CVE Program Expands with Two New Forums for Better Security

Summary
– The CVE Program launched two new forums, the Consumer Working Group (CWG) and Researcher Working Group (RWG), to involve more stakeholders in shaping its future.
– The CVE Program, managed by MITRE and funded by CISA, faced uncertainty after its contract expired in April, but the contract was extended for 11 months.
– The CWG focuses on end-users of CVE data, aiming to gather feedback and improve usability for enterprises, security teams, and other stakeholders.
– The RWG is restricted to research and bug bounty CNAs, establishing norms and guidance for the research community under limited information-sharing rules.
– Both forums are now open for participation, with the CWG allowing broader stakeholder involvement while the RWG has stricter membership criteria.
The Common Vulnerabilities and Exposures (CVE) Program has introduced two new working groups to broaden participation and refine its approach to cybersecurity threat management. This strategic move comes as the initiative, operated by MITRE with support from CISA, navigates an extended contract period following earlier uncertainties about its continuity.
The newly formed CVE Consumer Working Group (CWG) focuses on organizations and professionals who rely on CVE data for security operations, risk assessment, and decision-making. Enterprises, government agencies, MSSPs, and software developers now have a formal channel to voice their needs and suggest improvements. According to the CVE Board, this group will evaluate how effectively the program serves real-world applications, ensuring its outputs remain practical and actionable.
Jean-Baptiste Maillet, a cybersecurity architect, highlighted the significance of this development, noting that after 25 years, end-users finally have a seat at the table. The CWG welcomes not only CVE Board members and authorized data publishers but also external stakeholders who work extensively with vulnerability data.
Alongside the CWG, the CVE Researcher Working Group (RWG) has been established to guide research-focused CVE Numbering Authorities (CNAs), including those affiliated with bug bounty programs. Operating under strict confidentiality rules (TLP:Amber), this forum will set standards for the research community while promoting broader engagement with the CVE Program. Participation is limited to approved representatives from research and bug bounty CNAs, though exceptions may be granted through member consensus.
Both groups are now accepting members, signaling a shift toward greater inclusivity in shaping the future of vulnerability disclosure and management. By empowering diverse stakeholders, the CVE Program aims to strengthen its role as a cornerstone of global cybersecurity efforts.
(Source: InfoSecurity Magazine)