Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

CVE at a crossroads: A blueprint for the next 25 years

(Image by Innova Labs from Pixabay)

By Nicholas Leiserson, Bob Lord, Lauren Zabierek

The Common Vulnerabilities and Exposures (CVE) Program is at a crossroads. Since 1999, it has served as the canonical index of software vulnerability identifiers, a critical function in a world that increasingly relies on software to power every aspect of modern life. Its success over the last quarter century is a testament to the vision of its founders and the dedication of the volunteers who have helped it grow into a core element of global software security.

However, recent funding and contracting issues have laid bare fundamental challenges with the program. Without adaptation, the vulnerability identification landscape will fragment. A quarter-century’s progress driving towards a common lexicon will be undone. Cyber defenders will suffer as the task of deciphering what vulnerability an alert refers to falls on their shoulders. And software makers will lose a vital source of data about the prevalence of software defects, important information to  drive progress in security-by-design.

To prevent fragmentation, the CVE Program must evolve. It needs a broader base of funding from governments, philanthropies, and industry. And it needs a new governance structure with representation from non-U.S. governments and voices from across the entire community of CVE Record producers and users.

Read more at Institute for Security and Technology

Click to listen highlighted text!