Despite challenges, the CVE program is a public-private partnership that has shown resilience – CyberScoop

In 1999, Dave Mann and Steve Christey, two researchers from the nonprofit R&D corporation MITRE, debuted a concept for identifying security vulnerabilities that laid the groundwork for the Common Vulnerabilities and Exposures (CVE) framework, which organizes information about computer vulnerabilities.
Twenty-five years later, the CVE program, which assigns a unique record to each reported vulnerability, is in its fifth iteration. It has become a highly valued and integral aspect of how cybersecurity defenders can consistently share information about vulnerabilities and achieve interoperability across threat databases. There are now 413 organizations from over 40 countries reporting CVEs, with new reported vulnerabilities soaring to over 40,000, and total CVE records climbing to 270,768 in 2024.
“The underlying value of CVE continues to resonate, which is: how do we make sure that two or more people in different organizations can look at a vulnerability and know they’re talking about the same thing?” Peter Sheingold, senior principal and senior manager of cybersecurity and infrastructure security at MITRE, which runs the CVE program, told CyberScoop.
But along the way, the program has weathered challenges and dealt with changes that have enabled it to retain its status as the premier global go-to mechanism for understanding cybersecurity vulnerabilities. Ben Edwards, principal research scientist at Bitsight, likens the CVE system to Winston Churchill’s famous quote, “Democracy is the worst form of government, except for all the others.”
Like democracy, the CVE program, despite its flaws, is still the best way to identify and deal with vulnerabilities, he told CyberScoop.
Growing pains from CNA system growth
The CVE system has several key components, but few are more integral to understanding some of the program’s current challenges than the CVE numbering authority (CNA). CNAs are the entities that get to assign CVE IDs and publish the corresponding records.
In 2016, the CVE program expanded the number of entities that can become CNAs. “What has happened since then is, as we’ve gained more CNAs who can all issue their own CVEs at their own rate, they’re just able to catalog all the flaws there are,” Edwards said. “And we’ve seen this exponential increase. I don’t think this is a bad thing or necessarily means we should be worried that we’re more insecure. Probably the opposite in the sense that the more visibility we have into these CVEs, the better we can protect ourselves,” he said.
Not everyone wholeheartedly embraces the rapid growth in the number of CNAs. Some professionals who work with the data suspect that there are software providers who joined the CNA ranks specifically to hide the vulnerabilities they find or to shade the data in the most flattering light.
“The dirty secret is a lot of companies become CNAs now to hide vulnerabilities,” Tom Pace, co-founder and CEO of NetRise, told CyberScoop. “For example, if [a company] is a CNA, then if you are a researcher and you find a vulnerability or a zero day and you want to disclose it properly, the only route you have is to go through [the company].”
Experts acknowledge this incentive exists. Jay Jacobs, founder of Empirical Security, told CyberScoop, “It’s a tricky spot to be in because there is the notion that the more information the CNAs make public, the easier it could be to exploit it. There is a theory that if you don’t disclose all information, maybe the number of attackers can be reduced or contained, or maybe it’s zero if you have very little information. I don’t think that’ll ever be the case, but that’s one of the theories that CNAs may be considering.”
However, Alec Summers, MITRE’s principal cybersecurity engineer and group lead of cybersecurity operations and integration, told CyberScoop that the federated nature of the CVE ecosystem helps limit how often CNAs can hide vulnerabilities.
“There are plenty of things in the ecosystem to prevent that from happening,” he said, particularly when outside researchers discover a flaw the CNA denies. “You go to that CNA, and they say, ‘Oh, that’s not a vulnerability.’ And they fight, and they go back and forth. We have a dispute policy. The CVE program has a dispute policy and has an escalation policy” to deal with precisely these situations.
CNAs are governed by a hierarchy, with the highest level considered a root CNA, meaning that it can impose sanctions on lower-level CNAs if they are non-compliant with the system’s community-developed rules. The top-level root CNAs are the Cybersecurity and Infrastructure Security Agency (CISA) for industrial control systems and medical devices and MITRE for all other organizations.
Data quality and complexity issues arise
Experts also point to several issues regarding the adequacy or complexity of the data reported by CNAs.
“The biggest thing I run into is data quality,” Jacobs said. “The amount of completeness and the quality of the records can vary enormously.” He adds, “We do see an increase in the CNAs stepping up on their data quality, their completeness of data. It’s not perfect. We’re still missing data.”
Other experts argue that the growing number of CVEs is actually leading to improvements in CVE records, as the software suppliers who are most familiar with their flaws are best equipped to describe them.
“What is exciting about the CVE program and some of its recent programmatic evolution is the enabling of and the empowering of its hierarchical structure of roots and CNAs to start providing more of these kinds of metric information in the record itself,” MITRE’s Summers says. “So, you have people who are enabled through the CVE record format being closest to the product and having the knowledge of, for example, the root cause.”
Edwards and other cybersecurity researchers have pointed out another issue: over the past 25 years, the data has grown more complex, making it sometimes challenging to interpret and still not useful for some consumers.
“The format has maybe expanded to where it’s a little unwieldy and maybe doesn’t fit exactly the purposes that everybody needs,” Edwards said. “But at the same time, it’s what we’ve got. And it is certainly better than starting from scratch trying to do a new standard and trying to build something else and potentially fracture the landscape.”
A recent stress test
The US federal government funds all three major CVE players: the National Institute of Standards and Technology (NIST), CISA, and MITRE. Last year, NIST lacked sufficient funding to process CVEs on time, resulting in a backlog of records awaiting entry into the widely used, enriched CVE database known as the National Vulnerability Database (NVD).
This lag created concern among defenders and prompted CISA and other organizations to help fill in the gaps. NIST has been digging its way out of the backlog with the help of a vendor, ANALYGENCE Labs.
Michael Roytman, co-founder of Empirical Security, told CyberScoop that although concerning, the NVD backlog was “actually a good stress test to try to understand what happens to the ecosystem in the event that any of these databases go down, and the reasons could be numerous, the reasons could be administrative changes, could be funding, could be technical.”
The CVE program might undergo yet another stress test as the Trump administration’s DOGE initiative shrinks headcount and reduces funding of not only NIST, which has already laid off 500 employees, but also CISA, which has lost hundreds of employees in at least three rounds of layoffs.
Most CVE experts argue that even with the current climate, the cuts would have to be highly draconian to mar the program. Bitsight’s Edwards said, “I think that there is sufficient information within the MITRE CVE list that we can certainly get by” if funding were to be significantly reduced.
Lisa Fasold, public relations principal and group lead at MITRE Enterprise Communications, told CyberScoop that “we have 1,500 cybersecurity experts on staff ready to keep building” before a worst-case scenario would materialize.
Optimism for the future
Despite glitches and possible funding potholes along the road, experts have nothing but praise and optimism for the CVE program’s future. “It’s not perfect by any means, but it has stood the test of time,” Art Manion, a longtime CVE expert and deputy director of ANALYGENCE Labs, speaking in his personal capacity, told CyberScoop. “A world without CVE in it would get pretty ugly.”
MITRE’s Summers says, “It’s been 25 years of this program, and I don’t know if it’s possible to name another such public-private partnership program that has lasted that long and has continued to be so impactful in an ongoing way. I’m excited about the opportunity to continue evolving in ways that bring value to the community.”
Empirical Security’s Roytman echoes the enthusiasm of his peers when he says, “The fact that we’ve gotten together as an industry and have this public good and vendors build whole products off of it is wonderful and excellent and should continue to improve.”