If you are a security nerd, and even if you’re not, you probably heard about the epic CVE mess that happened. It’s a very long story and was covered in many places, but the TL;DR was the funding for CVE fell through, panic ensued, then CISA found some temporary funds to keep the lights on, so everything is fine and we can all go back to normal.
Well, some of us won’t go back to normal because the CISA funding is good for 11 months. Will there be more funding in 11 months? Will an asteroid destroy the Earth in 2032? Will society still exist at Christmas? Nobody really knows. Well, that asteroid one, we sort of know that. We’ll be fine. Yay science!
So anyway, the point of this article isn’t to pile on CVE, it’s to talk about trust, but not the sort of trust we usually talk about in security. We’re usually talking about trust in the context of “can I trust that session isn’t a Russian trying to steal my cat memes?”. This is human trust, trust with the user story “As a human on Earth, can I ever trust CVE again?”. While I could keep you on the edge of your seat during the entirety of this article, I’ll ruin the ending. You can’t trust CVE ever again, because you are a human, on Earth.
Why can’t we trust CVE?
I’m going to start the story about trusting CVE with NVD and why we also can’t trust them. But that’s fine because nobody trusts them anymore anyway, so it’s a less exciting revelation. That’s why I didn’t ruin this observation in the intro.
At the start of 2024, it became known that NVD had stopped enriching CVE records. There were a few of us who noticed this, and we just sort of assumed there was some sort of ghost in the machine and things would go back to normal in a few days. A few days turned into a little more than a week. That’s when it was pretty clear it was time to say something. I helped write a blog post; I’m not sure if it was THE post that broke the news, but it was pretty early.
Now before this post, NVD had said nothing. Then once the news broke, they said … nothing. It was weeks before they said anything, and when they did, it was basically “we’ll be back in two weeks”. I mean, OK sure, let’s go with that. Weeks turned into months, that turned into a year. We’re still waiting. Imagine that Futurama episode where Fry’s dog never stopped waiting for him to come home. Except this time the story is sad for a very different reason.
So the point is NVD burned up their trust, nobody believes anything they say. They might not care because fundamentally their customer is the US Government (who conveniently nobody believes anymore either).
What about CVE?
So that brings us to CVE. If I were going to create a diagram of how the CVE program works, how CISA, MITRE, NVD, DHS, and a bunch of other acronyms are related to the project, it would be something no human could comprehend. We’re talking trying to figure out the Boston subway for the first time, and you’re color blind, and someone stole your shoes, level of confusing. It’s not important how it works to our story. The other act of this story is something called VulnCon. It’s a conference I don’t think should exist, but what I think doesn’t really matter.
Now, a few days before CVE collapsed, VulnCon was held. It was filled with all these CVE people, and I’m told there were many high fives and planning for what the bright future of CVE was going to look like. Nobody was aware of the disaster lurking just below the surface of the hotel fish tank. And this is the first big flag for trust. The people in charge knew this was coming. Sure, the funding has come down to the wire in the past, but this year is nothing like the past. It doesn’t take some sort of genius to know things could get weird. Instead of using VulnCon to make plans for a possible problem, they played their fiddles.
Next, the bad news went out to the CVE board. We are constantly told the board is in charge of CVE, except that when the funding went away CVE would stop functioning, and the board found out about the defunding about 12 hours before it was going to happen. Not great optics for supposedly being in charge. Also, the leaked message wasn’t supposed to leak. Some of the CVE board were impressed how fast it got out. So it’s clear there wasn’t going to be some sort of public announcement. So whoever leaked this, you are my hero.
THEN, the next thing we heard was … nothing. We heard nothing from MITRE or CISA, or CVE. Sure, there were some lawyer-drafted blurbs given to reporters. Those don’t count. They don’t have any actual information in them. The CISA statement was
The CVE Program is invaluable to cyber community and a priority of CISA.
Last night, CISA executed the option period on the contract to ensure
there will be no lapse in critical CVE services,
You can tell it’s a critical service they take very seriously because it lost its funding.
Supposedly the new funding is for 11 months. I don’t think I’ve seen anything official that says it’s 11 months. Mostly stories and rumors. We have no idea what happens in 11 months. Is this funding that can get renewed? Does it vanish? Nobody knows.
