CVE Program Gets Extension, But Some Security Professionals Say Program Is Outdated

But what could possibly serve as an alternative? Some security leaders have a few ideas.

A kerfuffle ensued last week after the Cybersecurity and Infrastructure Security Agency (CISA) announced it would cease funding to Mitre, the nonprofit that runs the CVE (Common Vulnerabilities and Exposures) program, effectively ending the program on April 16.

After significant backlash from the cybersecurity community, CISA said it would continue to fund Mitre, extending the CVE program, although it’s unclear for how long.

[RELATED: CVE Gets Last-Minute Reprieve From CISA, But Program’s Longevity In Question]

While many in the cybersecurity community expressed relief over the decision to continue the funding, some say the CVE program is outdated and that, in the current, frenetic threat landscape, new ways of monitoring for threats in the wild are needed.

“The recent news about the CVE program’s funding expiration highlights a critical issue that security teams have long recognized: The CVE-based approach to risk management is fundamentally outdated,” said Joe Silva, CEO of Spektion, which provides software vulnerability risk management, in an emailed statement to MES Computing.

“While the CVE program represents the tireless efforts of dedicated professionals, it is not equipped to handle the complexity of vulnerability risk in today’s software ecosystem. Even with the funding temporarily extended, CVE-based solutions offer only a partial view of risk rather than an accurate representation of exploitable vulnerabilities in your environment,” Silva said.

“This funding interruption underscores a crucial truth for your security strategy: CVE-based vulnerability management cannot serve as the cornerstone of effective security controls. At best, it’s a lagging indicator, underpinned by a program with unreliable resources,” he added.

“The CVE program has been the backbone of global cybersecurity vulnerability tracking, but it’s due for a facelift. Let me first say that MITRE built the program, like many others, on what we had at the time to move the ball forward relative to global coordination. CVE remains essential for standardizing how vulnerabilities are named and shared,” said Michael A. “Mike” Echols, MBA, CISSP, founder and CEO of Max Cybersecurity, a D.C.-based cybersecurity consulting firm, in a message to MES Computing.

However, Echols said that he also understands the importance of new solutions in tracking threats, particularly with the rise of AI.

“[With] the overwhelming volume of new discoveries and the rise of AI-powered threats, change is required now,” Echols said.

“In my work securing Operational Technology (OT) environments, it’s also clear that CVEs often lack the depth needed for effective mitigation. A significant modernization rooted in the original mission of shared risk reduction is critical to keeping the system relevant. I think most seasoned cyber professionals know this. The next wave of threats related to AI and cyber-physical systems are truly going to demand it,” he continued.

[RELATED: WWT Exec Discusses Partnership With Dataminr To Build AI-Powered Cyber-Physical Platform]

In a blog post, Marc Gaffan, CEO of Ionix, which provides external exposure management solutions, questioned the relevancy of the CVE program in today’s threat environment.

Threats to end the CVE database “expose a deeper issue: our reliance on outdated vulnerability management practices. The traditional methods of prioritizing vulnerabilities, primarily through the Common Vulnerability Scoring System (CVSS), are no longer sufficient in the face of an ever-evolving threat landscape,” Gaffan wrote in his post.

CVE Alternatives

The CVE program, launched in 1999, has been a resource for security professionals worldwide to track threats. What are the alternatives to such a widely used standard in cybersecurity?

Several of these security professionals offered views on why the program is less effective than it once was, along with suggestions for how threat tracking should evolve.

“The future of vulnerability management should focus on identifying real exploitable paths in runtime, rather than merely cataloging potential vulnerabilities. Your organization’s risk posture should not hinge on the renewal of a government contract,” Silva said.

“CVSS has long been the standard for assessing the severity of vulnerabilities, assigning scores based on factors like exploitability and impact. While useful, CVSS scores are static and do not account for the dynamic nature of threats. They fail to indicate whether a vulnerability is actively being exploited in the wild, leading to potential misallocation of resources,” Gaffan wrote in his post.

Gaffan also called for a “paradigm shift” in vulnerability management strategies. He advised organizations to adopt a holistic, three-pillared approach with their security strategy: implement actionable threat intelligence that gathers real-time data on threat actors and attacks, evaluate “existing security measures that may mitigate the risk associated with certain vulnerabilities,” and conduct active exploit testing.
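To make the contrast between static CVSS ranking and the three-pillared approach concrete, here is a small added example (not code from Ionix, Spektion or any vendor named above) that re-ranks a constructed set of findings using exploitation intelligence, compensating controls and exploit-test results. The weights and the EXAMPLE-* identifiers are illustrative assumptions, not a published scoring standard.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability finding with its static score and runtime context."""
    cve: str                 # placeholder identifier, constructed for this example
    cvss: float              # static CVSS base score (0.0 - 10.0)
    exploited_in_wild: bool  # pillar 1: threat intel reports active exploitation
    mitigated: bool          # pillar 2: an existing control blocks the exploit path
    exploit_confirmed: bool  # pillar 3: active exploit testing reached the asset


# Constructed sample data: identifiers are placeholders, not real CVE numbers.
FINDINGS = [
    Finding("EXAMPLE-A", 9.8, exploited_in_wild=False, mitigated=True, exploit_confirmed=False),
    Finding("EXAMPLE-B", 7.5, exploited_in_wild=True, mitigated=False, exploit_confirmed=True),
    Finding("EXAMPLE-C", 8.1, exploited_in_wild=False, mitigated=False, exploit_confirmed=False),
]


def static_rank(findings):
    """Traditional ordering: highest CVSS base score first, nothing else considered."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def contextual_priority(f: Finding) -> float:
    """Priority that layers the three pillars on top of CVSS (weights are assumptions).

    Unlike CVSS, the result is not capped at 10: it is an ordering key, not a severity score.
    """
    score = f.cvss
    if f.exploited_in_wild:
        score += 3.0   # known in-the-wild exploitation outweighs theoretical severity
    if f.exploit_confirmed:
        score += 2.0   # a test that actually reached the asset proves the path is real
    if f.mitigated:
        score *= 0.4   # a compensating control leaves residual, not zero, risk
    return round(score, 1)


def contextual_rank(findings):
    """Ordering that reflects exploitable risk rather than catalogued severity."""
    return sorted(findings, key=contextual_priority, reverse=True)


if __name__ == "__main__":
    print("static    :", [f.cve for f in static_rank(FINDINGS)])
    print("contextual:", [(f.cve, contextual_priority(f)) for f in contextual_rank(FINDINGS)])
```

With the sample data the highest-CVSS finding drops to the bottom because a control already mitigates it, while the actively exploited, test-confirmed finding moves to the top.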