CVE at a crossroads: A blueprint for the next 25 years
The Common Vulnerabilities and Exposures (CVE) Program is at a crossroads. Since 1999, it has served as the canonical index of software vulnerability identifiers, a critical function in a world that increasingly relies on software to power every aspect of modern life. Its success over the last quarter century is a testament to the vision of its founders and the dedication of the volunteers who have helped it grow into a core element of global software security.
However, recent funding and contracting issues have laid bare fundamental challenges with the program. Without adaptation, the vulnerability identification landscape will fragment. A quarter-century’s progress driving towards a common lexicon will be undone. Cyber defenders will suffer as the task of deciphering what vulnerability an alert refers to falls on their shoulders. And software makers will lose a vital source of data about the prevalence of software defects, important information to drive progress in security-by-design.
To prevent fragmentation, the CVE Program must evolve. It needs a broader base of funding from governments, philanthropies, and industry. And it needs a new governance structure with representation from non-U.S. governments and voices from across the entire community of CVE Record producers and users.
Read more at Institute for Security and Technology