FOR IMMEDIATE RELEASE
April 16, 2025
CVE Foundation Launched to Secure the Future of the CVE Program
[Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a
Decentralizing a foundation such as CVE would do more harm than good. For things like git or the fediverse it makes perfect sense, but the last thing I want something like the CVE to be is fragmented. We need a single source of truth for this.
Now setting up a non-profit foundation and cutting dependence on governments is a good thing, but it’s not the same as decentralized.
This, exactly.
The whole point of CVE is to make sure everyone is on the same page regarding exploits. That necessitates a single point of truth for the whole operation.
So distribute it, like DNS. Have the CVE Foundation be the final authority, but relying solely upon them makes me uneasy.
The CVE Foundation might currently be independent from the US government, but that doesn’t mean they’re not still subject to its whims. I think people underestimate just how awful things are or could get here, and “why is the government doing that stupid/heinous/bizarre thing” has become a daily mantra for many.
CVE needs better protection from hostile governments, and distributing the system seems like the only way to achieve that.
That’s long since been the case, e.g. the Linux Kernel assigns its own CVE numbers, they’re a CNA. Which keeps the “root” CVE database completely out of the loop short of saying “this here is your namespace and scope”. Canonical is a CNA, Airbus is a CNA, both covering their own products. 453 in total.
Still important to have a fallback though because not all projects are big enough to do that kind of stuff, and you always want there to be some database you can report something against.
There is some distribution of effort/expertise at least:
https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/
When an individual researcher or an organization discovers a new bug in some product, a CVE program partner — there are currently a few hundred across 40 countries — is asked to assess the vulnerability report and assign a unique CVE identifier for the flaw if and as necessary.
I think you might be overestimating how complex the system is. This isn’t collaborative, and it’s barely even dynamic. It’s essentially bookkeeping around a list of numbers and a zip file of text documents.
https://github.com/CVEProject/cvelistV5/archive/refs/heads/main.zip
The reporting of the issues is already done by other people, they just rely on a central group to keep the numbers from colliding.
https://www.cve.org/CVERecord?id=CVE-2025-3576
Not a whole lot there.
Significantly more worrying is the nvd.
https://nvd.nist.gov/vuln/detail/CVE-2025-31161
There’s additional data attached relating to not just the vulnerability, but exploitation and the system configuration that’s known to be exploitable.
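The "list of numbers and a zip file of text documents" is a set of CVE JSON 5.x records, one file per ID. As an added example (not code from the thread, the CVE Program or the cvelistV5 repository), the Python below walks a handful of constructed records in that shape, validates the ID syntax, computes the path a record would have in the repository tree, and runs the one check a single registry exists to enforce: that no ID is claimed by two assigners. The record layout, the cves/<year>/<prefix>xxx/ path convention and the iter_records_from_zip helper for a downloaded archive are assumptions about the repository; the records, vendors and IDs are placeholders.

```python
import json
import re
import zipfile
from collections import Counter, defaultdict

# A CVE ID is CVE-<4-digit year>-<sequence of at least four digits>; the sequence has no upper bound.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def make_record(cve_id, assigner, vendor=None, product=None, state="PUBLISHED", description=""):
    """Build a constructed CVE JSON 5.x-shaped record (placeholder data, not a real CVE record)."""
    cna = {}
    if state == "PUBLISHED":
        cna = {
            "affected": [{"vendor": vendor, "product": product,
                          "versions": [{"version": "0", "status": "affected",
                                        "lessThan": "1.0", "versionType": "semver"}]}],
            "descriptions": [{"lang": "en", "value": description}],
        }
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.1",
        "cveMetadata": {"cveId": cve_id, "assignerShortName": assigner, "state": state},
        "containers": {"cna": cna},
    }


# Constructed sample set: a fictional vendor, placeholder IDs, one malformed ID, one reserved ID,
# and one ID that two assigners both claim (the collision a single registry exists to prevent).
SAMPLE_RECORDS = [
    make_record("CVE-2025-99901", "exampleco", "ExampleCo", "Widget",
                description="Constructed: input validation flaw in Widget."),
    make_record("CVE-2025-99902", "exampleco", "ExampleCo", "Gadget",
                description="Constructed: path traversal in Gadget."),
    make_record("CVE-2025-99902", "otherco", "OtherCo", "Tool",
                description="Constructed: the same ID claimed by a second CNA."),
    make_record("CVE-2025-991", "exampleco", "ExampleCo", "Widget",
                description="Constructed: sequence number too short."),
    make_record("CVE-2025-99903", "otherco", state="RESERVED"),
]


def validate_cve_id(cve_id: str) -> bool:
    return CVE_ID_RE.match(cve_id) is not None


def record_path(cve_id: str) -> str:
    """Assumed location of a record in the cvelistV5 tree: cves/<year>/<prefix>xxx/<id>.json,
    where <prefix> is the sequence number with its last three digits dropped."""
    m = CVE_ID_RE.match(cve_id)
    if m is None:
        raise ValueError(f"not a CVE ID: {cve_id}")
    year, seq = m.groups()
    return f"cves/{year}/{seq[:-3]}xxx/{cve_id}.json"


def summarize(record: dict) -> dict:
    """Pull out what a consumer needs: who assigned it, what it affects, what it says."""
    meta = record["cveMetadata"]
    cna = record.get("containers", {}).get("cna", {})
    products = [f"{a.get('vendor', '?')}/{a.get('product', '?')}" for a in cna.get("affected", [])]
    description = next((d["value"] for d in cna.get("descriptions", [])
                        if d.get("lang", "").startswith("en")), "")
    return {"id": meta["cveId"], "assigner": meta.get("assignerShortName", "unknown"),
            "state": meta["state"], "products": products, "description": description}


def find_collisions(records) -> dict:
    """IDs claimed by more than one assigner. Keeping this empty is the central registry's job."""
    claims = defaultdict(set)
    for r in records:
        meta = r["cveMetadata"]
        claims[meta["cveId"]].add(meta.get("assignerShortName", "unknown"))
    return {cid: sorted(who) for cid, who in claims.items() if len(who) > 1}


def audit(records):
    """Return (malformed IDs, collisions, records per assigner) for a batch of records."""
    malformed = sorted(r["cveMetadata"]["cveId"] for r in records
                       if not validate_cve_id(r["cveMetadata"]["cveId"]))
    per_assigner = Counter(r["cveMetadata"].get("assignerShortName", "unknown") for r in records)
    return malformed, find_collisions(records), per_assigner


def iter_records_from_zip(zip_path: str):
    """Yield parsed records from a downloaded cvelistV5 archive (needs the file; unused by the sample run)."""
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            if "/cves/" in name and name.endswith(".json"):
                yield json.loads(zf.read(name))


if __name__ == "__main__":
    malformed, collisions, per_assigner = audit(SAMPLE_RECORDS)
    print("malformed:", malformed)
    print("collisions:", collisions)
    print("per assigner:", dict(per_assigner))
    for rec in SAMPLE_RECORDS:
        s = summarize(rec)
        print(s["id"], s["assigner"], s["state"], s["products"], record_path(s["id"]) if validate_cve_id(s["id"]) else "-")
```

On the sample set, audit() reports the short ID as malformed and CVE-2025-99902 as claimed by both assigners; to run the same bookkeeping over the real archive, pass iter_records_from_zip("main.zip") into audit() after downloading the zip linked above.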
Up until now it was benign, as well as entirely unavoidable, for so much of the infrastructure of the Internet to be closely tied to the US government.
Distribution, decentralization… those ideas only serve to add unnecessary complexity to a sensitive and critical infrastructure. Instead of tweeting the baby with the bathwater, let’s work toward making these institutions not rely on or be beholden to governments. Anything else is a poor man’s Band-Aid to the problem.
FWIW, I agree with your concerns, but not the proposed solutions. Regardless, these are the types of discussions we all should be having for our critical infrastructure.
let’s work toward making these institutions not rely on or be beholden to governments.
I don’t see how that’s possible unless you use a system that’s resistant to governments (or moneyed interests). And the only systems like that are effectively outside their government’s power or jurisdiction. Otherwise, the right mix of ambitious or greedy people could eventually cause it to crumble.
Did you have some other kind of system or plan in mind?