In this episode I chat with Patrick Garrity from VulnCheck. We discuss the chaos that has enveloped the CVE and NVD programs over the past two years. We cover some of the transparency and communication challenges with the existing program, some of the new efforts that have started to emerge, and why they seem to be struggling. We end on the note that the last 3 months haven’t been confidence inspiring. It’s likely that in 6 months everyone will be scrambling to deal with a difficult situation.

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Episode Transcript

Josh Bressers (00:00) Today, Open Source Security is talking to Patrick Garrity, a security researcher at VulnCheck. Patrick, I have known you for quite a while, man. I’m really excited to have you here. So welcome to the show.

Patrick Garrity (00:09) Yeah, thanks for having me on. It’s great to be here.

Josh Bressers (00:10) Yeah, no,

this is good. I decided I need someone to harp about vulnerabilities and just kind of give a status update of what the heck is going on. And I thought, I need Patrick. That’s who I need. So yeah, I’m excited. So I’ll give you the floor. Tell us a little bit about yourself and we’ll kind of go from there, man.

Patrick Garrity (00:25) Yeah.

Yeah, yeah. So I’ve transitioned over the last couple of years into security research. I’ve been building cybersecurity companies, Duo, Blumira, Censys, Nucleus Security, and then more recently at VulnCheck on the intel side. Yeah, kind of, when I got into vulnerabilities, I think it was back in like 2022 when I joined Nucleus Security. Maybe, yeah, I think that was 2022, poking at

and just trying to understand the data and trends and what was going on. And naturally started to look at where vulnerabilities are, what’s being exploited, the why, looking at vendors, products, all that fun stuff. And naturally that just kept on, the stuff I would share kept on getting interest from a lot of people that haven’t seen the data

necessarily visualized. So that kind of led me into the vulnerability space and working on intel. And out of curiosity, like I’m driven by curiosity. So it’s like the more, you know, you can get to the root of vulnerabilities and exploits and exploitation and learn about it. It’s interesting. So naturally that’s how I ended up being a researcher on the intel side, which is a lot of fun.

Josh Bressers (01:58) If for anyone who doesn’t know, Patrick will publish info graphics. I don’t know what to call them. I wouldn’t even call them graphs necessarily. And anyone who’s paid attention to any of the things I publish about like CVE, because I’m like a very armchair data person and I just use Elasticsearch and Kibana. Like I have like the Temu graphs of vulnerabilities and Patrick is like the real deal. His stuff has animations and it looks really nice and he clearly has a certain talent I lack. So it’s very nice. Very nice.

Patrick Garrity (02:25) Yeah, thanks, thanks. You know,

it’s kind of interesting because I’ve like gone in and out of like marketing and sales engineering over my years. And like in some regards, right, it’s like the fact that I can tie kind of the visual elements that come a little bit from marketing into the data that make people like, you know, understand it a little bit more. And a lot of it’s reiteration to like just seeing what is understandable by humans when they look at a chart or a visual.

and trying to make it easy to understand and translate the complex topics.

Josh Bressers (03:02) Yeah. Yeah. And it’s very complicated and, and, and I think super interesting, but okay. So the real reason I kind of wanted you here is I feel like the last probably two years of vulnerabilities has just felt like chaos and madness. And I thought this is a good time, like on the calendar, to maybe step back and take a look at what has all happened over the last probably two years, we’ll say maybe a year. I don’t know exactly how long it’s been. I don’t remember. And kind of what

What maybe we can, we can maybe predict some futures, but we’ll see. So let’s just kind of start with NVD. That’s been what? That’s almost two years now, right? Since NVD had their, we’ll call, I’ll call it a meltdown.

Patrick Garrity (03:38) I think a year and a half,

like February 2024, I think was when it had its meltdown, right before VulnCon. And yeah, I think everyone was like, they were just like, hey, we don’t have resources, we lost funding, no more information, mystery of when we’re gonna actually be able to do work anymore.

Josh Bressers (03:43) Yeah, yeah.

Right, I know.

