CISA vision for the CVE program

Olle E Johansson

Sep 25, 2025, 10:28:19 AM
to c...@owasp.org
Hi!

Coming back after an extended leave. In the beginning of this month, CISA published a vision for the CVE program. February is getting closer, so it’s an important statement.

https://www.cisa.gov/news-events/news/cisa-presents-vision-common-vulnerabilities-and-exposures-cve-program

Please read (don’t miss the attached PDF) and give feedback!

Regards,
/O

Josh Bressers

Sep 28, 2025, 8:53:15 AM
to Olle E Johansson, c...@owasp.org
Hi Olle,

I'm glad you're back!

The first thing that stood out to me with this document is what's not in it. They don't mention MITRE at all. While I'm no fan of how MITRE has run the CVE program, if they plan to cut those ties there needs to be a nice transition plan to avoid even more confusion.

The other is this sentence: "Privatizing the CVE Program would dilute its value as a public good". It's pretty clear there's no interest in putting this in some sort of foundation.

And lastly I think the paragraph titled "Expansion of Community Partnerships" gives me hope, but the devil will be in the details. This sort of project is hard to coordinate in the best of times, and at the moment the trust level is 0. We shall see.

-- 
     Josh

--
--
Please also join the conversation on OWASP's Slack. https://owasp.org/slack/invite  Join channel #cve-wg.
---
You received this message because you are subscribed to the Google Groups "CVE" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cve+uns...@owasp.org.
To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/cve/5DEBB3C6-9080-42A5-B728-5F61FD1D0BB8%40owasp.org.

Thomas

Sep 28, 2025, 2:59:03 PM
to olle.e.j...@owasp.org, c...@owasp.org

Hi!

I think the roadmap sounds inspiring and has many good initiatives. However, the project funding was and will remain the main concern for a stable, future-proof tool, which is essential for trust. They mention “evaluating potential mechanisms for diversified funding”, but don’t go into any details. So considering the volatile reality in the US (and as you said Olle, February is approaching fast), this doesn’t really ease my mind.

From a GVIP and my personal European perspective, the sole dependence on the US needs to be diversified. I feel that short-term, GVIP must focus on presenting a crystal clear vision of exactly how we intend to complement the CVE program and focus on the issue causing this situation in the first place: a solid structure for long-term funding.

Be it conceptual at first, but I’m sure we can iterate our ideas quite fast during the autumn with policy makers, industry leaders and government here in the Nordics at least. Perhaps a good point to discuss during the next meeting.

All the best,

Thomas


Tom Alrich

Sep 28, 2025, 3:40:41 PM
to olle.e.j...@owasp.org, Thomas, c...@owasp.org
I agree with Josh that it's quite disturbing that MITRE isn't even mentioned in CISA's document. There's simply no way that CISA could even continue the CVE Program in its current form on its own, let alone make any improvements in it (remember, CISA has no current role in operating the program today, other than having one or two seats on the CVE.org board). After all, this is an agency that has already terminated (or forced out) a lot of its best staff members, as well as terminated a number of programs altogether; moreover, they're continuing the destruction as we speak.

The interesting question is why, given that they need to lay so many people off to cut costs, CISA wants to continue paying for the CVE Program, when the CVE Foundation already has more than enough funds committed (from all over the world, including some governments) to pay the full MITRE contract themselves. My guess is CISA thinks the CVE Program is hugely wasteful; they'll drastically shrink the program and spend the savings on people or projects that DHS otherwise wouldn't let them fund.

I elaborated on these ideas in this recent blog post (if you hit a paywall, please let me know).

Tom

Tom Alrich LLC

312-515-8996

My blog has moved! It's now at https://tomalrich.substack.com/. All 1200+ of my posts since 2013 are accessible there, as well as new posts going forward.


Josh Bressers

Sep 28, 2025, 4:40:48 PM
to c...@owasp.org
On Sun, Sep 28, 2025 at 2:40 PM Tom Alrich <t...@tomalrich.com> wrote:

> The interesting question is why, given that they need to lay so many people off to cut costs, CISA wants to continue paying for the CVE Program, when the CVE Foundation already has more than enough funds committed (from all over the world, including some governments) to pay the full MITRE contract themselves. My guess is CISA thinks the CVE Program is hugely wasteful; they'll drastically shrink the program and spend the savings on people or projects that DHS otherwise wouldn't let them fund.

I don't think the CVE Foundation is a plausible solution.

They've been misleading, enigmatic, and evasive since their inception. I trust them even less than I trust MITRE. This also feels like one of those cases where "What Got You Here Won't Get You There". I don't think a bunch of the people who are responsible for turning CVE into what it is today can solve this.

