What is CVE? 

  • Thursday, November 13, 2025
  • 10:00 AM PST | 01:00 PM EST
  • Duration: 90 Minutes
  • Speaker: Tom Alrich
  • Webinar Id: 61829
  • Live Session: $119.00 Single Attendee | $249.00 Group Attendees
  • Recorded Session: $159.00 Single Attendee | $359.00 Group Attendees
  • Combo (Live+Recorded): $249.00 Single Attendee | $549.00 Group Attendees

Overview:

Ever since there has been software, there have been software vulnerabilities – snippets of code that can unintentionally provide a “door” for an attacker to penetrate the system. However, only since the internet came into widespread use have hackers been able to exploit vulnerabilities in remote systems from the comfort of their own home, and even from the other side of the planet. Today, most cyber attacks – including devastating ransomware attacks – start with a hacker exploiting a software vulnerability in the target system.

As the number of cyber attacks grew, software researchers realized that just having a verbal description of how an attack was carried out wasn’t enough: there needed to be a centralized list of vulnerabilities, each with its own numerical identifier. In 1999, two researchers from the MITRE Corporation presented a system for cataloging vulnerabilities called “Common Vulnerabilities and Exposures” or CVE; it was based on a year and a vulnerability number within the year, for example CVE-2025-12345. 
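A small parser for the identifier scheme just described, added here as an example and not part of the course material: it extracts the year and sequence number from a CVE ID and rejects malformed ones. It encodes the CVE Program's published syntax (sequence numbers have at least four digits but no upper bound since 2014, and no IDs predate 1999); the sample advisory lines are constructed.

```python
import re
from dataclasses import dataclass

# CVE identifier grammar: "CVE-" + four-digit year + "-" + sequence number.
# The sequence number has at least four digits; since 2014 it may be longer
# (e.g. CVE-2024-123456), so a fixed \d{4} pattern is a common parsing bug.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.IGNORECASE)


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical upper-case form, zero-padded to the four-digit minimum.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse and validate one CVE identifier; raise ValueError if malformed."""
    m = CVE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CVE identifier: {text!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if year < 1999:  # the CVE Program assigned its first identifiers in 1999
        raise ValueError(f"implausible CVE year {year}")
    return CveId(year, seq)


def normalize_cve_ids(lines):
    """Pull CVE IDs out of free text (an advisory, a scanner export) and
    return (sorted unique canonical IDs, tokens that failed validation)."""
    valid, rejected = [], []
    for token in re.findall(r"cve-\S+", " ".join(lines), flags=re.IGNORECASE):
        token = token.rstrip(".,;:)")  # strip trailing punctuation from prose
        try:
            valid.append(str(parse_cve_id(token)))
        except ValueError:
            rejected.append(token)
    return sorted(set(valid)), rejected


# Constructed sample input, not taken from any real advisory.
SAMPLE_LINES = [
    "Fixed CVE-2025-12345 and cve-2024-123456.",
    "Also references CVE-2025-123 (typo in the original note).",
]
```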

In its first year of operation, about 200 CVE vulnerabilities were reported. Today, the total number of CVEs is close to 300,000, and increasing numbers of CVEs are identified every year; in 2024, about 40,000 new CVEs were reported. Identifying, describing, cataloging and distributing new and existing CVEs now requires hundreds of MITRE employees, along with volunteers from software developers and other organizations. These people are part of the “CVE Program”.

Anybody who is concerned about software vulnerabilities, or works in the field of cybersecurity in some way, should take this course.

Why You Should Attend:

Most people involved in software vulnerability management have not paid much attention to how the 300,000 CVE vulnerabilities were identified, or how they are catalogued and made available to vulnerability databases like the National Vulnerability Database (NVD).

However, on April 15, 2025, the members of the worldwide cybersecurity community were startled by a letter to the Board of an organization most of them had never heard of, CVE.org. That letter said that the next day, the MITRE Corporation, which has been running the CVE Program since it started in 1999, would have to shut the program down because their contract wouldn’t be renewed.

Fortunately, the program didn’t shut down and the contract was renewed for a year. Not only that, but it seems likely that in March of 2026, a well-funded international nonprofit organization will start funding MITRE’s contract; the program will not only continue, but thrive.

However, this incident, and the much more serious ongoing problems at the National Vulnerability Database (NVD), have convinced many people that they need to pay much more attention to what’s going on behind the curtain in the CVE Program. (There is a separate course on the NVD available in this series; unfortunately, the NVD’s problems don’t currently have a happy ending in sight.)

Areas Covered in the Session:

  • What is a software vulnerability?
  • How the CVE concept came about
  • How the CVE Program operates today
  • The role of the CVE Numbering Authorities (CNAs) in the CVE Program
  • Current issues with the CVE Program, including the question of software identifiers
  • The relationship between the CVE Program and the National Vulnerability Database (there is a separate course on the NVD available in this series)
  • The likely change of “ownership” of the CVE Program in 2026
  • Desired improvements in the CVE Program

Who Will Benefit:

  • The primary audience is people involved in vulnerability management. In some cases, an organization will have a department or group of people dedicated to vulnerability management; in other cases, the IT or Information Security department will be responsible for vulnerability management
  • Given how important software vulnerabilities are today, almost everyone in the IT department (including everyone involved in cybersecurity) should be interested in this course. Very few IT people have a good understanding about how vulnerabilities are reported and made available in vulnerability databases

Speaker Profile

Tom Alrich is an independent consultant and trainer specializing in two important topics:

  • Compliance with the rigorous NERC CIP cybersecurity standards, which apply to the control systems that monitor and operate the North American power grid. They are enforced by NERC and the Federal Energy Regulatory Commission (FERC); they carry maximum penalties of $1 million per violation. While these standards have been successful in securing the grid in the 15 years they have been in effect, they are increasingly inhibiting security by preventing many electric utilities and Independent Power Producers from utilizing cloud-based security software and services.
  • Software vulnerabilities, which “open the door” for the most successful cyber attacks. All software has vulnerabilities. These can never be eliminated, but they can be managed. However, management can only be successful if there are good data available on vulnerabilities, as well as data on the software or devices in which the vulnerabilities are found. Currently, two big US government programs are essential to providing that data: the CVE Program (run by the US Department of Homeland Security) and the National Vulnerability Database (run by the Department of Commerce). There are currently serious problems with both programs, and both are likely to undergo big changes in the coming years.