Well, okay, no, no, no, no. I’m going to, I’m going

to pick on them for this. Cause you’re right. I forgot that that was right before VulnCon. And then the CVE meltdown this year was also right before VulnCon, which is, I wonder what happens next year. Like, wait, that’s right. It was after VulnCon. That’s right. Okay.

Patrick Garrity (04:06) Yeah.

Well, right after! It was the week after this year. Yeah. Yeah, we all

went to VulnCon and everything was like perfect, no issues, and then it’s like, oh, the CVE program is about to lose funding. What the… It’s hard not to laugh.

Josh Bressers (04:20) Right?

Right, right. I do remember I

was on a call with someone and I’m like, oh, did you read the CVE news? And they’re like, what’s CVE news? And I showed them. They’re like, I was just talking to them last week and they said everything was great. I’m like, well, maybe it wasn’t, but okay. NVD, this is going to be really hard to stay on track, I think, which is fine. So NVD has, well, we don’t even know what happened, right? It wasn’t a funding issue. I don’t, I don’t remember. I don’t feel like we know why.

Patrick Garrity (04:41) Yeah.

Yeah. ⁓

Yeah,

they came out and were like, we lost funding, and then we suddenly got some partial funding back. And I think there’s a lot of speculation of where that funding was coming from, but they haven’t been transparent about that. So ultimately, I think one of the biggest things and challenges of any of these issues is communication has been lacking in a lot of regards, transparency has been lacking.

Josh Bressers (04:59) Okay.

Patrick Garrity (05:23) And the downstream consumers are just left with like, it is what it is, which is a real challenge for security and organizations.

Josh Bressers (05:34) Yeah, yeah, that’s fair. And so kind of just to fill everyone in. So NVD, the National Vulnerability Database, is run by NIST, the National Institute of Standards and Technology in the United States. It is not part of the CVE program, which I know there’s a lot of confusion on that often. And NVD was augmenting CVE data by adding things like CVSS severity scores. They would add CPE information, which is like affected products and versions. And

Anyone who was, my favorite part is we would all complain about NVD’s data quality like nonstop. And then when it went away, we’re like, we all miss NVD so much.

Patrick Garrity (06:08) Well, dude. Yeah,

yeah. And I think naturally, most people thought CVE was NIST NVD and that’s how they consumed it. And so there’s been a transition of having to educate the market like, no, there’s actually an upstream from NVD, which is the CVE program. And so naturally, I think, you know, that education has happened more so people are aware of that. And especially like,

Josh Bressers (06:18) Yes. Yes.

Patrick Garrity (06:38) A lot of downstream consumers are not spending time like we do in understanding these programs and all the data flow and the nuances. So, yeah. And then I think they got some resources starting in the summer and they’re like, we’re going to be all caught up by September.

Josh Bressers (06:43) Right, right.

Yeah.

Patrick Garrity (06:57) I think that’s what this statement was, something of that nature. Yeah. Yeah. Yeah. Yeah. And then it’s like,

Josh Bressers (06:57) Yeah. Like narrator voiceover. That was a lie. They’re still not caught up.

Patrick Garrity (07:07) By the end of the year, we’ll be good. And so I think naturally, and being in a position of building products, these government organizations are maintaining products and services. It’s better to optimize in communication on the reality.

And I think a lot of times, it’s just you’re over setting expectations, right? That you have little to no control over. And so that’s been a pretty big problem. And then I’m trying to think of what other services, you know, I think you had the CVE program this year, right after VulnCon as we mentioned, have their funding

at risk, which we could talk a little bit about. Did I miss anything between those two time periods?

Josh Bressers (08:00) I mean,

so I don’t think so. I think the interesting thing that happened was NVD had their kind of debacle. And then I think a lot of organizations kind of decoupled themselves from NVD. But one of the things that did happen, one of the really cool things is the CVE program did encourage CNAs to like submit information about versions and products and their severities and things like that, which has been very successful. And I have some graphs that show

if you look at, like, NVD CVSS scores and CPE additions, it’s abysmal. But then you look at what the CNAs have started doing and they’ve actually been doing a very good job. So, like, kudos to the whole program in that regard. Like I’m very critical of CVE about many, many things, but this is one thing they definitely got.

