The Growing Crisis in CVE Data Quality
Jerry Gamblin
BSidesSF 2025 — Here Be Dragons · Day 2 · Main
The CVE program is the backbone of global vulnerability management — but its data quality is deteriorating under the weight of exploding volume, underfunded enrichment, and minimal publishing requirements that allow nearly useless records to enter the system legally. Jerry Gamblin of Cisco, who runs the CVE tracking site cve.icu, diagnoses the structural failures behind the crisis and calls on the security community to demand mandatory quality fields, engage CVE working groups, and pressure CNAs to publish data that is actually usable.

---
AI review
Gamblin comes with data, not opinions: 20% of all CVEs use N/A for the product field, only a quarter of CVEs published in the last 18 months have NVD CVSS scores, NIST formally admitted it can no longer keep pace with volume, and the program nearly went dark in April 2025. This is the kind of systemic critique that only lands when the critic has actually run the numbers — and Gamblin runs cve.icu, so he has.
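The abstract and the review both turn on the same measurable gaps: placeholder product names, records with no CVSS metrics, and thin or missing classification. The following is an added example, not code from the talk or from cve.icu, showing how a defender ingesting CVE feeds could lint records for exactly those gaps before trusting them. It assumes the CVE JSON 5.x record layout (`containers.cna.affected`, `metrics`, `problemTypes`, `descriptions`, `references`); the three sample records, their `CVE-0000-*` identifiers and the `example.invalid` URLs are constructed for illustration, and the 40-character description threshold is an arbitrary choice.

```python
"""Quality lint for CVE JSON 5.x records (added example, not cve.icu code).

Flags the record defects the talk describes: placeholder vendor/product,
missing CVSS, missing CWE, thin descriptions, no references.
Field names follow the CVE JSON 5.x schema; sample records are constructed.
"""
from collections import Counter
from typing import Any

# Values CNAs commonly put in vendor/product when they have nothing to say.
PLACEHOLDERS = {"n/a", "na", "none", "unknown", "", "-"}
MIN_DESCRIPTION_CHARS = 40  # arbitrary threshold for a "thin" description


def _is_placeholder(value: Any) -> bool:
    return str(value or "").strip().lower() in PLACEHOLDERS


def lint_cve(record: dict[str, Any]) -> list[str]:
    """Return quality findings for one CVE JSON 5.x record; empty list = usable."""
    findings: list[str] = []
    cna = record.get("containers", {}).get("cna", {})

    # Affected products: an "n/a" product can never be matched to an inventory.
    affected = cna.get("affected") or []
    if not affected:
        findings.append("no affected entries")
    if any(_is_placeholder(a.get("vendor")) for a in affected):
        findings.append("placeholder vendor name")
    if any(_is_placeholder(a.get("product")) for a in affected):
        findings.append("placeholder product name")
    if affected and not any(a.get("versions") for a in affected):
        findings.append("no version information")

    # CVSS: any metrics entry carrying a cvssV* object counts as scored.
    metrics = cna.get("metrics") or []
    if not any(key.startswith("cvssV") for m in metrics for key in m):
        findings.append("no CVSS metrics")

    # CWE: at least one problemType description with a cweId.
    cwes = [d for pt in cna.get("problemTypes") or []
            for d in pt.get("descriptions") or [] if d.get("cweId")]
    if not cwes:
        findings.append("no CWE classification")

    # Description: require an English description of non-trivial length.
    english = [d.get("value", "") for d in cna.get("descriptions") or []
               if str(d.get("lang", "")).lower().startswith("en")]
    if not english or len(max(english, key=len)) < MIN_DESCRIPTION_CHARS:
        findings.append("missing or thin description")

    if not cna.get("references"):
        findings.append("no references")
    return findings


def quality_report(records: list[dict[str, Any]]) -> dict[str, int]:
    """Tally findings across a feed, plus how many records had none at all."""
    tally: Counter[str] = Counter()
    usable = 0
    for rec in records:
        found = lint_cve(rec)
        usable += not found
        tally.update(found)
    return {"records": len(records), "usable": usable, **tally}


# Constructed sample records (identifiers and URLs are placeholders).
SAMPLE_RECORDS: list[dict[str, Any]] = [
    {"cveMetadata": {"cveId": "CVE-0000-0001", "state": "PUBLISHED"}, "containers": {"cna": {
        "affected": [{"vendor": "ExampleCorp", "product": "ExampleApp",
                      "versions": [{"version": "0", "lessThan": "2.4.1",
                                    "status": "affected", "versionType": "semver"}]}],
        "descriptions": [{"lang": "en", "value": "ExampleApp before 2.4.1 allows remote "
                          "attackers to read arbitrary files via a crafted export path."}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                                   "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22",
                                            "description": "CWE-22 Path Traversal"}]}],
        "references": [{"url": "https://example.invalid/advisories/0001"}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0002", "state": "PUBLISHED"}, "containers": {"cna": {
        "affected": [{"vendor": "n/a", "product": "n/a",
                      "versions": [{"version": "n/a", "status": "affected"}]}],
        "descriptions": [{"lang": "en", "value": "Unspecified vulnerability."}],
        "references": [{"url": "https://example.invalid/advisories/0002"}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0003", "state": "PUBLISHED"}, "containers": {"cna": {
        "affected": [{"vendor": "ExampleCorp", "product": "ExampleAgent",
                      "versions": [{"version": "1.0.0", "status": "affected"}]}],
        "descriptions": [{"lang": "en", "value": "ExampleAgent 1.0.0 stores credentials in a "
                          "world-readable log file on the local host."}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM",
                                   "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}]}}},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["cveMetadata"]["cveId"], lint_cve(rec) or "OK")
    print(quality_report(SAMPLE_RECORDS))
```

Run against a real feed, the `usable` count divided by `records` is the "what fraction of this data can I actually act on" figure the talk asks CNAs to care about, and the per-finding tallies show which missing field is doing the most damage; the placeholder set and threshold should be tuned to the feed in question.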