Security BSides Las Vegas 2025

What Should CVE Be When It Grows Up?
2025-08-05 , Florentine A

The CVE Program is a pillar of the cybersecurity ecosystem. For more than a quarter century, it has provided an authoritative source of vulnerability data for software users. It is also critical for continuing to drive security into the design and development process. However, over the last 18 months, both the CVE Program and the US National Vulnerability Database have faced funding challenges. At the same time, developments in the European Union have led to the creation of the EU Vulnerability Database. Congress has taken note, and in June, members requested a formal audit of the program. What are the challenges facing the CVE Program? How should these be communicated to policymakers in a way that preserves its critical function and avoids a fracturing of the ecosystem? What new governance models should be considered?


A 45-minute moderated discussion featuring Bob Lord.

Jerry Gamblin is a Principal Engineer in the Threat Detection & Response business group at Cisco Security, where he leads research and data science initiatives to enhance Cisco Security products. He is actively involved in the CVE community, participating in various working groups and serving as a member of the EPSS SIG. He regularly speaks on vulnerabilities and vulnerability management at international conferences and manages a CVE data collection site at CVE.ICU.

Madison Oliver is a senior security manager at GitHub, overseeing the advisory database team responsible for publishing over 6,000 CVEs to date. Previously, as a vulnerability coordinator at the CERT Coordination Center at Carnegie Mellon University, Madison's team published more than 200 CVEs and assisted in the international coordination of many more. Madison has played a pivotal role in the global response to major named vulnerabilities, including Log4Shell, SolarWinds SUPERNOVA, Foreshadow, and KNOB. Her extensive experience in vulnerability transparency is further evidenced by her service on the CVE Program Board and participation in OpenSSF working groups.

Moderator.

Vice president of security research at runZero and CVE mucker-abouter.