This year at BSides Las Vegas, a panel discussing the CVE program and crisis occurred. I watched the panel discussion after the fact, since I did not attend. For full transparency, something MITRE isn’t fond of, I almost attended as a keynote speaker on the subject of CVE. I was invited to, but personally did not feel I had enough time to prepare a presentation with my current work/life load. If I had a couple extra weeks lead time, it would have been enough and I would have spoken on the topic. I really wish I had after seeing this panel, which to me, was a let-down.
The panel is not very educational or exciting; the people chosen for the discussion are all eager fans of the CVE program, and there was no dissenting voice present. That said, two of the panelists (Gamblin and Beardsley) did call out shortcomings of the program, which was good to hear. Still, I think any modern InfoSec panel should include a truly dissenting, but educated, viewpoint. Otherwise you get a lot of back-patting and it becomes a low-key cheering event. With that, here are some quotes and my thoughts. Note that these are my typed-out quotes, so typos and such are mine.
“… excited to engage with you all …” — Chris Butera, CISA
And yet there was no Q&A allowed after the panel, so no actual engagement. Chris said something to this effect more than once, yet when I email CISA about potential mistakes or issues with advisories and the KEV, I rarely get anything other than automated responses, or something that could technically be described as a response, without providing any help or information whatsoever.
“… there was never a funding issue in April. There was a contract management issue that we had to get the contract in place. Um, those of you who worked in government know that those things can be tricky. Um, we made it past that. Uh CISA will continue to fund the program. We have ample funding to fund the program and it is a huge priority for CISA to fund this program.” — Butera
So why was it in the last hour that MITRE notified the public? Why didn’t CISA/MITRE issue a statement that it was being worked on well in advance, to avoid the appearance of a crisis? Why did MITRE literally say there was no funding come the next day? What the public was told days later, when CISA “stepped in” to “save the program”, was that the contract was apparently already in place and only needed a signature to authorize a second set of funds.
“… the CVE program is a public good. You know the privatization would lead to potential conflicts of interest, bifurcation and general confusion um that could lead to national security issues.” — Butera
So much to unpack here in that short bit. First, while MITRE is technically a 501c, they are still a profitable entity. The way MITRE runs the program, based on the money they receive, there are either epic levels of waste and mismanagement, and/or an incredible amount of profit being made. Second, there have already been huge conflicts of interest that led MITRE to take actions that were not in the interest of the CVE program as it pertains to the greater community good. Third, CISA and MITRE’s lack of transparency has already caused confusion and is one of the reasons he is sitting on a panel four months later. Fourth, MITRE’s lack of proper VDB management has already led to national security issues.
“Um so for each of these vulnerabilities that is published in the CVE catalog uh CISA enriches those vulnerabilities with specific indications around exploitation um that could lead to us publishing it in the known exploited vulnerabilities catalog that again then triggers additional workflows for our operational teams where we will uh publish an alert to our different stakeholders alerting them to patch that immediately for our federal stakeholders that means they have to patch it in a very tight timeline.” — Butera
First, CISA does not enrich ‘these’ vulnerabilities in the sense of every vulnerability appearing in CVE, as stated. Rather, CISA enriches a subset of those vulnerabilities, while NVD belatedly enriches others. Second, he just said that there may be ‘indications’ of exploitation in CVE (found in the JSON, not the web site) that could lead to a vulnerability being added to KEV. Why is that? If there are enough indications of exploitation to add them to CVE saying “exploit”, why not add them to the KEV?
Madison Oliver: “… generally I’d love to see things move faster. I’d love to see things be more transparent. I’m a huge advocate of transparency.”
Tod Beardsley: “I’m with Madison. Like things do need to be faster, more transparent, more accountable.”
Over the ten years I was on the board screaming at MITRE to be more transparent in different regards, and now two CVE board members confirm it hasn’t been fixed. MITRE is still not being transparent.
“… we’ve increased the completion, uh, records of the CWE significantly over the last few years, which has been an exciting achievement for this, um, program.”
If doing better at adding a single point of metadata, in 2025, is an ‘exciting achievement’… CVE is so far behind the curve it is laughable. It is a reminder of how CVE has never been reliable and has not evolved in over 25 years.
“… how we’re trying to enable automation into this vulnerability ecosystem.” — Butera
Sorry, you don’t get to say this because you are actually talking about the CVE ecosystem, which is a subset of the broader vulnerability ecosystem. Nothing you described in your efforts specifically targets the broader vulnerability ecosystem; rather, it is designed for the much more limited CVE ecosystem. These are critical distinctions that anyone in our sphere should understand.
“A patch link in a CVE record is only on about 5% of all CVE records that are published today.” — Jerry Gamblin
I do like that Jerry brought numbers and receipts to this panel! Neat stat, but I bet it is also very misleading, because you don’t “link” to a Microsoft patch itself since it is pushed to consumers monthly. If you are talking about OSS, then that starts to mean something, but you also have to first tell us how many CVEs cover OSS for a frame of reference. [Gamblin later talks about it more; he is speaking to a patch ‘tag’ that can be used in association with a patch link. Less than 5% use the patch tag, which is a lot more clear.]
Gamblin: “Um, CPE, which people will tell me is terrible or not terrible, but it’s the standard we have.”
Beardsley: “It’s terrible!”
Gamblin: “It is, but it’s the terrible standard we have today is in less than 2% of all CVE records published by CNAs.”
And MITRE as well as the CVE Board, like the broader industry, are held hostage by NVD’s poor stewardship of the CPE program. Think about that statistic; less than 2% of CVE records published by CNAs have associated Common Platform Enumeration (CPE)?! That means it falls on NVD to do that work and as mentioned, they are the only ones that can create official CPE strings.
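The patch-tag and CPE percentages above are things anyone can recompute from the public CVE JSON. As an added illustration (my own script, not code from the post, the CVE program, or any panelist), here is a small Python tool that walks CVE JSON 5.x records and reports the share carrying a reference tagged “patch”, a reference tagged “exploit” (the kind of exploitation indication discussed earlier), and at least one CNA-supplied CPE string. The field paths (`containers.cna.references[].tags` and `containers.cna.affected[].cpes`) follow the CVE 5.x record format as I understand it; the records and their IDs are constructed placeholders, not real CVE data.

```python
"""Recompute the panel's metadata statistics over CVE JSON 5.x records:
how many carry a "patch"-tagged reference, an "exploit"-tagged reference,
and CNA-supplied CPE strings. Field paths follow the CVE 5.x record format
(containers.cna.references[].tags, containers.cna.affected[].cpes). The
sample records below are constructed placeholders, not real CVE data."""
import json
from typing import Iterable

# Constructed sample records; the CVE IDs are placeholders, not real entries.
SAMPLE_RECORDS = [
    {   # patch tag present, CNA-supplied CPE present
        "cveMetadata": {"cveId": "CVE-0000-0001", "state": "PUBLISHED"},
        "containers": {"cna": {
            "affected": [{"vendor": "ExampleCo", "product": "Widget",
                          "cpes": ["cpe:2.3:a:exampleco:widget:1.0:*:*:*:*:*:*:*"]}],
            "references": [
                {"url": "https://example.invalid/advisory/1", "tags": ["vendor-advisory"]},
                {"url": "https://example.invalid/fix/1", "tags": ["patch"]},
            ]}},
    },
    {   # exploit tag present, no patch tag, no CPE
        "cveMetadata": {"cveId": "CVE-0000-0002", "state": "PUBLISHED"},
        "containers": {"cna": {
            "affected": [{"vendor": "ExampleCo", "product": "Gadget"}],
            "references": [{"url": "https://example.invalid/poc/2", "tags": ["exploit"]}],
        }},
    },
    {   # reference with no tags at all, no CPE
        "cveMetadata": {"cveId": "CVE-0000-0003", "state": "PUBLISHED"},
        "containers": {"cna": {
            "affected": [{"vendor": "ExampleCo", "product": "Gizmo"}],
            "references": [{"url": "https://example.invalid/advisory/3"}],
        }},
    },
    {   # both tags present; "cpes" key present but empty, which must not count
        "cveMetadata": {"cveId": "CVE-0000-0004", "state": "PUBLISHED"},
        "containers": {"cna": {
            "affected": [{"vendor": "ExampleCo", "product": "Doohickey", "cpes": []}],
            "references": [
                {"url": "https://example.invalid/fix/4", "tags": ["patch", "vendor-advisory"]},
                {"url": "https://example.invalid/poc/4", "tags": ["exploit"]},
            ]}},
    },
]


def _cna(record: dict) -> dict:
    """The CNA container of a record, or an empty dict if it is missing."""
    return record.get("containers", {}).get("cna") or {}


def has_reference_tag(record: dict, tag: str) -> bool:
    """True if any CNA reference carries the given tag (missing tags = no tag)."""
    refs = _cna(record).get("references") or []
    return any(tag in (ref.get("tags") or []) for ref in refs)


def has_cna_cpe(record: dict) -> bool:
    """True if at least one affected entry carries a non-empty CPE list."""
    return any(item.get("cpes") for item in _cna(record).get("affected") or [])


def summarize(records: Iterable[dict]) -> dict:
    """Per-record flags plus aggregate fractions for patch tag, exploit tag and CPE."""
    rows = [{
        "id": rec.get("cveMetadata", {}).get("cveId", "?"),
        "patch": has_reference_tag(rec, "patch"),
        "exploit": has_reference_tag(rec, "exploit"),
        "cpe": has_cna_cpe(rec),
    } for rec in records]
    n = len(rows)

    def frac(key: str) -> float:
        return sum(r[key] for r in rows) / n if n else 0.0

    return {"total": n, "rows": rows, "patch_fraction": frac("patch"),
            "exploit_fraction": frac("exploit"), "cpe_fraction": frac("cpe")}


def load_records(paths: Iterable[str]) -> Iterable[dict]:
    """Load CVE 5.x records from JSON files, one record per file."""
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            yield json.load(fh)


if __name__ == "__main__":
    summary = summarize(SAMPLE_RECORDS)
    for row in summary["rows"]:
        print(f"{row['id']}: patch={row['patch']} exploit={row['exploit']} cpe={row['cpe']}")
    print(f"patch: {summary['patch_fraction']:.0%}  exploit: {summary['exploit_fraction']:.0%}  "
          f"cpe: {summary['cpe_fraction']:.0%}")
```

To run it over a real feed, replace `SAMPLE_RECORDS` with `load_records(...)` over a directory of record files; the checks deliberately treat a missing `tags` list and an empty `cpes` list as “absent”, since both are common ways a record ends up counted in the 95% and 98% the panel described.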
“… one of many areas that I would like to improve with CVE program, is the CVE program does not produce sufficient tooling to describe vulnerabilities in the CVE format. … we basically have two ways to do it, something called phonogram. It’s a little GitHub project. And then we have CVElib, which I think comes from Red Hat. But we have, we have, of course, two different sets of tooling, both written on a volunteer basis, but they’re open source, neither of which is endorsed by the CVE board, which is insane.” — Beardsley
I think this is very telling: in 26 years, MITRE has had insane funding and produced none of this tooling, and once the public does, they don’t endorse or apparently contribute to this tooling either. More and more, the industry needs to demand accounting transparency to figure out what MITRE actually does with the insane amount of taxpayer money it receives.
[This was a long segment by Butera, where he talks about between 2016 and 2024 and CVE being in a ‘growth’ era, jumping from 24 to more than 460 CNAs.]
First, no explanation as to why MITRE and/or CISA decided this growth was needed. Spoiler: Congressional oversight after it was pointed out MITRE wasn’t cataloging over 6,000 vulnerabilities a year when others were. Second, 460 CNAs means nothing when a good chunk are inactive, some having never published a vulnerability, let alone one with a CVE. Some CNAs when minted did have vulnerabilities published, but no CVE ID associated with them. It is/was growth for the sake of growth, not for improving the program. Meanwhile, some entities that steadily produce vulnerabilities in high-deployment software still are not CNAs.
“Each of these CNAs requires training to really understand how to do their job, how to do their job effectively.” — Butera
Yet this is literally on the back of Gamblin and Beardsley talking at length about how so few CNAs include the information required. So that training is deficient and/or the CNAs are being negligent, and nothing is done about it.
“And we want to make sure now that we are shifting from that growth era to the quality era really.” — Butera
This is such a MITRE-made Catch-22 though. It was the growth era that stripped away the little quality that was there and made it worse. So they created their own problem by rushing to mint CNAs, not doing it in a logical fashion, not training them correctly, and/or not holding them accountable after minting. And it needs to be clearly stated that CVE was not about quality before this growth era, in the big picture. While Christey-Coley’s CVE era was absolutely about quality in descriptions, the overall quality of the final product post-NVD enrichment was not always present. The number of errors in CVSS scoring alone was a concern to many stakeholders.
“Every CVE you read is written by a volunteer.” — Beardsley
This is factually incorrect. I think Steve Christey-Coley might disagree with you, since he wrote countless CVEs during his tenure, and he was explicitly paid to do so. Of course, this statement is more true in recent years, due to MITRE getting lazy: it stopped authoring CVE descriptions, stopped doing any quality assurance on them, and blindly let any researcher or CNA write the description. But that speaks strongly to the quality of CVEs, which I believe … checks notes… ah yes, Beardsley was complaining about five minutes ago. Further, Madison was quick to point out that she and her team write CVE descriptions, yet they are paid to do it.
After the panel concluded, the panelists quickly exited the stage. As he was leaving, the moderator (Bob Lord) replied to someone in the audience, “you can come ask me questions”. Then someone in the audience used a microphone to try to ask a question, and the panel walked off without addressing a single one. That includes Butera, who opened with his desire to “engage with the community”. From what I was told by organizers of the event, Bob and/or the panel had agreed the night before not to take questions. What a coward.
[8/15/2025 8:45p Update: A friend pointed out that I did not really make the jump from the above to the picture below, that I had left out a bit, and he is right. So here is the update, specifically about Bob and his moderation of the panel. It wasn’t good, and it wasn’t bad, but with all that is going on with the CVE ecosystem right now, that doesn’t cut it. People in the audience and remote had serious questions about the future of CVE. Butera’s pledge that CISA will keep funding it due to its importance does not answer many questions, and it comes on the back of actions that suggest we should take his pledge with a grain of salt.
Bob moderated the panel in a way that steered it away from CVE’s weaknesses, away from the funding crisis (other than what Butera said), steered toward “secure by design” and a lot about other industries and safety. All of those are great points, just not right now, not for that panel. Each person on the panel should have been placed on the spot more, asking hard questions and likely getting hard answers. Ones that paint a real picture of the state of the CVE ecosystem, all the dirty flaws in it, and then ask them “how do we fix it?” Because you had three board members and a person with financial pull there, people that should be in a position to help make these fixes.
The fact that two of the panelists / CVE Board members were candid about their negative experiences with transparency, etc. is a good sign. It’s a step in the right direction, and the moderator should have run with it. Bob should have steered the panelists down that path to reach the very ugly conclusions about why the CVE program is in such bad shape. He could have done that, and instead he gently steered them away from the dark places. That’s simply not what we need right now. So while my image and calling Bob a coward already rubbed people the wrong way, I will not apologize for it, and I stand by my assertion.
This ‘Kumbaya’ attitude that if we talk about the warm and fuzzy things, we’ll be A-OK is disgusting to me. That isn’t helping organizations that are being failed on a daily basis by CVE, NVD, and CISA. That isn’t holding MITRE accountable for improper management of the CVE program. That isn’t holding CISA to the fire asking them why they don’t streamline this. And you know what? Butera said that CISA would continue to fund CVE, that’s great for the poor people who rely on it. But I hope the rest of you are reading between the lines and thinking about what else that can mean.
Got it yet? Spoiler: CISA can keep funding CVE, without MITRE being involved. They could drop MITRE fast, transition the program to their own teams, and eliminate the middle-baggage. If they did, Butera would be telling the truth on that panel and it could blindside a lot of people in a short seven months. If they go that route and don’t handle the transition well, the CVE ecosystem is in for another loop on the roller coaster. So yeah, less hugs and daisies and smiling, more hard questions and holding people accountable. That is what this industry needs. Other than an enema of course.]