The landscape of cybersecurity vulnerability management is continually evolving, with the Common Vulnerabilities and Exposures identifier (CVE ID) as the keystone holding it all together. The world has come to depend on CVE IDs, and on the standard vulnerability reporting that has evolved around them, to keep networks and systems more secure. The broader ecosystem includes the National Vulnerability Database (NVD), the European Union Vulnerability Database (EUVD), the Common Vulnerability Scoring System (CVSS), the Common Platform Enumeration (CPE), and the Common Weakness Enumeration (CWE), to name a few, but CVE is unwaveringly at the heart of them all.
The CVE program has a core set of roles and functions that enable it to serve as that keystone. Although the growth and maturity of this core has improved immensely since 2016, progress has happened in fits and starts. Rapid development and deployment of new capabilities is needed to support the continued expansion of the CVE Program. This paper describes the kinds of capabilities the CVE Foundation could develop to improve CVE and its usefulness.
Ask most people at large corporations, and even governments, whose jobs involve using CVE information in one way or another where they get that information, and the answer is almost always NVD.
Why is this? For many years NVD has provided a robust API that serves up enriched information for every CVE in existence. A team of analysts reviewed all public information about each CVE, assigned a CVSS score and a CWE, and created CPE values for the products associated with the CVE. They maintained the CPE dictionary and made it searchable by product, so that NVD served as a vulnerability aggregator that anyone could use freely. As the number of CVEs created per year grew, that job became difficult to scale.
NVD ran into funding issues late in 2023, and the job of enriching all CVE records became hopelessly unachievable. Those closest to the CVE program noticed this right away, but unfortunately the companies and governments that still depend on NVD for this data to this day did not, and they are now left wondering what has happened to the quality of the CVE data. Since then, NVD has been working to make improvements; however, scaling continues to be a challenge.
Early in 2024, the CVE program began encouraging all CNAs to enrich their own CVE records with CVSS, CWE and CPE information. The effort has been successful to a degree: about 20% of the active CNAs began adding CVSS and CWE information. That is real progress, but how good are the CNAs at providing accurate information? The CVE program provides no built-in support or checks on this enrichment, which makes the question difficult to answer. To deliver the highest quality enriched data, we need to give CNAs tools that make this difficult job much easier, and to provide checks and balances that perform basic data quality checks.
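One form those basic data quality checks could take, as an added example that is not part of the CVE program's tooling: the Python below validates CNA-supplied enrichment in a constructed CVE JSON 5.1 record, checking the CWE id format, the CVSS 3.1 vector string, that baseSeverity agrees with baseScore, and that each CPE is a complete 2.3 formatted string.

```python
import re

# Constructed sample CVE JSON 5.1 record (not a real CVE): its baseSeverity
# disagrees with its baseScore and its CPE is truncated, so both should be flagged.
SAMPLE_RECORD = {
    "cveMetadata": {"cveId": "CVE-0000-00001"},
    "containers": {"cna": {
        "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79"}]}],
        "metrics": [{"cvssV3_1": {
            "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8, "baseSeverity": "MEDIUM"}}],
        "affected": [{"vendor": "examplevendor", "product": "exampleapp",
                      "cpes": ["cpe:2.3:a:examplevendor:exampleapp:1.0"]}],
    }},
}

CWE_RE = re.compile(r"^CWE-\d+$")
# CVSS 3.1 base vector, optionally followed by temporal/environmental metrics.
CVSS31_RE = re.compile(
    r"^CVSS:3\.1/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH]"
    r"(/[A-Z]+:[A-Z]+)*$")

def severity_for(score):
    """CVSS 3.1 qualitative rating for a base score (scores are rounded to 0.1)."""
    for limit, name in ((0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH")):
        if score <= limit:
            return name
    return "CRITICAL"

def check_enrichment(record):
    """Return a list of quality findings for the CNA container of a CVE record."""
    findings = []
    cna = record["containers"]["cna"]
    for pt in cna.get("problemTypes", []):
        for d in pt.get("descriptions", []):
            if d.get("type") == "CWE" and not CWE_RE.match(d.get("cweId", "")):
                findings.append(f"malformed cweId {d.get('cweId')!r}")
    for v in (m["cvssV3_1"] for m in cna.get("metrics", []) if "cvssV3_1" in m):
        if not CVSS31_RE.match(v.get("vectorString", "")):
            findings.append(f"malformed CVSS 3.1 vector {v.get('vectorString')!r}")
        expected = severity_for(float(v.get("baseScore", 0)))
        if v.get("baseSeverity") != expected:
            findings.append(f"baseSeverity {v.get('baseSeverity')} does not match "
                            f"baseScore {v.get('baseScore')} (expected {expected})")
    for a in cna.get("affected", []):
        for cpe in a.get("cpes", []):
            # A CPE 2.3 formatted string has 13 colon-separated fields (escaped colons not handled).
            if cpe.split(":")[:2] != ["cpe", "2.3"] or len(cpe.split(":")) != 13:
                findings.append(f"CPE is not a complete 2.3 formatted string: {cpe!r}")
    return findings
```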
The Cyber Resilience Act (CRA) legislation, adopted by the EU in October 2024, emphasizes the importance of robust cybersecurity practices, requiring organizations to demonstrate effective vulnerability management. The initiatives outlined in this paper address several gaps in cybersecurity reporting and data interoperability, aligning with CRA requirements.
Key Initiatives
The following are proposed CVE enhancements focused on solving challenges around data quality, CNA coordination, and enriched CVE delivery.
Objective:
Build a cloud native repository of CNA details. Provide a set of scalable REST APIs for accessing this data, which can be a basis for other applications, including web and LLM-based applications.
Implementation Approach:
Establish a structured database containing comprehensive CNA information, including scope definitions and contact details.
Expose microservice-based REST APIs supporting creation, updating, and removal of CNAs and Roots. Allow for reassignment of CNAs and Roots to other Roots.
Provide webhooks to support event-driven notification of new CNAs and of changes to existing CNA information, so that subscribers can quickly integrate data changes.
Expected Outcomes:
CNA information is easy to retrieve, manage, and use in a variety of applications supporting direct web- and API-based information access and LLM-augmented search.
Objective:
CNAs need a mechanism to address disputed CVEs and to sort out duplicate assignments post-disclosure. Building on the CNA Directory, a ticketing system can provide a basis for ad-hoc coordination that resolves post-disclosure CVE assignment issues quickly and with greater transparency about the state of a given issue.
Implementation Approach:
Develop an issue management solution that supports CNA-to-CNA and CVE stakeholder-to-CNA coordination. Leverage existing open source issue management capabilities to the degree possible.
Provide email and REST API integrations to allow for automated notifications and access to issue data.
Expected Outcomes:
Quicker response times for resolving assignment-related issues.
Greater transparency for affected CVE stakeholders.
Greater program visibility into the extent of assignment issues and related timeframes for resolution.
Better integration into third-party workflows (e.g., GitHub).
Objective:
Develop a Retrieval-Augmented Generation (RAG)-enabled Large Language Model (LLM) capable of efficiently identifying CNAs based on product names and providing relevant scope details.
Implementation Approach:
Use the CNA User Registry and CVE list services to access comprehensive CNA information, including historical assignments and scope definitions.
Integrate LLM technology trained on structured data to allow users to query product names and receive CNA matches with contextual accuracy.
Employ dynamic updates and reinforcement learning techniques to enhance precision over time.
Define best practices for CNA scope statements so that they give LLMs more information to work with.
Expected Outcomes:
Streamlined CNA identification process, reducing ambiguity and errors in vulnerability assignment.
Improved efficiency for organizations seeking CVE assignments, significantly reducing the time to find a CNA and increasing accuracy and alignment with CNA scopes.
Fewer problematic out-of-scope assignments caused by misunderstandings of assignment scope.
Objective:
Build a robust and standardized microservices-based API for CVE.org inspired by key functionalities of NVD, improving data accessibility and usability. Consider standardized query interfaces such as GraphQL and methods to expose CVE data as a data lake for easy consumption by other cloud services.
Implementation Approach:
Design and develop a RESTful API with standardized endpoints for querying CVEs, CNAs, CWE mappings, and associated metadata.
Build on a cloud-native architecture that scales under load and supports API availability across multiple regions. Transition the legacy monolithic API server toward a serverless, microservices architecture that scales well under load while minimizing compute costs.
Implement authentication and rate-limiting mechanisms to maintain platform integrity and to manage costs.
Ensure backward compatibility with existing cybersecurity platforms to facilitate integration. This can be supported by exposing APIs that align with legacy formats, while supporting modern APIs that provide greater functionality using the same underlying microservices.
Expected Outcomes:
Improved access to CVE data, supporting real-time cybersecurity analysis. Enhanced usability for third-party applications and cybersecurity researchers.
Objective:
Enhance CVE.org by integrating historical vulnerability data, including detailed CPE-to-CVE mappings, sourced from NVD.
Implementation Approach:
Establish a data-sharing agreement with NVD to ingest historical CVE records directly into CVE.org.
Map CPE identifiers to CVEs comprehensively to improve historical tracking and ensure consistency.
Implement an automated data validation pipeline to verify accuracy and consistency across platforms.
Expected Outcomes:
Improved historical accuracy for CVEs with relevant CPE associations. Strengthened vulnerability tracking, supporting better decision-making and compliance reporting.
Objective:
Develop a decentralized mechanism for maintaining the CPE dictionary to improve consistency and usability.
Implementation Approach:
Establish a federated system where CNAs or designated cybersecurity organizations contribute to maintaining CPE definitions.
Implement a governance framework to ensure uniformity and validation of contributed entries.
Develop automation tools leveraging AI-driven entity recognition to suggest standardized CPE definitions.
Expected Outcomes:
Reduced inconsistencies in CPE definitions through distributed governance.
Improved CPE usability in vulnerability assessments and cybersecurity reporting.
Objective:
Integrate LLM technology into Vulnogram to enable CNAs to create higher quality and more enriched CVE records, automate vulnerability scoring, and improve the accuracy of CWE and affected product assignments.
Implementation Approach:
Deploy an AI-assisted scoring mechanism to help CNAs assign accurate CVSS scores and CWEs.
Utilize generative AI to recommend potential product associations using commonly available product identifiers (i.e., CPE) based on historical data patterns.
Provide interactive feedback mechanisms to refine AI-generated suggestions based on expert input.
Expected Outcomes:
Reduced manual burden for CNAs while ensuring high accuracy in vulnerability classification.
Enhanced usability of Vulnogram through AI-powered automation. Fewer mistakes and higher quality, enriched CVE records.
Objective:
Expand the role of Authorized Data Providers (ADP) to include CNAs contributing vulnerability status updates for open-source CVEs via the VEX framework.
Implementation Approach:
Develop a streamlined submission process for CNAs to report real-time status updates on third-party vulnerabilities.
Establish a structured data pipeline integrating VEX reports directly into CVE records.
Encourage adoption through industry collaboration and regulatory incentives.
Expected Outcomes:
Improved transparency in vulnerability mitigation efforts by tracking status updates.
Increased engagement from CNAs in maintaining comprehensive vulnerability information.
Objective:
Ensure seamless and automated conversion of CVE data into the Common Security Advisory Framework (CSAF) format for broader usability.
Implementation Approach:
Implement an automated export pipeline converting CVE data into CSAF-compliant documents, adopting the latest v2.1 format.
Enable periodic updates to ensure CSAF reports reflect the latest vulnerability data.
Provide structured JSON-based formatting for seamless integration into industry security workflows.
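As an added illustration of such an export pipeline (not the Foundation's or CVE.org's code), the Python below maps the CNA container of a constructed CVE JSON 5.1 record onto a CSAF security advisory. It assumes the CSAF 2.0 document shape (csaf_version, cwe, scores) rather than the v2.1 layout the paper targets, and the publisher name and namespace are placeholders.

```python
# Constructed CVE JSON 5.1 record (not a real CVE) used as the converter's input.
CVE_RECORD = {
    "cveMetadata": {"cveId": "CVE-0000-00002", "datePublished": "2025-01-15T00:00:00.000Z",
                    "dateUpdated": "2025-01-20T00:00:00.000Z"},
    "containers": {"cna": {
        "title": "Buffer overflow in exampleapp",
        "descriptions": [{"lang": "en", "value": "exampleapp before 1.5 mishandles input."}],
        "affected": [{"vendor": "examplevendor", "product": "exampleapp",
                      "versions": [{"version": "1.0", "status": "affected", "lessThan": "1.5",
                                    "versionType": "semver"}]}],
        "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-120",
                                            "description": "Buffer Copy without Checking Size of Input"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
    }},
}

def cve_to_csaf(record, publisher_name="Example CNA", publisher_ns="https://cna.example"):
    """Map the CNA container of a CVE 5.x record onto a CSAF 2.0 security advisory (placeholder publisher)."""
    meta, cna = record["cveMetadata"], record["containers"]["cna"]
    cve_id = meta["cveId"]
    products, affected_ids = [], []  # one CSAF product_id per affected vendor/product entry
    for i, a in enumerate(cna.get("affected", []), start=1):
        pid = f"CSAFPID-{i:04d}"
        spans = ", ".join(f"{v['version']} up to (excluding) {v['lessThan']}" if "lessThan" in v
                          else v["version"] for v in a.get("versions", []) if v.get("status") == "affected")
        products.append({"product_id": pid, "name": f"{a['vendor']} {a['product']} {spans}".strip()})
        affected_ids.append(pid)
    vuln = {"cve": cve_id,
            "notes": [{"category": "description", "text": d["value"]} for d in cna.get("descriptions", [])],
            "product_status": {"known_affected": affected_ids}}
    for d in (d for pt in cna.get("problemTypes", []) for d in pt.get("descriptions", []) if d.get("type") == "CWE"):
        vuln["cwe"] = {"id": d["cweId"], "name": d.get("description", d["cweId"])}  # CSAF 2.0 carries one cwe
    for m in cna.get("metrics", []):
        if "cvssV3_1" in m:  # the CVE cvssV3_1 object already follows the CVSS 3.1 JSON schema
            vuln.setdefault("scores", []).append({"cvss_v3": m["cvssV3_1"], "products": affected_ids})
    return {
        "document": {
            "category": "csaf_security_advisory", "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": publisher_name, "namespace": publisher_ns},
            "title": cna.get("title", cve_id),
            "tracking": {"id": cve_id, "status": "final", "version": "1",
                         "initial_release_date": meta["datePublished"],
                         "current_release_date": meta["dateUpdated"],
                         "revision_history": [{"number": "1", "date": meta["dateUpdated"],
                                               "summary": "Exported from the CVE record"}]},
        },
        "product_tree": {"full_product_names": products},
        "vulnerabilities": [vuln],
    }
```

Periodic re-export (the next item in the approach) is then a matter of re-running the conversion whenever dateUpdated changes and bumping tracking.version and revision_history accordingly.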
Expected Outcomes:
Improved standardization of CVE data across global cybersecurity frameworks.
Enhanced interoperability with third-party security platforms relying on CSAF reports.
Each of these initiatives directly supports CRA requirements by improving vulnerability tracking, ensuring data consistency, and strengthening industry-wide cybersecurity reporting. Organizations leveraging these advancements will be better equipped to meet regulatory mandates while fostering a more transparent and responsive cybersecurity ecosystem.
The proposed initiatives provide a roadmap for enhancing CVE management through automation, federation, and collaboration. Next steps include engaging relevant stakeholders, securing funding, and implementing phased rollouts to assess effectiveness.