Can We Trust CVE?
a year ago
- #Trust
- #CVE
- #Cybersecurity
- The CVE program faced a funding crisis, temporarily resolved by an 11-month CISA contract extension, leaving its longer-term future uncertain.
- NVD stopped enriching CVE records (CVSS scores, CPE names) in early 2024, and the lack of communication about the resulting backlog cost it trust.
- The VulnCon conference showed that CVE leadership was unprepared for a funding crisis before it actually hit.
- MITRE, CISA, and CVE failed in communication, eroding trust further with no clear plans or transparency.
- Alternatives to CVE are emerging, including OWASP's Unified Framework for Global Vulnerability Intelligence and ENISA's EUVD (European Vulnerability Database).
- GCVE (CIRCL's decentralized Global CVE allocation system) and the CVE Foundation are further initiatives, each with its own trust and transparency questions.
- Trust in public entities requires transparency, a lesson not heeded by current CVE stakeholders.
- The future of vulnerability management may lie in decentralized, open-source solutions with clear governance.
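The practical consequence of the NVD enrichment gap noted above is that a vulnerability-management pipeline can no longer assume every CVE carries an NVD-assigned CVSS score. The following is an added example, not code from the original post: a hypothetical helper that walks records shaped like the NVD CVE API 2.0 response and reports, per CVE, whether the score came from NVD, from the CNA, or is missing altogether. The records and CVE IDs are constructed placeholders.

```python
"""Classify the provenance of each CVE's CVSS score.

Added example (hypothetical helper, not the post's or NVD's own code).
Input mirrors the NVD CVE API 2.0 shape: vulnerabilities[].cve with
"vulnStatus" and "metrics" keyed by cvssMetricV40 / cvssMetricV31 / cvssMetricV30,
each entry carrying "source", "type" and "cvssData". The sample records
below are constructed; the CVE IDs are placeholders, not real identifiers.
"""
from typing import Dict, List, Optional

NVD_SOURCE = "nvd@nist.gov"  # source string NVD uses for its own scoring
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30")


def score_provenance(cve: dict) -> Dict[str, Optional[object]]:
    """Return origin ('nvd', 'cna' or 'unscored') and the base score used."""
    metrics = cve.get("metrics", {}) or {}
    entries: List[dict] = []
    for key in METRIC_KEYS:  # prefer newer CVSS versions when several exist
        entries.extend(metrics.get(key, []))
    nvd = [m for m in entries if m.get("source") == NVD_SOURCE]
    cna = [m for m in entries if m.get("source") != NVD_SOURCE]
    if nvd:
        chosen, origin = nvd[0], "nvd"
    elif cna:
        chosen, origin = cna[0], "cna"
    else:
        chosen, origin = None, "unscored"
    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus"),
        "origin": origin,
        "score": chosen["cvssData"]["baseScore"] if chosen else None,
    }


def enrichment_report(response: dict) -> List[dict]:
    """Classify every CVE in an API-2.0-shaped response."""
    return [score_provenance(v["cve"]) for v in response.get("vulnerabilities", [])]


def needs_attention(response: dict) -> List[str]:
    """IDs whose score did not come from NVD: review manually or score yourself."""
    return [r["id"] for r in enrichment_report(response) if r["origin"] != "nvd"]


def summarize(response: dict) -> Dict[str, int]:
    """Count records per origin, e.g. to trend the backlog over time."""
    counts = {"nvd": 0, "cna": 0, "unscored": 0}
    for r in enrichment_report(response):
        counts[r["origin"]] += 1
    return counts


# Constructed sample data: one fully enriched record, one with only a CNA
# score, one still awaiting analysis with no score at all.
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed", "metrics": {
            "cvssMetricV31": [
                {"source": NVD_SOURCE, "type": "Primary", "cvssData": {"baseScore": 9.8}},
                {"source": "cna@example.org", "type": "Secondary", "cvssData": {"baseScore": 8.8}},
            ]}}},
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis", "metrics": {
            "cvssMetricV31": [
                {"source": "cna@example.org", "type": "Secondary", "cvssData": {"baseScore": 7.5}},
            ]}}},
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    ]
}

if __name__ == "__main__":
    for row in enrichment_report(SAMPLE_RESPONSE):
        print(row)
    print("needs attention:", needs_attention(SAMPLE_RESPONSE))
    print("summary:", summarize(SAMPLE_RESPONSE))
```

Run against a real API pull, the "cna" and "unscored" buckets are the records a pipeline that hard-codes NVD scores would silently treat as low priority or skip; tracking their share over time is a simple way to measure how much of the enrichment gap is actually affecting your inventory.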