CVE project Consumer Working Group


Olle E Johansson

Nov 13, 2025, 4:21:44 AM
to c...@owasp.org
Hi!

The CVE program has created a CVE Consumer Working Group. One of its first tasks is to capture use cases for CVEs. The group meets at alternating times: one week at a time suited to EU/Asia, the next at a time suited to the Americas.

Read more here and find out how to join:
https://www.cve.org/ProgramOrganization/WorkingGroups#CVEConsumerWorkingGroupCWG

I think this will be an important group moving forward.

Regards,
/Olle

Tom Alrich

Nov 13, 2025, 9:07:57 AM
to Olle E Johansson, c...@owasp.org
I have attended every US CWG meeting so far (they started up about 3 months ago). I can attest that the group is excellent, and is very well run by Jay Jacobs and Bob Lord. This is the forum where you can bring up every change you would like to see in CVE!

Tom Alrich LLC


Josh Bressers

Nov 13, 2025, 9:11:38 AM
to Olle E Johansson, c...@owasp.org
I don't want to be overly negative with this, but it's going to come across as negative.

I think it's irresponsible to make the claim "I think this will be an important group moving forward."

Let's review where things stand.

The CVE program is basically a legend at this point for ignoring user feedback. Has this group done anything useful yet? It's easy to claim it's too new to have any meaningful change, but the reality is if their intent is to patch up their image, a group like this needs to take immediate actions to show they are serious.

The future of the CVE program is currently unknown. All we have is a contract document that expires in March 2026 and very hard to interpret statements from CISA. Will this group exist in April? It would be nice if someone could give the users some clarity.

It's very hard to be optimistic when you look at the history of this universe and the currently chaotic near future.

I hope this group manages to create some user driven change in the program, but I don't think it will.

--
Josh


Tom Alrich

Nov 13, 2025, 10:28:30 AM
to Olle E Johansson, Josh Bressers, c...@owasp.org
Josh, it seems you're expecting miracles from the group as soon as it comes into existence. Have you attended any of the meetings (which are only every 3 weeks, unfortunately)? We're going through a very methodical process of identifying issues that need to be addressed and prioritizing them. The repository for those issues is here. Anyone may contribute to that repository, even if you're not part of the group and don't attend the meetings.

The leaders of the CVE program are members of the CWG. In fact, the CWG was the idea of Chris Coffin of MITRE and Megazone of F5, and they're usually at the meetings. They're the leaders of the CVE Quality Working Group, which drafts all changes to the CVE Record Format (that's a group you're also welcome to join. In fact, you've always been able to join any of the CVE working groups. Have you ever done that?).

You're simply wrong about the future of CVE. It's well assured. The CVE Foundation is run by people who have each had decades of experience with the CVE Program and sit on the CVE Board (including Pete Allor, formerly of Red Hat, Lisa Olson of Microsoft, and Dave Waltermire, formerly of NIST). I have been assured they already have more than enough money committed from governments and private-sector groups worldwide to take over the MITRE contract when it expires next March.

I know CISA says they want to continue the MITRE contract, but the fact is that CISA is being systematically decimated as we speak. Using their own numbers, they will have only 31% of the employees at the end of the year as they had at the beginning of this year. Even if they decided they wanted to continue the contract, there's no way MITRE would work with them, when everyone at CISA who they worked with (such as Bob Lord) has been fired, forced to resign, or voluntarily resigned. Meanwhile, the MITRE people have been working with the CVE Board members for decades.

In fact, the CVE Board members have been dissatisfied with many aspects of the CVE Program for years. But since CISA controlled the contract, and since MITRE couldn't get funding for additional initiatives (beyond the ones they're already undertaking) without a contract change, a lot of those couldn't be addressed (although some were; for example, two weeks ago PURL was added as an optional identifier in the CVE Record Format). I know for a fact that the CVE Foundation is already working on its own on improvements it will implement once it owns the MITRE contract.

If you want to contact Pete Allor, I'm sure he'll reassure you that the CVE Program is 100% certain to continue next year and to start making improvements that couldn't have been made previously. Since the working groups like CWG and QWG will continue after March, I recommend you join them if you want to have input on the future of CVE.

Tom Alrich

Art Manion

Nov 13, 2025, 10:43:48 AM
to Josh Bressers, Olle E Johansson, c...@owasp.org
I don't disagree with Josh but will nonetheless give a very slightly more optimistic opinion. (I should be less naive after so many years.)

On 2025-11-13 07:11, 'Josh Bressers' via CVE wrote:

> The CVE program is basically a legend at this point for ignoring user
> feedback. Has this group done anything useful yet? It's easy to claim
> it's too new to have any meaningful change, but the reality is if their
> intent is to patch up their image, a group like this needs to
> take immediate actions to show they are serious.

There have been improvements over the years. Perhaps fairly minor and slow to decide and implement, but progress has been made.

I wouldn't put responsibility or blame solely on any single WG. The Board, other WGs, the entire Program, the sponsorship and operation -- all have influence.

If one chooses to try to push the boulder uphill within the CVE Program, the CWG is at least a fresh option, and having worked with some of the folks involved, I am confident in the CWG's good intentions, which is an important start.

> The future of the CVE program is currently unknown. All we have is a
> contract document that expires in March 2026 and very hard to interpret
> statements from CISA. Will this group exist in April? It would be nice
> if someone could give the users some clarity.

Based on my experience working at a different FFRDC and the way the CVE Program has been funded in the past, my guess for 2026 is that the Program will be funded "as usual" by CISA. It's simply the easiest way to keep the Program running and CISA has repeatedly and publicly announced their commitment. Beyond that, I have no predictions.

- Art
