FAQs about We Speak CVE:
How many episodes does We Speak CVE have?
The podcast currently has 30 episodes available.
March 24, 2026
CVE Record Disputes Explained
In this episode of the “We Speak CVE” podcast, MITRE’s CVE and CWE Project Lead Alec Summers chats with Yves Younan of Cisco, Alex Kreilein of Qualys, Pedro Sampaio of Red Hat, and Anthony Singleton of the MITRE Top-Level Root, about the CVE Record dispute process.
Topics include how the dispute policy came to exist and the two types of CVE Record disputes; a walk-through of the process for disputing a CVE Record, including what steps to take and what to expect; why some disputes persist indefinitely; whether all CVE Record disputes need to be resolved; why some disputes remaining visible to the downstream consumer is healthy; an overview of how the CVE Record Dispute Policy was created and how it continues to be updated over time; how the CVE Program continuously seeks community input on the dispute process; and more.
Resources mentioned in the podcast include:
CVE Record Disputes Explained blog
CVE Program Dispute Policy (PDF)
Dispute Policy Feedback survey form
CVE Record Disputes panel discussion at VulnCon 2026
30 min
October 14, 2025
The CVE Consumer Working Group (CWG)
“We Speak CVE” podcast host Shannon Sabens chats with CVE Consumer Working Group (CWG) co-chairs, Jay Jacobs and Bob Lord, and CVE™ Project Lead Alec Summers, about how the CWG was created to address the needs and perspectives of those who use CVE data — ranging from enterprise security teams to tool developers and managed security service providers — recognizing that their requirements and pain points often differ from those of upstream data providers.
Topics include the CWG’s goals to systematically capture and organize consumer feedback, identify common and unique challenges across different user types, and inform improvements in the CVE Program; the diversity and international participation among sign-ups, including organizations outside the usual sphere, such as medical companies; and the concept of “patch smarter, not harder,” stressing the importance of prioritization and high-quality data to help defenders manage the overwhelming volume of vulnerabilities. In addition, listeners are encouraged to join the CWG for meetings scheduled to accommodate global involvement and help participate in shaping the future of CVE.
21 min
August 05, 2025
Mapping the Root Causes of CVEs
“We Speak CVE” podcast host Shannon Sabens chats with CVE™/CWE™ Project Lead Alec Summers and CWE Top 25 task lead/CWE Root Causes Mapping Working Group lead Connor Mullaly about the importance of mapping CVE Records (vulnerabilities) to their technical root causes using Common Weakness Enumeration (CWE). Additional topics include the benefits of RCM for CVE Numbering Authorities (CNAs) and consumers of CVE data, Common Vulnerability Scoring System (CVSS) and other vulnerability metadata and their differences with CWE, the CWE Top 25 Most Dangerous Software Weaknesses list, and the tools and guidance available to improve the RCM process (e.g., examples of mappings and best practices on the CWE website, mapping usage labels on CWE entry pages on the website, the RCM WG, and an LLM tool), and more.
24 min
February 04, 2025
25 Years of CVE and What’s Next
Host Shannon Sabens speaks with fellow CVE Board members Kent Landfield and Madison Oliver and CVE Program Lead Alec Summers about the 25th anniversary of the CVE Program. Topics include the history of the program, the program today, and what’s next.
48 min
October 01, 2024
CNA Onboarding Process Myths Versus Facts
Shannon Sabens of CrowdStrike chats with Dave Morse, program coordination lead for the CVE Program, about the myths and facts of the CVE Numbering Authority (CNA) partner onboarding process. Truth and facts about the following topics are discussed: duration and complexity of the onboarding process; the fact that there is no fee to participate; ease of incorporating assigning CVE Identifiers (CVE IDs) and publishing CVE Records into an organization’s existing coordinated vulnerability disclosure (CVD) processes; availability of automated tools for CNAs; the CVE JSON Record format and available guidance; role of Roots and Top-Level Roots and how they help CNAs; importance of CNAs determining their own scopes; disclosure policies; the community aspect of being a CNA and the availability of peer support; the value of CNAs participating in one or more CVE Working Groups, especially the CNA Organization of Peers (COOP); and much more!
