The CVE Program’s Close Call

In April 2025, the cybersecurity industry faced a near-crisis. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that its contract with MITRE Corporation, the organisation responsible for managing the Common Vulnerabilities and Exposures (CVE) Program, was set to expire on April 16. 

For over 25 years, CVE has been a standardised, universal language for publicly disclosed vulnerabilities, serving as the backbone of global vulnerability coordination. The prospect of MITRE’s contract lapsing sparked immediate and widespread concern.

Just hours before the deadline, CISA extended MITRE’s contract for 11 months, narrowly avoiding an immediate shutdown. But this stopgap fix exposed a deeper fragility: the global cybersecurity community has placed enormous reliance on a single, government-funded entity to maintain one of the most critical components of its security infrastructure.  

A Foundation Built On Shaky Ground

In response to the scare, members of the CVE board announced the formation of the CVE Foundation, a nonprofit organisation that aims to provide long-term sustainability, independence, and more diverse funding for the CVE program. Its mission is to protect vulnerability intelligence from political fluctuations and foster broader global participation.  

This initiative couldn’t have come at a more urgent time. The National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD), which gives context to CVE entries with severity scores and metadata, has faced significant backlogs. As of late 2024, more than 20,000 CVEs awaited analysis, and only 47.9% of newly published vulnerabilities had been enriched with data like CVSS scores. This backlog leaves organisations without the critical context required to prioritise risks, slowing down response and fix times across the board.

Worryingly, even the scores that do exist can be misleading. JFrog’s Software Supply Chain State of the Union 2025 report found that 88% of ‘critical’ and 57% of ‘high’ CVEs were downgraded in severity after deeper analysis, indicating that CVSS scores often overstate the real-world risk to specific systems.  

Vulnerability Volume Is Outpacing Software Growth

The volume of reported vulnerabilities is increasing rapidly. Our report also revealed that 33,000+ CVEs were published in 2024, a 27% year-over-year increase, outpacing the 24.5% growth in open-source package adoption. More software equals more risk, yet our systems for identifying and responding to that risk haven’t scaled in tandem.

Meanwhile, alternative vulnerability tracking systems are typically specific to individual software projects or organizations. Vulnerability tracking identifiers like GitHub Security Advisories (GHSA), Python’s PYSEC, and Amazon Linux Security Advisories (ALAS) lack comprehensive coverage or consistency. For example, 41% of known Python vulnerabilities in the JFrog database have no corresponding PYSEC ID, creating blind spots for developers relying on a single vulnerability tracking source. 

Fragile Practices & Widening Attack Surfaces 

At the organisational level, practices haven’t kept up with risk exposure. In 2024, JFrog found that the average organisation ingested 38 new open-source packages per month (over 450 annually), yet 71% still allow developers to fetch packages directly from the internet, opening the door to supply chain attacks.

Despite increasing tool adoption (73% of organisations use seven or more security tools), key best practices remain missing. Binary-level scanning and secret detection are often overlooked, with JFrog alone detecting over 6,700 active secrets in public registries in 2024, a 64% increase over the previous year. 

What comes after CVEs? 

To build real resilience, the cybersecurity community needs to evolve beyond legacy models. A modern vulnerability management approach should include: 

  • Multi-source threat intelligence: Organisations should draw security data from multiple sources, including CNAs’ CVE data, GitHub security advisories, OSV, software vendor advisories, and internal telemetry, not just CVE and NVD. A single source is no longer sufficient. 
  • Applicability-aware analysis: Not all CVEs are relevant in every environment. JFrog research shows that 64% of high-profile CVEs had near-zero applicability in customer environments. This calls for tools that consider exploitability and actual reachability of vulnerable code. 
  • Guardrails on open-source use: Implementing proxy repositories and artifact managers helps vet packages before they’re integrated into builds, reducing exposure to malicious or vulnerable components. 
  • Contextual analysis & automation: Static CVSS scores miss the mark. Tools must go deeper, using code analysis, runtime behaviour, and environment awareness to assign risk. JFrog’s tools, for example, combine proprietary scanners and contextual enrichment to improve triage. 
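The first two recommendations above (multi-source intelligence and applicability-aware analysis) can be illustrated in a few dozen lines. The script below is an added example written for this article, not JFrog's tooling or any real feed client. It normalises advisories from two differently shaped sources (a minimal NVD-style CVE record and OSV-schema records of the kind GHSA and PYSEC publish), merges entries that share an identifier, keeps each source's severity score side by side so disagreements are visible, filters the result against an installed-package inventory, and reports which advisories a consumer of a single identifier namespace (PYSEC here) would never see. All records, package names, version numbers and identifiers are constructed placeholders; the numeric `cvss_score` field is also an assumption of the sample, since real OSV records carry a CVSS vector string rather than a number.

```python
"""Multi-source advisory merge with applicability filtering (constructed sample data)."""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.1.0' into (2, 1, 0); non-numeric suffixes are ignored.
    Real ecosystems need PEP 440 / semver parsing; this is enough for the sample."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Advisory:
    ids: set[str]                 # primary identifier plus every alias seen so far
    package: str
    introduced: str               # first affected version ("0" means all versions)
    fixed: str | None             # first fixed version, None if no fix is known
    severity: dict[str, float] = field(default_factory=dict)  # source name -> CVSS score

    def affects(self, version: str) -> bool:
        """True if `version` lies in the half-open range [introduced, fixed)."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


def from_osv(rec: dict) -> Advisory:
    """Normalise an OSV-schema record (the format GHSA and PYSEC use)."""
    affected = rec["affected"][0]
    introduced, fixed = "0", None
    for event in affected["ranges"][0]["events"]:
        introduced = event.get("introduced", introduced)
        fixed = event.get("fixed", fixed)
    source = rec["id"].split("-")[0].lower()          # "ghsa" or "pysec"
    adv = Advisory({rec["id"], *rec.get("aliases", [])}, affected["package"]["name"], introduced, fixed)
    if "cvss_score" in rec:                           # constructed numeric field (see lead-in)
        adv.severity[source] = rec["cvss_score"]
    return adv


def from_nvd(rec: dict) -> Advisory:
    """Normalise a minimal NVD-style record: CVE id, product, fixed version, base score."""
    return Advisory({rec["cve"]}, rec["product"], "0", rec["fixed"], {"nvd": rec["base_score"]})


def merge(advisories: list[Advisory]) -> list[Advisory]:
    """Collapse records that share any identifier into one entry, keeping every source's score.
    (Single pass: enough for the sample; transitive alias chains would need a union-find.)"""
    merged: list[Advisory] = []
    for adv in advisories:
        for existing in merged:
            if existing.ids & adv.ids:
                existing.ids |= adv.ids
                existing.severity.update(adv.severity)
                break
        else:
            merged.append(Advisory(set(adv.ids), adv.package, adv.introduced, adv.fixed, dict(adv.severity)))
    return merged


def applicable(merged: list[Advisory], inventory: dict[str, str]) -> list[Advisory]:
    """Keep only advisories whose package is installed at an affected version."""
    return [a for a in merged if a.package in inventory and a.affects(inventory[a.package])]


def missing_from(merged: list[Advisory], id_prefix: str) -> list[Advisory]:
    """Advisories that a consumer relying only on `id_prefix` identifiers would never see."""
    return [a for a in merged if not any(i.startswith(id_prefix) for i in a.ids)]


# Constructed sample feeds: placeholder identifiers, packages and versions, not real advisories.
SAMPLE_NVD = [{"cve": "CVE-2099-0001", "product": "examplelib", "fixed": "2.1.0", "base_score": 9.8}]
SAMPLE_OSV = [
    {"id": "GHSA-xxxx-xxxx-0001", "aliases": ["CVE-2099-0001"], "cvss_score": 7.5,
     "affected": [{"package": {"name": "examplelib"},
                   "ranges": [{"events": [{"introduced": "0"}, {"fixed": "2.1.0"}]}]}]},
    {"id": "PYSEC-2099-001", "aliases": [], "cvss_score": 5.3,
     "affected": [{"package": {"name": "otherlib"},
                   "ranges": [{"events": [{"introduced": "1.0.0"}, {"fixed": "1.5.0"}]}]}]},
    {"id": "GHSA-xxxx-xxxx-0002", "aliases": ["CVE-2099-0002"], "cvss_score": 8.1,
     "affected": [{"package": {"name": "thirdlib"},
                   "ranges": [{"events": [{"introduced": "0"}]}]}]},
]
INVENTORY = {"examplelib": "2.0.3", "otherlib": "1.4.0"}   # constructed slice of an SBOM


def run(nvd=SAMPLE_NVD, osv=SAMPLE_OSV, inventory=INVENTORY) -> dict:
    merged = merge([from_nvd(r) for r in nvd] + [from_osv(r) for r in osv])
    return {
        "merged": merged,
        "applicable": applicable(merged, inventory),
        "no_pysec_id": missing_from(merged, "PYSEC-"),
    }


if __name__ == "__main__":
    result = run()
    for adv in result["merged"]:
        print(sorted(adv.ids), adv.package, adv.severity)
    print("applicable here:", [a.package for a in result["applicable"]])
    print("invisible to a PYSEC-only consumer:", [a.package for a in result["no_pysec_id"]])
```

Two things the output makes concrete: the merged `examplelib` entry carries both the NVD score (9.8) and the GHSA score (7.5), which is exactly the kind of discrepancy that a single static CVSS number hides, and `thirdlib` is flagged even though it is not installed, which is why the applicability step runs after the merge rather than being skipped in favour of raw advisory counts.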

Preparing For The Inevitable 

The near-loss of MITRE’s CVE stewardship serves as an industry-wide wake-up call. If that foundational system had collapsed, the shockwaves would’ve been felt across DevSecOps pipelines, compliance frameworks, and incident response workflows globally. 

As software development accelerates, especially with the advent of AI-generated code, our vulnerability management strategies must evolve accordingly. The future demands a decentralised, resilient, and context-rich vulnerability intelligence infrastructure. That includes supporting nonprofit initiatives like the CVE Foundation, improving collaboration across ecosystems, and investing in smarter, more adaptive tooling. 

Only by recognising and addressing the structural weaknesses in today’s vulnerability coordination model can we hope to prevent the next crisis, not just delay it. 

Jonathan Sar Shalom is Director of Threat Research at JFrog
