CVE Unmoored: Implications of the Removal of the Technology Requirement

CVE/FIRST VulnCon 2025 · Main Stage

Jonathan Evans of GitHub's Advisory Database, a former member of MITRE's CVE team, gave a talk at VulnCon titled "CVE Unmoored: Implications of the Removal of the Technology Requirement within the CVE Rules." The presentation examined changes to the Common Vulnerabilities and Exposures (CVE) program rules, specifically the removal of the long-standing "technology requirement." This seemingly subtle change has significant ramifications: it broadens the scope of what can be assigned a **CVE ID** and introduces new complexities for both vulnerability researchers and **CNA (CVE Numbering Authority)** organizations.

AI review

Evans is one of maybe a dozen people on the planet who can speak to CVE policy evolution with genuine insider authority — a decade at MITRE on the CVE team, now curating GitHub's Advisory Database. This isn't a research talk in the exploit sense; it's a policy/standards deep-dive in its own lane, and judged there it delivers. The removal of the technology requirement is a real, consequential change that will touch every CNA, every vulnerability management program, and every organization that depends on CVE data for risk prioritization. Evans walks through the implications methodically, uses…
