VIEWS

In order to address a gap that never really existed in the first place, the Common Vulnerability Enumeration (CVE), now known as Common Vulnerabilities and Exposures, was established in 1999. David Mann and Steve Christey-Coley's white paper, "Towards a Common Enumeration of Vulnerabilities," served as the inspiration for the CVE initiative.

The paper's main point was that a "common enumeration" of vulnerabilities is necessary. But it ignored the fact that a public vulnerability database (VDB) with extensive coverage had already been in place for over a year: ISS (later purchased by IBM) had maintained a fully public VDB since August 1997, well before CVE's launch.

One set of regulations that MITRE must abide by for these contracts is Code of Federal Regulations Title 48, Federal Acquisition Regulations System, particularly section 35, "Research and Development Contracting." There is sufficient language in soliciting contracts (35.007), the evaluation for award (35.008), and, in particular, the section on FFRDCs (35.017) to contend that the CVE contract should never have been awarded.

Funding requirements for MITRE include "novel ideas," "highest competence in a specific field," "special competency," and the ability to carry out tasks that cannot be completed by "existing in-house or contractor resources." Although I am neither a lawyer nor an author of government regulations, I would contend that a layperson's reading of these points strongly suggests that CVE was not a novel idea, that its creators were no more expert than anyone else at the time, and that the need for such an effort could have been met for free or by contracting ISS at the time.

Section 35.017-4 of Title 48 mandates that the contract sponsor—in this case, the Cybersecurity and Infrastructure Security Agency (CISA)—conduct a review before extending the contract.

According to 35.017-4(c), the review should include a "consideration of alternative resources," an "assessment of the efficiency and effectiveness for ... meeting the sponsor's needs," and the requirement that the FFRDC "maintain its objectivity ... quick response capability, currency in its field of expertise." Crucially, CISA must determine whether the FFRDC is conducting a "cost-effective operation." Furthermore, according to the government-run Defense Acquisition University, an "FFRDC's performance of its tasks requires that a special relationship exist between the FFRDC and its sponsor."

The list is essentially the same as the one above, with the addition of "Adaptability — ability to respond to emerging needs of their sponsors and anticipate future critical issues." It reads like a list of all the specific ways that MITRE has failed to execute the CVE program, and why, in terms of vulnerability intelligence, it is failing the entire world.

In the past, there have been numerous instances of MITRE not being seen as objective, and that trend continues today. I think the Government Accountability Office (GAO) needs to ask two questions in light of MITRE's performance and CVE funding. First, does MITRE fulfill the prerequisites for operating a vulnerability database as an FFRDC?

Second, if better-performing contracted or commercial alternatives exist in 2026, is an FFRDC still necessary at all? Investigating "fraud, waste, abuse and mismanagement," after all, is the responsibility of the GAO.