Let’s Talk About Fitness for Purpose: Comparing and Contrasting the CVE List with OSV.dev
CVE/FIRST VulnCon 2025 · Main Stage
Andrew, a member of Google's open source security team, delivered a compelling talk at VulnCon, expanding on his earlier talks about the challenges of vulnerability metadata quality. His presentation, titled "Let’s Talk About Fitness for Purpose: Comparing and Contrasting the CVE List with OSV.dev," critically examines whether the Common Vulnerabilities and Exposures (CVE) program, in its current state, adequately serves the needs of modern defenders. Andrew argues that while the CVE program was groundbreaking 25 years ago, its mission statement and current implementation have not evolved enough to cope with the exponential growth in the number of published vulnerabilities, leading to significant data quality issues in the CVE List itself.
AI review
A competent, well-structured policy/infrastructure talk from someone who has clearly done the work. Andrew knows the OSV.dev codebase intimately and has credible grievances about CVE data quality. The core argument — that CVE's 25-year-old mission and voluntary compliance model can't survive the current volume of vulnerabilities — is correct and worth repeating at VulnCon specifically. But it is, fundamentally, a talk we've largely heard before. The CVE-vs-OSV comparison, the NVD backlog, the 'automation or bust' thesis — these are established positions in the vuln management discourse, not…