Patrick Garrity (08:44) Yeah, a lot more data, that’s for sure. Upstream is good, better for consumers. And then, yeah, I think a lot of people are trying to consume CPE data more at the source, because now there’s actually more data there in some cases than in NIST NVD. I think you have competing formats and structures and things like CPE. That is all a… Yeah, it’s not fun. I mean, that’s a lot of what we work on.

Josh Bressers (09:07) Ugh, I know.

Patrick Garrity (09:14) you know, for our customers, which is good. But yeah, that’s the reality is like this really started to fragment. It’s kind of the starting foundation of fragmentation of like CVE as a whole. Because most consumers just went to NIST NVD and were satisfied, good enough.

Josh Bressers (09:29) Yeah, yeah.

Well, and from the perspective of being a vendor, it was also very easy to blame NVD, like, oh, that’s bad. It’s NVD’s fault. Like they screwed up the data. We’ll get it fixed. Right. And now like that’s kind of gone. I can only blame myself, but yeah. So there was kind of a weird year, we’ll say. And then the CVE mess started in, was it, was it March or April of 2025? Do you remember?

Patrick Garrity (09:46) Yeah.

I think it was March, yeah, mid-March, after VulnCon. I don’t know, I should look up VulnCon, but I think it was like mid-March when, yeah, yes.

Josh Bressers (10:07) Okay, yeah.

It was, I’m pretty sure it was March 16th.

And it was April 16th. Okay. Okay. Okay. All right. April 16th. I know it was the 16th. For some reason I have that number in my head, but I couldn’t remember March or April. So on April 16th then, and this was, this story is so bananas here. So a message was sent to the CVE board, which is, I don’t want to sound like a huge a-hole here, but like, I guess they are a group of people that,

Patrick Garrity (10:20) No, it’s April. Sorry, it was April, because VulnCon, yep. Yeah.

Josh Bressers (10:51) clearly have no power or authority over the CVE program. Like there was a perception of power and authority prior to this letter, but they get a letter from MITRE that basically says, we don’t like the funding is gone for CVE and someone leaks the letter, which obviously it’s going to leak. Like if you send a letter like that to more than zero people, it is going to leak like they’re a hundred percent chance, right? This is the classic, if you want to keep it secret, tell it not to a friend. Like,

Patrick Garrity (11:10) Yeah, someone’s gonna wake you.

Josh Bressers (11:18) The letter from, from my understanding, there were CVE board members who saw messages on LinkedIn and mastodon before they read their email receiving the letter. Right. Right. Which is hilarious. But basically it says like, we don’t have any money. The world like lights on fire and we’re all like, what the heck is going on? How does this work? What’s happening? This is insane. This is a travesty. And like what six hours later, CISA is like, okay.

Patrick Garrity (11:26) Email, yeah, that would be me. Email’s the last thing I go to to read stuff, yeah.

We got the CVE

Foundation. Sorry, CISA.

Josh Bressers (11:48) Yeah, we owe that well,

yeah, CVE Foundation, we can get to that. But like, yeah, CISA finds some money because there’s a, it is not a new contract. There was some sort of extension clause in the original contract, which my understanding from talking to government people, those clauses are not meant to be like long-term funding. They’re usually meant to be like, we need two extra weeks because the lawyer’s on vacation. So like here’s, we’ll just use this extension to keep this program alive for two, whatever. Not.

And it lasts for a year. Like on, I think it’s March 15th, 2026, like the contract is gone. The money is gone. There is no like legal way for CISA to give MITRE money for CVE at that point, if nothing happens.

Patrick Garrity (12:32) Yeah, it’s a real reality. Yeah, yeah, not, not a, not, I think like not talked about enough, like, and I, I’m kind of laughing through this because I’m a little bit cynical. It’s like, this is wild. But I think this is part of the reality of like, you know, government funded services at times is you have budget conflicts, constraints, conflicting entities. Like we have literally it’s like,

Josh Bressers (12:46) Yeah.

Patrick Garrity (13:02) NVD is involved in this in some ways, not in different ways, right? The CVE program, you have MITRE, you then have CISA and DHS ultimately, which is the parent of CISA. And so yeah, just a lot of cooks in the kitchen as far as people and organizations that have control or influence in different ways.

