliff in the program’s operations. It was clarified that there is no funding cliff in March, and that ongoing operations and planning extend well beyond that timeframe. With no further topics raised, the moderator closed the discussion and adjourned the meeting early, returning time to participants. ________________________________ This document includes content generated with the assistance of Microsoft Teams Copilot, a generative AI tool. Microsoft Teams Copilot was used to generate the initial draft of the meeting minutes and provide suggestions for summarizing key discussion points. All AI-generated content has been reviewed and edited by the CVE Program prior to publishing. Please report any inaccuracies or other issues to the CVE Program.