I could go on and give many examples of how MITRE, CISA, and CVE have botched the communications and response to all this. But I won’t because that would be boring. The point is, there have been so many chances for any of these groups to say something, anything, useful to reassure us. They chose to say nothing and still have said nothing at the time of this writing.
What does trust look like?
OK, so let’s assume for the moment that we can all agree trusting the CVE program again, maybe ever, is unlikely. Basically NVD but with some different letters. So what should we put our trust in?
I like open source, a lot. So I’m going to use an example from there. Let’s start with the Eclipse Foundation. I like them, I think it’s a good foundation that does good things. Nobody is perfect, but they get a lot right. If I asked you to tell me who is in charge of the Eclipse Foundation, what their funding structure looks like, and who the members are, you could tell me in a few minutes after browsing the website.
When you are a public entity, trust and transparency are two sides of the same coin. You can’t build trust without transparency. If you want to create a new foundation, or a new project, or any sort of collection of people with a common goal, you need trust. You need a lot of trust. But trust is a funny thing. It’s very easy to lose and very hard to build.
So let’s look at some of the new things we’ve seen in the last week that might help deal with the eventual sunset of CVE.
OWASP Unified Framework for Global Vulnerability Intelligence
OWASP announced a project called Unified Framework for Global Vulnerability Intelligence which is a very long name, but is probably well positioned. OWASP is a known and respected foundation. The author of that post is Steve Springett, a known OWASP contributor. There’s an action you can take at the bottom. Sure it’s just an email, but that’s something.
The plan they lay out is a decentralized system, which is bold, but go big or go home. I would give this a 7/10 for being a reasonable and trust inspiring project. I would give it a 10/10 if it had a bit more content and a better call to action.
EUVD
The EUVD is a project from Europe that’s meant to be a European equivalent to CVE. It doesn’t seem to be a public effort, but it is backed by actual European law. So it’s probably something you can put a fair bit of trust in, but it’s still too early to see how it’s going to work out.
No matter what I think about it, it’s going to have legally mandated trust in Europe. So while I could give a 5/10 for having an obtuse website, thanks to regulations it’ll be a solid 10/10 in Europe.
GCVE
There’s a project called GCVE that seems to be run by a group called CIRCL. This effort doesn’t pass my sniff test. It’s sort of a complicated explanation though. I’ll try to keep it simple.
So CIRCL has a banner at the top of their page that says
The Computer Incident Response Center Luxembourg (CIRCL) is a
government-driven initiative designed to gather, review, report
and respond to computer security threats and incidents.
Then at the bottom of the page it says
CIRCL is the CERT (Computer Emergency Response Team/Computer Security
Incident Response Team) for the private sector, communes and
non-governmental entities in Luxembourg.
I feel like these statements are meant for us to think CIRCL is some sort of government CERT for the country of Luxembourg. That sounds great, the country of Luxembourg is running a CVE like program!
Except then I looked it up and saw Luxembourg has a CERT. It’s CERT.lu. The wording of those statements could be interpreted in many different ways; this feels pretty dodgy. I give it a trust score of 1/10, I can’t decide if 0/10 should be a score.
Edit: I had someone point out to me that CIRCL is noted on the CERT.lu website https://cert.lu/#members. This is good, it means the GCVE project isn’t as dodgy as I previously thought. I’ll give them a 5/10 for not making this easier to find.
The CVE Foundation
The CVE Foundation was announced shortly after this mess started. They launched with a very vague press release on their website. They’ve since added a FAQ that is about as helpful as the vague press release was. Here’s a snippet from their FAQ
Will you share your names?
Some members will. Some members are not ready.
We respect all of our community and associated stakeholders.
If folks are not ready, then that's okay.
That’s actually from the FAQ, real actual words. There is one name of a human on the whole site at the time of this writing. Apparently none of their members are ready to give us their names. VERY COOL AND TRUSTWORTHY.
I’ve done a bit more digging into the CVE Foundation, and it’s starting to feel like it’s a rogue group of people from the CVE board with no affiliation with, or approval from, CVE, MITRE, CISA, or anyone really.
It could go up if they add some transparency, but today this is a solid 1/10 for trust.
I’m too sad to write a proper ending
Whoever or whatever fills the CVE vacuum, and it will probably be more than one thing, has to be high trust. Trust is hard. Probably keep an eye on the OWASP project.
If this is a topic you’re interested in, there’s a Discord chock full of people discussing vulnerability things, feel free to join.