Josh Bressers (13:16) Yep. Yep.

Patrick Garrity (13:29) And then I kind of, I kind of laughed. It’s like, yeah, then suddenly the CVE Foundation popped up overnight. You know, and, and yeah, I think everyone’s like, what is going on? Like, we’re just trying to figure out like, is there going to be a CVE program tomorrow?

Josh Bressers (13:39) Yes.

Right, right. And it got even sillier because

the EUVD was suddenly like, crap, everyone needs data. I guess we’re live now. And that’s still not working correctly, but like, man.

Patrick Garrity (13:52) Yeah.

Yeah, I

think ENISA tried to step out saying, we’re going to solve this moving forward, and none of their data was ready or is still ready. Hopefully it gets better. I’ve reported a ton of things that could be improved and we could talk further about that. But yeah, I think all of us are just like, what is going on? This is a critical service that…

Josh Bressers (14:04) Yeah. Yeah.

Patrick Garrity (14:24) globally organizations rely on for security posture. And like no one understands or knows like what is the future of this whole program. And a week ago, you know, we’re seeing Kumbaya.

Josh Bressers (14:35) Yes.

Right, which which it should

be added. So there was a, I don’t, I don’t think we said this on the show, this was before we hit record. So there’s a conference called, what is, what is the conference called, VulnCon, right? Yeah, VulnCon happened a week before the announcement that CVE lost its funding, and the, the explanation that was given is this has happened many times in the past where the renewal of the CVE contract came down to the wire and

Patrick Garrity (14:52) Yeah, VulnCon Yep.

Josh Bressers (15:09) you know, magically money appeared from CISA or DHS, whoever was paying the bill. And so the assumption for MITRE was that’ll just happen again. And it kind of happened again, just six hours later than it should have. And then I want to, I want to also say, so there’s like the CVE foundation, there’s the work ENISA did there’s a bunch of other foundation type things that appeared in the like day or two after this all happened. And I think

Patrick Garrity (15:22) Yeah.

Josh Bressers (15:37) The one common thread is absolutely no one was prepared for any of this and it’s clear everything was thrown together very haphazardly without anywhere close to the proper amount of thought or effort.

Patrick Garrity (15:48) Yeah. Yeah. And I think also you have to consider that like there’s change in administration. There’s external forces on CISA. You know, not to get into politics, but like those are realities. Like we’ve seen how many people have left CISA at this point that were in roles functioning in coordination with these programs. And so like that’s a real reality too, you have to consider that’s going on right now.

Josh Bressers (15:57) Yep. Yep.

Yep. Yep.

Patrick Garrity (16:20) as well. And then I thought it was interesting, like a few weeks later, CISA came out and was like, maybe a few weeks or a month, like, hey, we’re going to deprecate CISA alerts, which is like their own alerting program. Like, me and Tod Beardsley, instantly we’re on socials, like, this is being spun as a good thing. And it’s a really bad thing. Like, like, this is going to also have downstream implications to consumers once again.

Josh Bressers (16:30) Yes.

Yeah, yeah.

Patrick Garrity (16:46) And literally within like 24 hours, they came out and said like, we’re not going to do that right now. We’re going to actually do some due diligence and rethink about it. And so naturally, like we’re just continuing to see, you know, like all of a sudden, sudden changes to programs that have been existing for decades or multi years, CISA hasn’t been around for decades, but they have under.

DHS run some of these programs. And so naturally, like it just makes an unpredictable state continually with these different entities and programs. And that’s why I think you see like Europe so active right now, trying to compensate for this, which I think is a good thing. I think there’s a lot of positive momentum and efforts because like, you know,

The US essentially through some of these different programs is just so uncertain at this point.

Josh Bressers (17:48) Yeah, for sure.

And Patrick doesn’t know this yet, but the episode coming out before this episode, I talked to the GCVE folks, which is a fascinating discussion about the things they’re doing in Luxembourg around vulnerabilities. So I won’t spoil anything, but if you haven’t listened, you should totally go listen to it. But yeah. And so I also want to talk about the fabled, we’ll call it the, the CVE foundation, as well as the way the CVE program is currently operating, which

Patrick Garrity (18:04) Yeah.

