惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

酷 壳 – CoolShell
酷 壳 – CoolShell
aimingoo的专栏
aimingoo的专栏
Microsoft Security Blog
Microsoft Security Blog
NISL@THU
NISL@THU
T
Threatpost
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs
S
Securelist
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
S
Secure Thoughts
MyScale Blog
MyScale Blog
O
OpenAI News
P
Palo Alto Networks Blog
美团技术团队
C
Cyber Attacks, Cyber Crime and Cyber Security
TaoSecurity Blog
TaoSecurity Blog
量子位
L
Lohrmann on Cybersecurity
G
GRAHAM CLULEY
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
Tailwind CSS Blog
Know Your Adversary
Know Your Adversary
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Simon Willison's Weblog
Simon Willison's Weblog
宝玉的分享
宝玉的分享
PCI Perspectives
PCI Perspectives
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tenable Blog
I
InfoQ
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Microsoft Azure Blog
Microsoft Azure Blog
Recent Announcements
Recent Announcements
S
Security @ Cisco Blogs
S
Schneier on Security
B
Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
The Cloudflare Blog
AWS News Blog
AWS News Blog
IT之家
IT之家
V
Vulnerabilities – Threatpost
The Hacker News
The Hacker News
H
Heimdal Security Blog
I
Intezer
A
Arctic Wolf
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
H
Help Net Security
W
WeLiveSecurity

OWASP

Aikido and OWASP bring agentic Code Audit to the global AppSec community | OWASP Foundation Community update regarding Richard Greenberg | OWASP Foundation OWASP Dependency-Track 5.0 Is Now Generally Available | OWASP Foundation Juice Shop v20.0.0 — a fresh squeeze of features, now with AI | OWASP Foundation Welcome to the Google Summer of Code 2026! | OWASP Foundation OWASP Foundation Unveils Its Strategic Plan for a World Without Insecure Software | OWASP Foundation The OWASP Foundation appoints Missie Lindsey as Director of Corporate Relations | OWASP Foundation Bridging the Gap in Product Lifecycle Management: How OpenEoX and CLE Work Together | OWASP Foundation Announcing the Retirement of OWASP Meetup Platform | OWASP Foundation The OWASP Foundation appoints Stacey Ebbs as Communications & Marketing Manager | OWASP Foundation OWASP Certified Secure Software Developer | OWASP Foundation GSoC 2025 Recap | OWASP Foundation OWASP Top 10 Community Survey | OWASP Foundation OWASP Elections 2025 - Become a member today! | OWASP Foundation Help Support Sherif Mansour by donating blood today! | OWASP Foundation cdxgen and CycloneDX .NET Join GitHub Secure Open Source Fund | OWASP Foundation InfoSecMap x OWASP Collaboration | OWASP Foundation OWASP x Google Summer of Code 2025 - Enabling 15 opportunities for impact | OWASP Foundation OWASP Enables AI Regulation That Works with OWASP AI Exchange | OWASP Foundation ASVS 5.0 RC1 is ready for your review! | OWASP Foundation OWASP Education and Training Committee update | OWASP Foundation Committees Advisory on Software Bill of Materials and Real-time Vulnerability Monitoring for Open-Source Software and Third-Party Dependencies | OWASP Foundation OWASP Juice Shop leadership changes & contributor recognition | OWASP Foundation Lifecycle events are part of the secure supply chain | OWASP Foundation More than a Password Day 2024 | OWASP Foundation A workaround for OWASP Foundation emails being blocked by Microsoft Office 365 | OWASP Foundation Securing React Native Mobile Apps with OWASP MAS | OWASP Foundation
OWASP Calls to Build a Unified Framework for Global Vulnerability Intelligence | OWASP Foundation
Steve Springett · 2025-04-17 · via OWASP
image

Thursday, April 17, 2025

In response to increasing concerns over the effectiveness of the CVE Program and the sustainability of the U.S. government’s role in managing the world’s largest vulnerability database, cybersecurity leaders and international stakeholders are coming together to explore a federated model for vulnerability identification. The initiative seeks to address modern security challenges—such as the shift toward hyper-automation, the dominance of open-source software, and emerging needs in cryptography, artificial intelligence, and other specialized domains—by fostering global collaboration and innovation.

The cybersecurity community faces a pivotal moment. Recent reductions in funding for MITRE’s support of the CVE program have sparked widespread concern that the world’s largest vulnerability database can no longer keep pace with the demands of a rapidly evolving global threat landscape. Originally designed for a time when most software was commercial and automation was in its infancy, the CVE program and the National Vulnerability Database (NVD) struggle to meet the needs of an ecosystem increasingly dominated by open-source software. In fact, by some estimates, over 90% of all modern applications rely on open-source components, and yet the CVE program often fails to capture these vulnerabilities quickly or effectively.

These challenges are compounded by emerging cybersecurity needs that extend beyond traditional software vulnerabilities. For example, identifying weaknesses in cryptographic algorithms such as AES-128, which are not “vulnerabilities” in the traditional sense, or documenting cybersecurity issues in AI systems, medical devices, and other complex domains.

In parallel, new trends in cybersecurity have highlighted the limitations of centralized authority. The international community increasingly questions whether any single government or organization can sustainably serve as the sole steward of global vulnerability information. A centralized model, while historically effective, now appears to be a point of weakness, particularly as the breadth and scope of cybersecurity threats expand.

“The shift toward a federated model reflects a growing need for a more agile, community-driven approach. By engaging an international coalition of experts and stakeholders, we can overcome the limitations of centralized systems and deliver a solution that scales with the complexity of today’s software ecosystems,” says Steve Springett, Chair of OWASP CycloneDX and Ecma TC54 and Vice Chair of the OWASP Global Board of Directors.

Exploring a Decentralized Model

The international cybersecurity community must come together to explore a new approach—one that evolves beyond a single, central authority. This is not about “fixing” the CVE Program or the NVD. Instead, it’s a call to action to envision a decentralized model supported by an international coalition.

This model would decentralize responsibility, enabling transparent, scalable, and open sharing of cybersecurity data. It would leverage the expertise of communities already shaping best practices and standards—such as OWASP’s vibrant GenAI and supply chain communities—while encouraging participation from underrepresented sectors, including medical device manufacturers and other industry groups. The goal is to create a flexible, extensible system capable of capturing not only traditional vulnerabilities, but also a broader range of cybersecurity issues, all within a robust and resilient federated structure.

This initiative is in its early stages. There are no answers—yet. But the growing consensus among international stakeholders is clear: we need a modernized, federated approach to cybersecurity records that reflects the complexity, diversity, and global nature of today’s security challenges.

“OWASP has long been at the forefront of advancing open and transparent security standards. This initiative aligns perfectly with our mission to empower the global community to develop secure software. Together, we can redefine how vulnerability intelligence is published and consumed,” states Andrew van der Stock, Executive Director of the OWASP Foundation.

Join Us in Building the Future

We are calling on governments, industry leaders, researchers, and community experts to contribute their voices, expertise, and resources. Together, we can build an alternative model that complements existing efforts, gradually replacing outdated approaches with a federated, community-driven, and international standard.

The future of cybersecurity identification depends on global collaboration. Let’s build it together.