Post #At88CLXd9Dea9nvC2i by adamshostack@infosec.exchange
2025-04-15T22:27:58Z

0 likes, 1 repeats

CVE funding is apparently not being renewed. I’m not alone in having strong feelings, and I want to talk about some of the original use cases that informed us as we set up the system. (You might also enjoy my thoughts on 25 Years of CVE for some context.)

Those included comparing between vulnerability posts. It’s a lot of work to decide if two vulns are the same. Tagging both with a name was an important use case in 1997, and one that I got to revisit around 2010 when I was doing work to understand how malware got into PCs. Most of the attacks in exploit kits were not CVE-labeled. So deciding what they were was hours per vuln, with a high failure rate, versus minutes when they had a CVE assigned.

CVE achieved public good status exceptionally quickly, in part because of support from thoughtful leaders like Tony Sager while he was at NSA. Finding support from outside the government was, as I recall, harder because MITRE is Congressionally chartered and has difficulty taking money from anyone but the US Government.

There are other use cases, and I want to mention them because I was talking in private to friends, and they weren’t aware of these. All vendor names are used as examples.

“Did Red Hat fix this Python bug, or do we need to find a patch?” is way easier with CVEs.

“Did Apple fix this OpenSSL bug after getting version-locked to OpenSSL .9.8?”

Having a name lets you discuss “did Microsoft fix this yet?” and, if there’s a tool that tests it, you can cross-check the bug, the proof of concept, and the patch.

Having an authoritative public timetable, including issuance, helped everyone understand when a vendor was slow-rolling a fix.