Yeah.

Josh Bressers (18:19) is basically everything is fine when everything probably isn’t fine. And we, so we had the CVE foundation appear, which was a bunch of CVE board members created a rogue foundation that does not have the approval or blessing of the CVE program. And I feel like there’s also a lot of confusion and disarray with that thing, which I find extremely frustrating.

Patrick Garrity (18:46) Hey, but there was an update yesterday I haven’t read yet, so we need to go back and check that out. Yeah, yeah, I was just like, I’m going to pull up the page real quick, it’s like, oh, a new update. Yeah, I think the aspect is similar. It’s like, okay, you have all these projects, and I think what we’re moving towards is very fragmented… Just vulnerability data is fragmenting

Josh Bressers (18:52) from the CVE Foundation?

Let’s read it together.

Patrick Garrity (19:15) at an incredible pace. And ⁓ that’s not necessarily a bad thing, but that just creates more challenges. And so naturally, I think there’s more information, there’s more sources for information. You have to question whether that information is accurate. The quality of the information, it complete? Like all these different things every time a new source or a new program spins up.

Josh Bressers (19:38) Yes.

Patrick Garrity (19:43) Which is a real challenge for the consumer, in that respect. I’m not reading this verbatim, it doesn’t seem like it says that much.

Josh Bressers (19:48) Yes.

Okay, and that doesn’t totally surprise me,

which I think is part of the challenge here is a lot of people in this ecosystem are kind of operating as if everything is fine. And I don’t think everything is fine because I think it is highly, there is a high probability the CVE program runs out of money in six months from the time we’re talking. And if that happens, like there is no plan B at the moment, which is terrifying.

Patrick Garrity (20:24) Yeah,

It really feels like that. I mean, like we know there’s one person that funded it, which was CISA. And I think MITRE is the one that does the work. So, yeah, with understanding what we know of MITRE saying like this program is going to get shut down without this funding. It’s like, yeah, it makes sense to come to the table and have these discussions. I do think that, you know, I do think there’s more

Josh Bressers (20:36) Yes.

Patrick Garrity (20:54) effort maybe in areas where there’s not visibility into of discussions going on. But I think that’s another challenge with these programs is like, these are very open programs, yet the communication is a lot of times limited. And so like, it’s hard to understand, like, is there really an effort? Is there not?

Josh Bressers (21:12) Yes.

Patrick Garrity (21:21) you know, to fix the program and is it inside the program or is it outside and are people open to other funding vehicles? Yeah, lots of questions.

Josh Bressers (21:31) Well, I mean, so

here’s the challenge. This is the thing that is not well understood. So MITRE is like a special corporation that takes federal funds and does stuff for the government. They’re like a special research organization, right? And the CVE program exists inside of this thing called an FFRDC, which is what a federally funded research corporation, I believe it stands for. And they can’t legally like…

take money from someone else. Like FFRDCs have to take government money and only government money. Like that is legally how they work. And so like that’s one of the challenges here is people are saying, you should give MITRE money for CVE. I remember that was something that happened when this all came out. It’s like, even if they wanted to take it, which they probably don’t, but even if they wanted to, they can’t like take your check and put it into the CVE budget. That’s not how this works, which is one of the enormous challenges this program has is

Patrick Garrity (22:20) in the

Yeah. Yeah.

Josh Bressers (22:27) just legally speaking, it can’t be airlifted somewhere else today, which is, I think, one of the many problems it has.

Patrick Garrity (22:34) Yeah, hey, by the way, I did look at the CVE Foundation as we were talking, and what they’re promoting is a document that was created by the Center for Cybersecurity Policy and Law, which I’ve read, came out I think earlier this week or late last week. And generally, it’s just a good synopsis of the scenario of what’s going on with the CVE program. So yeah, highly suggest checking that out. It’s Center for Cybersecurity Policy and Law. It’s called Ensuring the Longevity of the CVE Program.

Josh Bressers (22:52) Cool.

I’ll put a link in the show notes.

