LmCast :: Stay tuned in

Can a Global, Decentralized System Save CVE Data?

Recorded: Nov. 18, 2025, 10:03 p.m.

Original Summarized

As vulnerabilities in the Common Vulnerabilities and Exposures ecosystem pile up, one Black Hat Europe presenter hopes for a global, distributed alternative.

Robert Lemos, Contributing Writer. November 18, 2025. 4 Min Read.

The current challenges with tracking vulnerabilities, enriching reported data in a timely manner, and maintaining the collection of information call for a revamping of the Common Vulnerabilities and Exposures (CVE) system, according to security data analyst Jerry Gamblin.

Meanwhile, the National Vulnerability Database (NVD) — the de facto repository of data maintained by MITRE and the National Institute of Standards and Technology (NIST) — continues to lag in analyzing vulnerabilities. In the past five years, more than 155,000 identifiers have been assigned through the CVE process, but only a quarter (26%) have been analyzed and enriched with additional data, according to Gamblin's analysis, which he will present at the Black Hat Europe conference in December.

While the CVE program as a whole looks like it can weather the challenges, the community can no longer rely on the US government to maintain the data, Gamblin says.

"NIST funds the NVD with a very small budget, and their mandate is to enrich CVEs for the federal government use," he says. "They just happen to nicely make that data available for everybody in the world to use, [but that] became a single point of failure."

In April 2024, due to a funding shortfall, NIST all but stopped processing and enriching CVEs in the National Vulnerability Database, leading to a massive backlog. After additional funds were made available three months later, the group committed to resuming its work but warned that the former status quo was no longer enough.

This past March, NIST acknowledged the issues it has with keeping up with the ever-increasing pace of vulnerability disclosures, saying that while it had managed to keep up its output level, the rate of submissions had increased 32% last year.

"[T]hat prior processing rate is no longer sufficient to keep up with incoming submissions. As a result, the backlog is still growing," NIST stated in a March 19, 2025, NVD General Update. "We anticipate that the rate of submissions will continue to increase in 2025. The fact that vulnerabilities are increasing means that the NVD is more important than ever in protecting our nation's infrastructure. However, it also points to increasing challenges ahead."

A Little Help From My Friends

The challenges stem from the fact that both the number of vulnerability reports and the number of submitters — the CVE Numbering Authorities (CNAs) — have grown quickly. Currently, more than 357 CNAs exist, a huge number for a single organization to collaborate with. However, certain technology companies or government agencies could become leaders — essentially "root CNAs" — that manage the submissions from their industry or region, says Gamblin.

Other vulnerability databases, such as the EU Vulnerability Database (EUVD) managed by the European Union Agency for Cybersecurity, and regional efforts could mirror the information to add redundancy, he says.

Such decentralization of both effort and data could make the vulnerability repositories more resilient, says Gamblin, whose day job is as a principal engineer at networking giant Cisco.

Currently, the European Union Agency for Cybersecurity (ENISA) is not expanding its vulnerability reporting efforts but is working to enrich vulnerability data on its own, he says.

"At some point, you would hope that a global CVE program would import that data, and normalize it, and display both sets of records," Gamblin says. "Then, you have the data that ENISA enriched, along with the data that the CNA added, along with whoever else adds to that data, and you can see where the variance is and see how groups disagree."

Decentralize or Bust

Gamblin's plan is to promote the idea of a decentralized capability for vetting reports, enriching the data, and storing the information across the globe. He has created a number of security information sites through his independent effort, RogoLabs, including one measuring the share of vulnerabilities lacking fully enriched data — currently sitting at only 52% for 2025, according to his data analytics dashboard, CVE.icu.

The community can start by pushing companies that publish records to make them as complete as possible — that is, fully enrich the data — because they should know the data better than anyone.

In addition, the final system should have a single global unique identifier for each distinct vulnerability, Gamblin says.

"At the end of the day, I really want this to be about everybody, about keeping one central CVE standard and record format," he says. "I don't know who's going to own that — that's kind of a political issue — but at the end of the day, it's better if we have a global unique identifier."

The security researcher hopes that talking about the possibilities will prompt more of the organizations that rely on the vulnerability databases to speak up.

"This isn't to a point where I'm bringing a plan in to say, 'Here's how we should implement this, and I've thought everything out.' It's more aspirational," he says. "It's more talking about what a decentralization looks like, and here's where we can take it."

About the Author: Robert Lemos, Contributing Writer. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
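The import, normalize and compare step Gamblin describes, as an added Python example (not code from the article, RogoLabs or CVE.icu): it merges enrichment records from two constructed feeds, lists the fields on which the feeds disagree, and computes the share of records that is fully enriched once the feeds are combined. The field names, the source keys and the CVE ids are assumptions made for the example.

```python
# Fields a record needs before it counts as "fully enriched" (a simplification of
# what NVD analysis adds: severity score, weakness class, affected products).
REQUIRED_FIELDS = ("cvss_score", "cwe", "cpes")

def normalize(record: dict) -> dict:
    """Map a source-specific record onto one schema. Sources are assumed to use
    different keys (e.g. 'baseScore' vs 'cvss_score'); a field the source did
    not supply becomes None so it never counts as a disagreement later."""
    cpes = record.get("cpes", record.get("products", ()))
    return {
        "cvss_score": record.get("cvss_score", record.get("baseScore")),
        "cwe": record.get("cwe", record.get("weakness")),
        "cpes": tuple(sorted(cpes)) or None,
    }

def merge_sources(sources: dict[str, dict[str, dict]]) -> dict[str, dict]:
    """Merge per-source enrichment records keyed by CVE id, keeping each
    source's record side by side and listing the fields they disagree on."""
    merged: dict[str, dict] = {}
    for source, records in sources.items():
        for cve_id, raw in records.items():
            entry = merged.setdefault(cve_id, {"by_source": {}, "disagreements": []})
            entry["by_source"][source] = normalize(raw)
    for entry in merged.values():
        for fld in REQUIRED_FIELDS:
            seen = {r[fld] for r in entry["by_source"].values() if r[fld] is not None}
            if len(seen) > 1:  # sources supplied the field with different values
                entry["disagreements"].append(fld)
    return merged

def is_fully_enriched(entry: dict) -> bool:
    """True when every required field is supplied by at least one source."""
    return all(any(r[fld] is not None for r in entry["by_source"].values())
               for fld in REQUIRED_FIELDS)

def enrichment_share(merged: dict[str, dict]) -> float:
    """Share (0..1) of CVEs that are fully enriched once sources are combined."""
    return sum(map(is_fully_enriched, merged.values())) / len(merged) if merged else 0.0

# Constructed sample feeds; the CVE ids are placeholders, not real CVE records.
SAMPLE_SOURCES = {
    "cna": {"CVE-0000-0001": {"cvss_score": 9.8, "weakness": "CWE-787", "products": ["cpe:2.3:a:v:p:1.0"]},
            "CVE-0000-0002": {"cvss_score": 5.3}, "CVE-0000-0003": {}},
    "regional_db": {"CVE-0000-0001": {"baseScore": 8.8, "cwe": "CWE-787", "cpes": ["cpe:2.3:a:v:p:1.0"]},
                    "CVE-0000-0002": {"baseScore": 5.3, "cwe": "CWE-79", "cpes": ["cpe:2.3:a:v:q:2.0"]}},
}

if __name__ == "__main__":  # demo on the constructed feeds
    m = merge_sources(SAMPLE_SOURCES)
    print({c: e["disagreements"] for c, e in m.items()}, f"{enrichment_share(m):.0%}")
```

On the sample feeds the two sources agree on everything except the CVSS score of the first record, and the third record, which only one source knows and has not enriched, keeps the combined share below 100%.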

The current state of the Common Vulnerabilities and Exposures (CVE) system, as highlighted by security data analyst Jerry Gamblin, is facing significant challenges that demand a re-evaluation of its operational model. The CVE program, primarily managed by the National Vulnerability Database (NVD) under the auspices of the National Institute of Standards and Technology (NIST) and MITRE, is struggling to keep pace with the exponential growth in vulnerability disclosures and the efforts to enrich this data. As of November 2025, only 26% of the over 155,000 CVE identifiers assigned in the past five years have been thoroughly analyzed and enhanced with additional information, pointing to a critical backlog. This situation is exacerbated by the limited funding allocated to the NVD, which primarily focuses on enriching CVEs for federal government use, inadvertently creating a single point of failure for global vulnerability data.

The funding shortfall in April 2024, which led to a near-halt in NVD processing and enrichment, underscored the risk of relying on a single entity for this crucial function. Although additional funds were secured in July 2024, the damage was done, and a substantial backlog remains. Furthermore, the rate of submissions increased 32% last year, and projections indicate a continued rise in vulnerability disclosures, placing immense strain on the NVD's capacity. This pressure is compounded by the proliferation of CVE Numbering Authorities (CNAs)—currently exceeding 357—significantly increasing the operational burden for the NVD.

Recognizing these limitations, Gamblin advocates for a decentralized, global system for vulnerability data management. He argues that the current model, largely controlled by the US government, is no longer sufficient for the scale and complexity of the modern threat landscape. He proposes a collaborative approach involving diverse stakeholders including technology companies and government agencies, establishing “root CNAs” to manage submissions from specific sectors or regions.

This decentralization could mirror efforts by organizations like the European Union Agency for Cybersecurity (ENISA) and other regional bodies, creating redundancy and resilience. Central to this vision is the establishment of a single, globally unique identifier for each vulnerability, streamlining data management and facilitating interoperability.

The RogoLabs project, spearheaded by Gamblin, aims to demonstrate the viability of this decentralized approach. Using CVE.icu, a data analytics dashboard, the team tracks the share of vulnerabilities lacking fully enriched data – currently at 52% – highlighting the magnitude of the problem. The team’s goal is to galvanize the community to push for more complete enrichment of vulnerability records, as those publishing the records are best positioned to understand the potential impact of the vulnerabilities.

The approach is not prescriptive, but rather aspirational, focused on building a conversation around the design of a truly global and resilient CVE system. The key is to foster a collaborative environment where contributions from diverse sources are welcomed and integrated into a unified standard. This reflects a shift in perspective, moving away from a centralized, government-controlled model to one that leverages collective intelligence and distributed responsibility. Robert Lemos, contributing writer for TechTarget, emphasizes that the goal is to create a system “where everybody can contribute.”