This blog contains a host of information about various vulnerabilities and thoughts related to vulnerability management.
2025-04-18
Progression allows you to move forward. Regression teaches important lessons. Status quo allows for the emergence of complacency. Nothing good comes out of it.
Earlier this week, the world of security had a profound shock as Mitre's funding for the CVE program, a cornerstone of security, almost came to an end. As everyone panicked, Mitre's funding was reinstated for one year. If you work on the technical side of cyber, you already know CVEs are the backbone of vulnerability tracking. If you don't, know that our field came really close to a catastrophic failure.
This post is not about the drama surrounding this week's events, as that has already been discussed at length. This post is, however, about moving forward and getting out of the status quo. It is written in two parts: the first explores what got us where we are, the second explores how we could move on.
Computer security only really became mainstream in the last 10 years. Not many people were into it 20 years ago, let alone 40 years ago. For many among us, CVE is just a fact of life, a bit like light or electricity. Things were not always like this! In fact, vulnerability management, while it has pretty much always existed, didn't really take off until fairly recently.
The CVE program came into existence in November 1999. To my knowledge, prior to this date, and even after it, up to around 2005-2008, the most important centralized source of vulnerability information was Bugtraq. Back then, geeks were talking about security, and hacking was that dark art that only "geniuses" could get into. As Bugtraq evolved and changed hands, the broader world started recognizing the national security implications of computer vulnerabilities. The CVE program was therefore instated in 1999. It still took a couple of years before the program picked up speed and public acceptance. In fact, I remember reading a copy of Hacking Exposed back in 2003 where, according to my memory, Bugtraq was mentioned as a way to search for vulnerability information, but I can't recall the CVE program being present in the book. It probably was. But this shows how it really took some time for the general public to pick up on CVE. Even in 2012, the year I officially started working as a software security professional, I remember a series of Microsoft Remote Desktop vulnerabilities being discussed in security circles using their Microsoft security bulletin designation, MS-12-020, rather than their CVE identifiers, even though those did in fact exist and were mentioned in MS-12-020. How things have changed!
The democratization of computer security as a whole is directly responsible for the standardisation of vulnerability reporting. Reporting a vulnerability has never been as easy as it is now. Thank God! This was not always the case. If you go back not even 10 years, reporting a vulnerability was almost an ordeal for a private researcher: companies would sue us for responsibly disclosing vulnerabilities. I personally have about 30 unreported vulnerabilities from back in 2012-2014 for this very reason. That's also why PasteBin, ExploitDB and others became very popular back then for somewhat anonymous vulnerability reporting through full disclosure.
Bottom line: the best way to describe vulnerability reporting and management from the 90's to the 00's is best effort and, often, secrecy and trust within smaller hacking groups.
Eventually, out of a very real need, the CVE program picked up speed and became the de-facto standard way of reporting vulnerabilities, and also the very root of vulnerability management. The CVE program is now the primary source of intelligence for bulk vulnerability information. Just about every tool out there relies on it, directly or indirectly.
As amazing as it is, the CVE program has centralised vulnerability information in the hands of a single source: US Homeland Security, through Mitre. There are multiple issues with the current state of things; some are briefly explained here.
Closed disclosure process (mostly anyway):
If you have ever attempted to disclose a vulnerability through Mitre directly, you have had a glimpse of this. Vulnerabilities will not be published to the NVD until public information about the vulnerability is available. This means there is a time period, a stage of the process, where the vulnerability information is available to a centralised sovereign government entity but not to the general public. Often, CVEs at that stage will be in the "reserved" state. I personally have a CVE in this state right now. As of this writing, CVE-2025-22966 is marked as reserved, and it has been in this state for the last 3 months. This means that Mitre, and by extension US Homeland Security, are aware of the vulnerability and its details. However, vulnerabilities in this state can't be identified by any security tool, as their details are not publicly available. Should a major geopolitical event occur, situations like this one could potentially give the US government an important edge in a future conflict.
Absence of information across the world:
Should a major world disruption lead to the US government cutting public access to the program, the world of computer security could literally go back to the dark ages. Some initiatives would appear, but public domain information would likely be less frequent and less organised and standardised. Most security tools focused on vulnerability management would instantly become expensive paperweights. The following points all build on this one.
Potential exploit and vulnerability grey market demand explosion:
If you didn't know about this, there is such a thing as a market for 0-day exploits. And I'm not talking about bug bounties here. I am talking about actual organisations buying vulnerability information from independent sources at high prices. In a world where defenders became less organized, buying exploits could become even more prevalent than it is right now. The lack of communication on the defenders' side could result in a longer shelf life for these commodities, and therefore business growth for the people selling this type of information.
Similarly, bug bounty prices would likely jump. Why? Whoever controls the broadest source of information would take the CVE program's place, and there would certainly be fierce competition for this spot, which is likely to drive bug bounty prices up. Control of the bug bounty market is possibly the least expensive way to achieve this. The alternative is investing in research: a great long-term solution, but a very expensive endeavour with little to no short-term ROI.
The end of centralized public domain information:
With the value of the information going up, there would be a serious incentive to monetize it in every possible way. In some cases, this could even become a source of funding for open source projects and software companies.
There are certainly more issues that could be discussed. You might find my take on this slightly alarmist. I can't blame you. But as with everything, when money and people are involved, it can usually be expected that the worst in the world will come out. After all, some people have to pay for access to drinkable water, something life itself depends on…
Forget about funding for a moment: every single one of the issues mentioned above exists whether funding continues or not.
The current status quo in the world of vulnerability management has led to the centralisation of the very information at the root of all such efforts in the hands of a sovereign government.
Continued funding does not guarantee the CVE program will remain freely and openly available. Whoever controls the information controls who will receive it and when they will receive it. Our whole industry depends on this.
To steal the words of a great master:
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
- Sun Tzu, The Art of War
How can you know the enemy, the threat in this case, in a world where the information is not easily available? I know I've just painted a bleak picture. But not all is dark and bad. We need to rethink how we handle vulnerability disclosure. Centralization helped us grow. Now it might be the thing holding us back.
In part two, I’ll explore how we can reclaim control of vulnerability disclosure and what a healthier, more resilient future might look like for defenders everywhere.