Patrick Garrity (23:04) Yeah, it highlights a ton of the limitations and areas of concern, which I think is good. It’s not prescriptive in saying this is how we should solve the problem. It just lays a really good foundation of this problem exists and here’s why. Yeah, yeah, so check it out.

Josh Bressers (23:12) Ha ha ha!

Yeah. Cool. That’s good.

Nice. Now I also want to kind of close us out on, you brought up fragmentation, and I have a feeling that the world of vulnerabilities is fragmented forever, irreparably so, versus I think a couple of years ago, you could argue that like everything is CVE, right? And that’s it. There’s nothing else. And I think now at the very least, I see CVE and the GitHub security advisories, but I also think we’re going to see more and more

organizations either just going it alone because they can’t be bothered to deal with this crap, or working with some other entity, like the GCVE program is an example out of Luxembourg where you can get a, I don’t, I don’t know what there is, is it GCVE or a prefix, I actually don’t know what their prefix is on their IDs, but you, like,

Patrick Garrity (24:09) Well, think

it’s GCVE and GCVE and then it’s your number that you’re assigned. think we got 404 as VulnCheck which I thought was funny. We’re in error. Yeah, just random, I guess.

Josh Bressers (24:15) Okay.

Right, right.

That’s awesome. That’s so good. Holy cow. That’s brilliant. But yeah, and

at the same time, I feel like if you are in this universe and you’re not already dealing with multiple vulnerability sources, you’re probably way behind, right? I just think it’s the way it is.

Patrick Garrity (24:43) I think it depends. Yes, open source focused things are going to go consume more of GitHub security advisories or package URLs. I’m trying to think of other… There’s a few different databases. OSV, yeah. And then I think naturally you have source data. Like…

Josh Bressers (24:59) Well, like Google OSV is a really good one, right? OSV is huge.

Patrick Garrity (25:09) the places that are issuing security advisories. But ultimately, right now, it’s like the CVE program is the best general source of truth for most bad things, most bad vulnerabilities. Naturally, the really positive thing about CVE is generally, if something is bad and exists out there, it’s getting a CVE very fast and quick, generally speaking. So it’s not perfect.

Josh Bressers (25:21) Yes.

Patrick Garrity (25:36) but it does tend to be like and continue to be the best source of data, ⁓ you know, from a broad perspective.

Josh Bressers (25:43) Well, okay, I’m going to say

no, because it is not the best source of data. They create an ID at this point. And I think the actual source of data is generally not coming from them. You have to go seek it out. And this is where companies like VulnCheck are aggregating this interesting data and turning it into something that is usable. Cause let’s face it, most of the data we have to deal with is like human written prose. It is horrible to unwind.

Patrick Garrity (25:58) Yeah.

Yes. Yeah.

Yeah, What

I think I talk about is like this single public source that like, that’s where people start. And that’s generally where they start. And then they start going to additional sources, right? And then they suddenly get overwhelmed because they’re like, my gosh, there’s 800 sources I need to go collect if I want the most enriched data. And so naturally, I think like, yeah, GCVE is interesting with what they’re doing because they’re…

Josh Bressers (26:16) Yes, yes, yes, I agree.

Yes.

Patrick Garrity (26:39) create an ecosystem where you can add more sources of data that aren’t reliant on a single source issuing the information. And so in some ways, there’ll be its own set of conflicts, but it naturally kind of moves away from this scope concept because everyone essentially has their own ID and can issue whatever they want under that ID.

Even if there’s conflicts, and I think naturally they talked about this. I was watching the YouTube video, it’s like, you know, hopefully people coordinate on the conflicts that happen. But yeah, I think that that’s gonna be interesting. But it’s kind of like, yeah, there’s more sources, you know, as well, and this I think is another good example of that. And so how do you ensure that these things all tie together and you’re looking at the same data?

And the most accurate data, which tends to be coming from security advisories when vendors disclose properly. That doesn’t always happen either. So you got to take into consideration all those things.

Josh Bressers (27:50) Yeah, yeah, for sure, for sure. Man, it’s gonna be wild. So here’s one of the funny things, I’ll kind of give you my little anecdote, is I have been highly critical of CVE for a long time. And I’ve complained about a lot of the things they’ve gotten wrong and been like, you know, someday it’s just all gonna fall down. And like now that it’s starting to fall down, I’m like, not like this. Like, this is not what anyone wanted. And it’s tough.

