LAS VEGAS — The premier global program that catalogs cybersecurity vulnerabilities is on shaky ground and needs significant reforms, cybersecurity experts said at the DEF CON conference here on Saturday.
The Common Vulnerabilities and Exposures (CVE) program has quietly underpinned the process of finding and fixing software flaws since its creation in 1999. But the program’s database of vulnerabilities, which is managed by the MITRE Corporation under a contract with the Cybersecurity and Infrastructure Security Agency (CISA), almost shut down in April due to an issue with MITRE’s government contract. CISA renewed that contract at the last minute after a public outcry, but the incident reminded the cybersecurity community of the risks inherent in relying on government funding for such an important resource.
“We were all, frankly, freaked out when the CVE program lost funding,” Elizabeth Eigner, a security policy strategist on Microsoft’s Global Cybersecurity Policy team, said during the DEF CON panel. “I’d like to see solidified funding and a guarantee of long-term funding and continuity.”
The CVE program serves as the world’s central repository of detailed information about software vulnerabilities. People who discover vulnerabilities report them to organizations known as CVE Numbering Authorities (CNAs), which validate them, assign them unique CVE identifiers and publish them to the CVE catalog. All subsequent conversations about these vulnerabilities — from vendor patches to proof-of-concept exploits to reports of attacks — reference their CVE numbers and the information in their catalog records.
The database should be considered “critical infrastructure,” said Eigner, who noted that Microsoft reports between 80 and 100 vulnerabilities to the program every month.
The April contract incident renewed discussions within the cybersecurity community — which has long been skeptical of government control of key digital infrastructure — about reducing the CVE program’s reliance on U.S. government funding. When the MITRE contract was on the verge of lapsing, members of the CVE program’s board created a nonprofit group intended to take custody of the program from MITRE.
CISA’s sponsorship of the program has “raised longstanding concerns among members of the CVE board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,” the board members wrote.
CISA rushed to reassure its alarmed partners. A top CISA official said the agency was “proud to be the sponsor for the CVE program” and was “very open to reevaluating” its role. At the Black Hat USA cybersecurity conference here on Thursday, CISA officials reiterated that the program was essential to the security community’s work.
“Thankfully, everything is good for the moment,” Madison Oliver, senior manager for advisory database curation at GitHub, said during the DEF CON panel. But the CVE program’s advocates have a new appreciation of its precarity, she said, and they are focused on “ensuring the program can remain resilient, transparent and sustainable.”
Eigner said the incident had created a “trust gap” between the U.S. government and other major participants in the program. (Her employer, Microsoft, is one of the largest CNAs.) Many of those participants are now “looking at each other maybe a little warily,” she said.
Future of the CVE
Whether the CVE database remains a government-funded effort or moves to a nonprofit, experts said the program needs more rigorous governing protocols.
“We need independent governance, free from a single agency or vendor dependency,” Eigner said. “I’d like to see more neutrality and trust in the program [so there isn’t] one single entity [that] controls what’s happening.”
Trey Ford, CISO for the Americas at bug-bounty vendor Bugcrowd, said the cybersecurity community needed to pay closer attention to the program’s stability.
“CVE is a public good, and we need to be thoughtful about that,” he said. “We need to be custodians of that.”
The CVE program has evolved over the years, especially after 2016, when its governing board decided to expand the range of organizations that could become CNAs. At the time, there were 23 CNAs; there are now 463.
During Saturday’s panel, Chandan Nandakumaraiah, head of product security at NETGEAR, argued that the diversification of CNA authority was one reason not to worry about a U.S. government retreat from the CVE program.
“It’s not all doom and gloom,” he said.
The CVE program would have continued if MITRE’s contract had lapsed, Nandakumaraiah said; there simply would have been an interruption in the hosting of its database. Following the April incident, the CVE board created a backup plan for how the database could “fail over” to a non-government system.
Other participants in the CVE ecosystem were less confident.
“I’m thrilled to see a failover plan in place,” Eigner said, describing it as “the first step in alleviating the trust gap” that has arisen. But what’s still missing, she said, is a sense that the program’s “core infrastructure” is accountable to the security community writ large.
CISA’s role
Moving the CVE program into the new nonprofit group could help address those accountability concerns. And as the group’s founders pointed out, there is precedent for such a move in the history of the internet’s infrastructure.
“Regardless of what happens,” Eigner said, “CISA still needs to play a core role, but how can we have other players be accountable and be part of that core infrastructure, not just a contributor?”
Without a major effort to shore up the program’s foundations, Eigner argued, there was a real risk of it crumbling into “balkanization,” with multiple smaller groups disjointedly trying to replace it. “These gaps [would] make us all less safe.” (In May, the European Union launched its own vulnerability database.)
The cybersecurity community should begin planning now for the CVE program’s future, Eigner said, so that “we can avoid this collapse of the Rosetta Stone that we’re all so concerned about.”
Read more news from Black Hat USA 2025 here.