CVE Record Format - Past, Present, and Future

CVE/FIRST VulnCon 2025 · Main Stage

This talk, presented by Chris Coffin from MITRE and MZ from F5—both co-chairs of the CVE Quality Working Group (QWG) and CVE Board members—delves into the evolution and future trajectory of the **CVE record format**. The presentation offers a comprehensive look at the current state, recent enhancements, and upcoming changes to the JSON schema that underpins how vulnerability information is ingested, stored, and displayed by the CVE Program. It highlights the critical role of the format in standardizing vulnerability data, ensuring consistency, and facilitating its consumption across the cybersecurity ecosystem.

AI review

A competent, insider-track overview of where the CVE record format has been and where it's going, delivered by two people who are actually doing the work. This is VulnCon, not DEF CON — the audience is vulnerability management practitioners, CNA operators, and toolchain builders, and for that crowd this talk has genuine utility. The CPE applicability statement changes, SemVer validation, SSVC formalization, and the deprecation process discussion are all real operational concerns. Nothing here is groundbreaking research, but it's not trying to be. The ceiling is a solid conference-track…