Patrick Garrity (28:13) Yeah, well that’s the

thing. I think a lot of people wanted a better program, right? And they’re like, yeah, we want a better program, and like some of this stuff has to break for it to get better. But I think how it’s breaking is like not how people envisioned it happening and getting fixed, and several are like, my gosh, like, no, no, we weren’t talking about like retraction of nothing. We were talking about like this stuff breaking so it can get better.

Josh Bressers (28:28) Yeah, right. Right.

Yeah. Yeah.

Patrick Garrity (28:41) And it seems like it’s breaking and getting worse. ⁓

Josh Bressers (28:45) It does. Well,

at the same time, I also blame myself and everyone else. Like, I feel like we should have known this was going to happen someday, right? When you have an organization that has significant communication issues, they have an overinflated sense of self-worth, they have a single funding source that is, we’ll say, notoriously unreliable. Like, everything in hindsight?

We should have been prepared for this. Like, I feel like we all dropped the ball. Like, we should have known this would happen.

Patrick Garrity (29:24) But when things are good enough for so long, we have a tendency as humans to be like, hey, it’s good enough. Why would we spend more time to make this any better? Let’s go work on some other things. And I think naturally, we’re experiencing that now. I think it’s good there’s a bunch of different projects considering how to help maybe the program or other efforts outside the program moving forward.

Josh Bressers (29:29) It’s true.

It’s true.

Patrick Garrity (29:53) Generally, on our side, I’m at VulnCheck and we’re a CNA, a CVE Numbering Authority. Yeah, our philosophy is the best thing to do is to try to get a CVE assigned to vulnerabilities out there, so there’s an identifier for it. So I think all the CNAs are still continuing to operate. There’s, I don’t know, 400 plus, 100 and some active in the last year. And so I think naturally, it’s like the amount of…

Josh Bressers (30:18) Yep. Yep.

Patrick Garrity (30:22) volume of contributors to the program continues to be consistent and rise. It’s more in question of like the infrastructure operated inside that, like, if this program goes away. So naturally, I think like even if the program, and maybe it does, maybe funding gets removed, right? Hopefully, in some way, like all these entities continue to come together to

Josh Bressers (30:38) Yes.

Patrick Garrity (30:52) find a way to sustain the program. And I think that’s part of it is like there, yeah, there’s just a lot of people involved and naturally a small amount of those people actually involved in the inner workings of the program, which is interesting. Lately, I’ve been getting more involved. There’s a research working group that we’re working on. And I think research CNAs are a great example of like

organizations that can help contribute to some of the work that MITRE has been doing in collaboration with MITRE, which is great. So we’re working on how to optimize some of that stuff. But yeah, it’ll be an interesting, I don’t know, what do we have like six months, nine months, six? See what happens. Yeah.

Josh Bressers (31:32) Cool.

Six months. Maybe I’ll have you come back in six months and we’ll see what’s going on. Yeah, right, right.

Is it going to be the this is fine comic or something else, you know? I don’t know, man. It’s going to be… I’ll say this. It’s been three months since we had the issues with CVE funding and the last three months do not fill me with optimism for the next six months. Like, I feel like there’s been a disturbing lack of action from…

Patrick Garrity (31:47) We’ll see. Yeah.

Josh Bressers (32:07) pretty much everybody. And this is very much so. there’s even, even some of the groups like OWASP has like a CVE group. There’s Olle Johansen is his GVIP program, I think it’s called. There’s been a lot of efforts and even a lot of those, feel like lack the urgency they should have. And I, I don’t know. I don’t know. Six months, six months, Patrick. We’ll see.

Patrick Garrity (32:08) Yeah, it’s been kind of status quo, right?

Yeah, we’ll see where we’re at.

Josh Bressers (32:36) Alright

man, I’m calling it. Thank you so much. This has been a ton of fun and I can’t wait to have you back someday.

Patrick Garrity (32:43) Awesome, thanks so much.