Shostack + Friends Blog


25 Years of CVE

Some thoughts on 25 years of the CVE program

I saw the headline CVE Program Celebrates 25 Years of Impact! and want to congratulate everyone involved. The 25th anniversary report was a nostalgic walk down memory lane for me.

I remember sitting a row or two behind Dave Mann and Steve Christey Coley at the workshop on vulnerability databases, and wondering who the heck MITRE was and why they cared.

My startup at the time cared because we spent an inordinate amount of energy understanding what our competitors were looking for and what the vulns we saw discussed actually meant. The lack of identifiers was costing us a lot of time and money. I drove over to MITRE's Burlington office and lobbied Margie Zuk, Penny Chase, Todd Wittbold and others to do something with the CVE. I had no idea how big and successful they were going to make it.

The program has challenges which are a natural result of success, and some of those are not really challenges of CVE. There was a longstanding symbiosis between CVE and NVD's "enhancement," and the issues at NVD often get portrayed as a CVE problem. They're real problems, but one of the strengths of CVE has been its simplicity: it's a name that enables correlation between records. Whatever issues the program may have, the NVD issues show how that simple design enabled all sorts of value.