The Quality Imperative for CVEs: The Need For Enhancing Vulnerability Reporting Standards

CVE/FIRST VulnCon 2025 · Main Stage

In an insightful and candid presentation at VulnCon, Jerry Gamblin, a prominent figure in Cisco's Threat Detection and Response group, delivered a critical assessment of the current state of **Common Vulnerabilities and Exposures (CVE)** data quality. His talk, "The Quality Imperative for CVEs," highlighted systemic issues within the CVE program and the **National Vulnerability Database (NVD)**, emphasizing that while the data is foundational for cybersecurity, its current structure and inconsistent quality hinder its effectiveness. Gamblin's perspective is unique, stemming not from a **CVE Numbering Authority (CNA)** but from a significant consumer of CVE data, integrating it daily into Cisco's security products.

AI review

Gamblin delivers a competent, well-structured critique of CVE data quality that the community genuinely needs to hear. The talk is strongest when it gets specific — the schema documentation stats (163 keys, 60% described; 262 NVD keys, 3% described), the GitHub repo restructuring killing open-source adoption, the Vulnerogram single-maintainer dependency — these are concrete, citable problems from someone who clearly lives in this data daily. The recommendations are reasonable and actionable. But this is a practitioner advocacy talk, not original research, and the ceiling is capped by that…
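A check in the spirit of the schema documentation statistics quoted above (keys present versus keys described), as an added example that is not the talk's or the CVE program's own code: it walks a JSON Schema and reports what fraction of named keys carry a `description`. The schema embedded below is a constructed, simplified stand-in for a CVE record schema, not the real one, so its counts are illustrative only.

```python
"""Measure `description` coverage of the named keys in a JSON Schema."""


def iter_keys(node, path=""):
    """Yield (dotted_path, subschema) for every named key, recursing into
    properties, definitions/$defs, array items and allOf/anyOf/oneOf branches."""
    if not isinstance(node, dict):
        return
    for container in ("properties", "definitions", "$defs"):
        for name, sub in node.get(container, {}).items():
            child = f"{path}.{name}" if path else name
            yield child, sub
            yield from iter_keys(sub, child)
    if "items" in node:                      # array element schema keeps the parent path
        yield from iter_keys(node["items"], path)
    for branch in ("allOf", "anyOf", "oneOf"):
        for sub in node.get(branch, []):
            yield from iter_keys(sub, path)


def description_coverage(schema):
    """Return (total_keys, described_keys, paths_without_description)."""
    total = described = 0
    missing = []
    for path, sub in iter_keys(schema):
        total += 1
        if isinstance(sub, dict) and sub.get("description", "").strip():
            described += 1
        else:
            missing.append(path)
    return total, described, missing


# Constructed sample: loosely modelled on a CVE record layout, deliberately
# leaving several keys undocumented so the gap shows up in the report.
SAMPLE_SCHEMA = {
    "properties": {
        "cveMetadata": {
            "description": "Record-level metadata.",
            "properties": {
                "cveId": {"type": "string", "description": "The CVE identifier."},
                "state": {"type": "string"},
            },
        },
        "containers": {"properties": {"cna": {"properties": {"affected": {
            "type": "array",
            "items": {"properties": {
                "vendor": {"type": "string"},
                "product": {"type": "string", "description": "Product name."},
            }},
        }}}}},
    }
}

if __name__ == "__main__":
    total, described, missing = description_coverage(SAMPLE_SCHEMA)
    print(f"{described}/{total} keys described ({100 * described / total:.0f}%)")
    print("undocumented:", *missing, sep="\n  ")
```

Pointing the script at a real schema file (load it with `json.load`) gives the same kind of figure the talk cites, plus the list of keys a CNA or consumer cannot interpret from the schema alone.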
