Confusing Value with Enumeration: Studying the Use of CVEs in Academia
Moritz Schloegel
34th USENIX Security Symposium (USENIX Security '25) · Day 2 · Software Security and Usable Security
This article examines how **Common Vulnerabilities and Exposures (CVE)** identifiers are perceived and used within the academic security research community. Presented by Moritz Schloegel at USENIX Security 2025, the talk, titled "Confusing Value with Enumeration: Studying the Use of CVEs in Academia," targets a fundamental misunderstanding: a CVE ID is an enumeration identifier, not a measure of value, so holding one does not by itself signify real-world impact, independent verification, or even the existence of a genuine security vulnerability. The research, a large collaborative effort, grew out of a concern among security researchers that the academic pursuit of CVEs might be devaluing the very metric it seeks to leverage.
AI review
Schloegel does something rare and genuinely useful: turns the microscope on the academic security community itself, with hard data to back it up. 304 papers, 1,803 CVEs, manually analyzed — this is the kind of rigorous self-audit the field has needed for years and nobody wanted to do because it implicates everyone in the room.