The current system, the CVE in cooperation with the NVD, has served the global community well. But as with any system built when the number of vendors, products and open source projects was far smaller and the focus on cybersecurity much lower, it is time to step back and review the situation.

  • NAMING: In a smaller ecosystem, it was natural for the NVD to enumerate vendor and product names itself. With a growing number of active vendors and products, this no longer works on a global scale. Even within the managed namespace, there are several examples of a single vendor being given multiple names. This leads to software that “guesses” the CPE name by generating multiple permutations for a single component in the hope of finding a match.
  • The CPE as a vendor and product name identifier is an old system that has worked well, but new naming schemes are being developed and a planned migration is needed. For this to work, client implementations as well as services and APIs must be coordinated.
  • Limited funding: As we expect the number of reported vulnerabilities to grow exponentially, the current funding is unlikely to be enough. We have already seen the problems exposed at the NVD as the number of CVEs reported in 2024 grew dramatically.
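To make the naming problem in the first two points concrete, here is an added example (not code from the article or from the CVE/NVD programs) that parses CPE 2.3 formatted strings and matches an advisory's applicability pattern against an asset inventory. All CPE strings, the `widget` product, the `example_corp` vendor and the `VENDOR_ALIASES` table are constructed values. The point it demonstrates is the one the text raises: when one vendor appears under two names, a strict match silently misses an affected asset, and the remedy on the consumer side is one explicit, reviewed alias table rather than guessing name permutations.

```python
"""CPE 2.3 parsing and matching with an explicit vendor-alias table.
Added illustration; the CPE strings and alias mappings below are constructed."""
import re

# Field order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(fs):
    """Split a formatted string on ':' while keeping backslash-escaped characters intact."""
    parts, cur, i = [], [], 0
    while i < len(fs):
        ch = fs[i]
        if ch == "\\" and i + 1 < len(fs):      # escape pair such as "\:" stays in the component
            cur.append(fs[i:i + 2])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_cpe23(fs):
    """Return the 11 named components of a CPE 2.3 formatted string."""
    parts = split_cpe23(fs)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def _component_regex(comp):
    """Translate one component into a regex: '*' = any run, '?' = one char, '\\x' = literal x."""
    out, i = [], 0
    while i < len(comp):
        ch = comp[i]
        if ch == "\\" and i + 1 < len(comp):
            out.append(re.escape(comp[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return "^" + "".join(out) + "$"


def component_matches(pattern, value):
    """Match one pattern component against one inventory component (case-insensitive)."""
    if pattern == "*" or value == "*":          # ANY matches everything
        return True
    if pattern == "-" or value == "-":          # NA only matches NA
        return pattern == value
    return re.fullmatch(_component_regex(pattern), value, re.IGNORECASE) is not None


def cpe_matches(pattern_fs, name_fs):
    """Strict CPE match: every component of the pattern must match the name."""
    pat, name = parse_cpe23(pattern_fs), parse_cpe23(name_fs)
    return all(component_matches(pat[f], name[f]) for f in CPE23_FIELDS)


def canonical_vendor(vendor, aliases):
    """Map a vendor spelling to its canonical form; unknown vendors are returned lower-cased."""
    return aliases.get(vendor.lower(), vendor.lower())


def find_affected(inventory, applicability, aliases):
    """Inventory entries matched by the applicability pattern after vendor-alias normalisation."""
    pat = parse_cpe23(applicability)
    pat = dict(pat, vendor=canonical_vendor(pat["vendor"], aliases))
    hits = []
    for fs in inventory:
        name = parse_cpe23(fs)
        name = dict(name, vendor=canonical_vendor(name["vendor"], aliases))
        if all(component_matches(pat[f], name[f]) for f in CPE23_FIELDS):
            hits.append(fs)
    return hits


# Constructed inventory: the same vendor recorded under two different names.
INVENTORY = [
    "cpe:2.3:a:example_corp:widget:1.2.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:widget:1.2.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:example_corp:widget:2.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:other_vendor:widget:1.2.0:*:*:*:*:*:*:*",
]
# Constructed advisory applicability pattern: widget 1.2.x from example_corp.
ADVISORY_PATTERN = "cpe:2.3:a:example_corp:widget:1.2.*:*:*:*:*:*:*:*"
# Constructed, reviewed alias table (hypothetical): one canonical vendor name per spelling.
VENDOR_ALIASES = {"examplecorp": "example_corp", "example_corp_inc": "example_corp"}

if __name__ == "__main__":
    print("strict match:      ", find_affected(INVENTORY, ADVISORY_PATTERN, {}))
    print("with alias table:  ", find_affected(INVENTORY, ADVISORY_PATTERN, VENDOR_ALIASES))
```

The strict pass returns only the `example_corp` 1.2.0 entry and misses the `examplecorp` 1.2.3 entry even though it is the same vendor; with the alias table both are returned. Keeping that table explicit and reviewed is what makes the result auditable, which the permutation-guessing approach described above is not.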