WILMINGTON, DE / ACCESS Newswire / April 17, 2025 / In response to increasing concerns over the effectiveness of the CVE Program and the sustainability of the U.S. government's role in managing the world's largest vulnerability database, cybersecurity leaders and international stakeholders are coming together to explore a federated model for vulnerability identification. The initiative seeks to address modern security challenges, such as the shift toward hyper-automation, the dominance of open-source software, and emerging needs in cryptography, artificial intelligence, and other specialized domains, by fostering global collaboration and innovation.
The cybersecurity community faces a pivotal moment. Recent reductions in funding for MITRE's support of the CVE program have sparked widespread concern that the world's largest vulnerability database can no longer keep pace with the demands of a rapidly evolving global threat landscape. Originally designed for a time when most software was commercial and automation was in its infancy, the CVE program and the National Vulnerability Database (NVD) struggle to meet the needs of an ecosystem increasingly dominated by open-source software. In fact, by some estimates, over 90% of all modern applications rely on open-source components, and yet the CVE program often fails to capture these vulnerabilities quickly or effectively.
These challenges are compounded by emerging cybersecurity needs that extend beyond traditional software vulnerabilities. For example, a weakness in a cryptographic algorithm such as AES-128 is not a "vulnerability" in the traditional sense of a flaw in a specific product, yet it still needs to be identified and tracked; the same applies to documenting cybersecurity issues in AI systems, medical devices, and other complex domains.
In parallel, new trends in cybersecurity have highlighted the limitations of centralized authority. The international community increasingly questions whether any single government or organization can sustainably serve as the sole steward of global vulnerability information. A centralized model, while historically effective, now appears to be a single point of failure, particularly as the breadth and scope of cybersecurity threats expand.
"The shift toward a federated model reflects a growing need for a more agile, community-driven approach. By engaging an international coalition of experts and stakeholders, we can overcome the limitations of centralized systems and deliver a solution that scales with the complexity of today's software ecosystems," says Steve Springett, Chair of OWASP CycloneDX and Ecma TC54 and Vice Chair of the OWASP Global Board of Directors.
Exploring a Decentralized Model
The international cybersecurity community must come together to explore a new approach, one that evolves beyond a single, central authority. This is not about "fixing" the CVE Program or the NVD. Instead, it is a call to action to envision a decentralized model supported by an international coalition.
This model would decentralize responsibility, enabling transparent, scalable, and open sharing of cybersecurity data. It would leverage the expertise of communities already shaping best practices and standards, such as OWASP's vibrant GenAI and supply chain communities, while encouraging participation from underrepresented sectors, including medical device manufacturers and other industry groups. The goal is to create a flexible, extensible system capable of capturing not only traditional vulnerabilities but also a broader range of cybersecurity issues, all within a robust and resilient federated structure.
This initiative is in its early stages. There are no answers yet. But the growing consensus among international stakeholders is clear: we need a modernized, federated approach to cybersecurity records that reflects the complexity, diversity, and global nature of today's security challenges.
"OWASP has long been at the forefront of advancing open and transparent security standards. This initiative aligns perfectly with our mission to empower the global community to develop secure software. Together, we can redefine how vulnerability intelligence is published and consumed," states Andrew van der Stock, Executive Director of the OWASP Foundation.
Join Us in Building the Future
We are calling on governments, industry leaders, researchers, and community experts to contribute their voices, expertise, and resources. Together, we can build an alternative model that complements existing efforts, gradually replacing outdated approaches with a federated, community-driven, and international standard.
The future of cybersecurity identification depends on global collaboration. Let's build it together. Contact: cve@owasp.org
SOURCE: OWASP