All news with #cve program tag
Tue, October 14, 2025
Security Firms Clash Over CVE Credit and Disclosure
🔍 A public dispute erupted when FuzzingLabs accused Y Combinator-backed Gecko Security of copying proof-of-concepts (PoCs), resubmitting them for CVEs, and backdating blog posts to claim credit. FuzzingLabs cites two specific flaws — an Ollama token-stealing bug and a Gradio arbitrary file-copy/DoS issue — and says unique markers in its PoCs prove plagiarism. Gecko denies wrongdoing, saying its process involves direct coordination with maintainers and that overlaps were accidental; it has since updated posts to credit FuzzingLabs.
Thu, September 11, 2025
CISA Publishes Strategic Roadmap for the CVE Program
🔒 CISA has published a strategic focus document, "CVE Quality for a Cyber Secure Future," signaling federal support for the Common Vulnerabilities and Exposures (CVE) program and a shift from a growth-focused expansion to a defined Quality Era. The agency reaffirmed that the program should remain public and vendor-neutral while evaluating potential mechanisms for diversified funding and taking a more active leadership role. The roadmap prioritizes automation, strengthened CNA services and CNAs of Last Resort, expanded API support, improved CVE.org capabilities, minimum data-quality standards and federated enrichment approaches such as Vulnrichment.
Wed, September 10, 2025
CISA Outlines Strategic Vision for CVE Program Quality
🛡️ CISA released "CISA Strategic Focus: CVE Quality for a Cyber Secure Future," a roadmap that shifts the CVE Program from its Growth Era to a Quality Era emphasizing trust, responsiveness, and improved vulnerability data. The plan highlights expanded community partnerships, potential diversified government sponsorship, technological modernization, and stronger transparency and communications. It also prioritizes data quality improvements, including standardized enrichment approaches such as Vulnrichment and expanded Authorized Data Publisher capabilities.
Wed, September 10, 2025
CISA Leads CVE Program: Mandate, Mission, Momentum
🔒 CISA reaffirms federal leadership of the CVE Program, arguing that a neutral, government steward is essential to preserve trust and national security. The agency ties the program to operational initiatives such as the Known Exploited Vulnerabilities (KEV) Catalog and warns that privatization or fragmentation would erode reliability and increase risk. CISA outlines a shift from a "Growth Era" to a "Quality Era" focused on improving completeness, accuracy, timeliness, governance, and sustainable infrastructure, and invites practitioners, industry, and international partners to help shape the program's future.