25 min
May 21, 2024
Expected Impact of the CNA Rules 4.0
Host Shannon Sabens speaks with Art Manion and Kent Landfield, all three of whom are CVE Board members and CVE Working Group (WG) chairs, about the all-new “CVE® Numbering Authority (CNA) Operational Rules Version 4.0.” Topics discussed include the new fundamental concept embedded throughout the rules called the “right of refusal”; how CVE assignment is technology neutral (i.e., cloud, artificial intelligence, etc.); end-of-life assignments; the dispute process; how CNAs can add additional data to their CVE Records such as CVSS, CWE, and CPE information at the time of disclosure for use by downstream consumers; and the expected positive impact of the rules on CNAs and the vulnerability management ecosystem.
CNA Rules v4.0 - https://www.cve.org/ResourcesSupport/AllResources/CNARules
38 min
April 29, 2024
Swimming in Vulns (or, Fun with CVE Data Analysis)
Host Shannon Sabens of CrowdStrike chats with Benjamin Edwards and Sander Vinberg, both of Bitsight, about analyzing vulnerability data in the CVE List. This is a follow-on to their “CVE Is The Worst Vulnerability Framework (Except For All The Others)” talk at CVE/FIRST VulnCon 2024.
Topics discussed include the types of vulnerabilities and vulnerability intelligence they reviewed and the different ways they approached the data; how CVE is a really good framework for compiling information about, and communicating effectively about, vulnerabilities; how increasing the number of CVE Numbering Authorities (CNAs) through federation has improved the quantity and quality of data produced by the program over time; how the overall quality of CVE List data will improve for the entire vulnerability management ecosystem as more CNAs include CVSS, CWE, CPE, etc., information when their CVE Records are published; and much, much, more!
44 min
April 09, 2024
Meet the 3 New CVE Board Members
In this episode — recorded live at “CVE/FIRST VulnCon 2024” — CVE Board member and CVE podcast host Shannon Sabens of CrowdStrike chats with the three newest CVE Board members: Madison Oliver of GitHub Security Lab, Tod Beardsley of Austin Hackers Anonymous (AHA!), and MegaZone of F5 who joins as the new CVE Numbering Authority (CNA) Liaison to the Board.
Topics include how and why each new member joined the board, the impact that participating in CVE Working Groups had on their decisions to become Board members, how federation and the ongoing addition of new CNA partners has significantly improved the CVE Program, how the program is voluntary, and how those who participate have the ability to make significant impacts in improving vulnerability management at an international level, and more.
26 min
March 26, 2024
CVE Records States and Tags
Host Shannon Sabens speaks with Art Manion and Kent Landfield, all three of whom are CVE Board members and CVE Working Group (WG) chairs, about CVE Records. Discussion topics include the CVE Record Lifecycle, the three “states” of CVE Records (RESERVED, PUBLISHED, and REJECTED), the current “tags” in use with CVE Records (EXCLUSIVELY-HOSTED-SERVICE; UNSUPPORTED-WHEN-ASSIGNED; and DISPUTED), the difference between the REJECTED state and the DISPUTED tag, how a DISPUTED tag can be temporary or indefinite, and much more.
34 min
January 30, 2024
The Council of Roots
Learn how CVE Numbering Authority (CNA) partners—ranging from large to small organizations, proprietary and open-source products or projects, disparate business sectors, and different geographic locations—are overseen and supported within the CVE Program by “Top-Level Roots” and “Roots.” Topics include the roles and responsibilities of the two different types of Roots; how their work benefits the CNAs under their care; how they recruit new CNA partners, including suggestions for addressing upper management concerns if a CNA prospect organization is hesitant to partner as a CNA; how they work with and support their CNAs over time; how the “Council of Roots” works together to enhance and help improve the program overall; and much more.
All current CVE Program Top-Level Roots and Roots are represented in this podcast. In addition to host Shannon Sabens of CrowdStrike, speakers include Julia Turkevich of the CISA Top-Level Root and CISA ICS Root, Dave Morse of the MITRE Top-Level Root, Cristian Cadenas Sarmiento of the INCIBE Root, Paul Dev of the Google Root, Tomo Ito of the JPCERT/CC Root, and Yogesh Mittal of the Red Hat Root.
LINKS:
Benefits of being a CNA partner
How to become a CNA partner
Partner onboarding process
List of current CNA partners
49 min