Can We Trust CVE?

https://news.ycombinator.com/rss
Summary

If you are a security nerd, and even if you’re not, you probably heard about the epic CVE mess that happened. It’s a very long story and was covered in many places, but the TL;DR was that the funding for CVE fell through, panic ensued, then CISA found some temporary funds to keep the lights on, so everything is fine and we can all go back to normal. Well, some of us won’t go back to normal because the CISA funding is good for 11 months. Will there be more funding in 11 months? Will an asteroid destroy the Earth in 2032? Will society still exist at Christmas? Nobody really knows. Well, that asteroid one, we sort of know that. We’ll be fine. Yay science!

So anyway, the point of this article isn’t to pile on CVE, it’s to talk about trust, but not the sort of trust we usually talk about in security. We’re usually talking about trust in the context of “can I trust that session isn’t a Russian trying to steal my cat memes?”. This is human trust, trust with the user story “As a human on Earth, can I ever trust CVE again?”. While I could keep you on the edge of your seat during the entirety of this article, I’ll ruin the ending. You can’t trust CVE ever again, because you are a human, on Earth.

Why can’t we trust CVE?

I’m going to start the story about trusting CVE with NVD and why we also can’t trust them. But that’s fine because nobody trusts them anymore anyway, so it’s a less exciting revelation. That’s why I didn’t ruin this observation in the intro.

At the start of 2024, it became known that NVD had stopped enriching CVE records. There were a few of us who noticed this, and we just sort of assumed there was some sort of ghost in the machine and things would go back to normal in a few days. A few days turned into a little more than a week. That’s when it was pretty clear it was time to say something. I helped write a blog post; I’m not sure if it was THE post that broke the news, but it was pretty early. Now before this post, NVD had said nothing. Then once the news broke, they said...

First seen: 2025-04-20 02:22

Last seen: 2025-04-20 03:22