There's also the CVE trademark problem, they're violating a trademark. Committed funds will vanish quickly if legal action is taken against the group.

If the CVE Foundation wants to be seen as a possible solution, they need transparency. A lot of transparency.

-- 
     Josh

Tom Alrich

Sep 28, 2025, 7:02:14 PM
to Josh Bressers, 'Starr Brown' via CVE
The CVE Foundation will take over MITRE's contract. However, all the leaders of the Foundation are longtime CVE.org board members (including Pete Allor, formerly of Red Hat, Dave Waltermire of NIST, and Lisa Olson of Microsoft); Pete has been involved with the CVE program since literally the beginning in 2000. I know for a fact they've all been pushing against MITRE to improve all along, but they didn't have control of the contract - CISA did. They already have a bunch of plans for improving the program, since as I said the Foundation already has more than enough funds committed next year to do more than just operate the program as it is now.

The Foundation will also continue the working groups, which are open to anybody (despite what the website says). I've been participating in some of the Quality WG meetings (which makes improvements to the CVE Schema), as well as the new Consumer WG, which - finally! - is looking at what end users of CVE need (i.e., both developers and non-developers); these meetings are quite good. If you have improvements you'd like to see, you should bring them up in the WGs.

The Foundation's inception was rough because they weren't planning on going public so quickly, but when CISA tried to cancel MITRE's contract they had to come forward literally that day. Their website doesn't have any specifics on what they will do with the program, but I know that the people who are working full time (including Pete and Dave and probably others) are doing nothing but making plans - and fundraising of course. Fortunately, the fundraising is going very well.

I assume MITRE owns the CVE trademark, since their people came up with the idea in the first place. In any case, I can't see the trademark being a showstopper.

I think if you contact any of the Board members or staff listed on the website, you'll get all the transparency you want. Pete did a great podcast in early May, which I recommend you listen to.

Tom

Tom Alrich LLC

312-515-8996

My blog has moved! It's now at https://tomalrich.substack.com/. All 1200+ of my posts since 2013 are accessible there, as well as new posts going forward.


Rob van der Veer

Sep 29, 2025, 4:14:23 AM
to Tom Alrich, Josh Bressers, 'Starr Brown' via CVE
Chiming in here, to share my concern that CWE seems to be missing in these plans. Granted, CWE is not as hot and operational as CVEs, but this continuously evolving taxonomy is the cornerstone of security standards, guidelines and tools, as well as the link between CVEs and what type of vulnerability is involved.

Did any of you hear about plans revolving around CWE?

Best,
Rob van der Veer
OpenCRE.org


Tom Alrich

Sep 29, 2025, 12:15:42 PM
to Rob van der Veer, Josh Bressers, 'Starr Brown' via CVE
Rob, this is exactly the sort of issue the CVE Consumer Working Group (CWG) is addressing. In fact, that group, which was just formed a couple of months ago, is now trying to prioritize issues we wish to discuss. For information on the 8 or 9 CVE Working Groups, go here.

Tom Alrich LLC

312-515-8996

My blog has moved! It's now at https://tomalrich.substack.com/. All 1200+ of my posts since 2013 are accessible there, as well as new posts going forward.


Christian Folini

Sep 30, 2025, 9:56:14 AM
to Rob van der Veer, Tom Alrich, Josh Bressers, 'Starr Brown' via CVE
Dear all,

Thanks for that perspective on CWE, Rob. That brings us to CAPEC, which gets
even less attention than CWE.

CAPEC (TM!) is the "Common Attack Pattern Enumeration and Classification" and
it describes exactly what OWASP CRS - an OWASP flagship project and globally
dominating open source WAF rule set - detects. CAPEC is underdeveloped and
somewhat outdated, but it is exactly what CRS needs. We really want it to
get a new life.

So below CVE there are a series of other associated initiatives that should
not be forgotten, or the community and the community projects will suffer
even more.

Best,

Christian Folini, former OWASP


On Mon, Sep 29, 2025 at 08:14:09AM +0000, 'Rob van der Veer' via CVE wrote:
> Chiming in here, to share my concern that CWE seems to be missing in these plans. Granted, CWE is not as hot and operational as CVEs, but this continuously evolving taxonomy is the cornerstone of security standards, guidelines and tools, as well as the link between CVEs and what type of vulnerability is involved.
> Did any of you hear about plans revolving around CWE?
> Best,
> Rob van der Veer
> OpenCRE.org