When CVE Almost Vanished: A Wake-Up Call for Cybersecurity
Finding vulnerabilities is just half the battle - why patch deployment remains our Achilles' heel
If you work in IT, you've no doubt encountered the term CVE. And if you haven't, well, you might want to check your job description.
Started in 1999 (yes, it's been around that long), the Common Vulnerabilities and Exposures program provides a standard framework for vulnerability identification across the cybersecurity ecosystem. For over two decades, it has been instrumental for transparent and consistent vulnerability disclosure.
This past week, this fundamental program faced an existential crisis: its funding appeared set to expire after the U.S. government initially decided not to renew its contract with MITRE, the non-profit organization that manages the program.
Source:
[https://www.msn.com/en-gb/money/other/funding-for-the-critical-cve-security-detection-system-renewed-just-hours-before-deadline/ar-AA1D34FS](https://www.msn.com/en-gb/money/other/funding-for-the-critical-cve-security-detection-system-renewed-just-hours-before-deadline/ar-AA1D34FS)
The cybersecurity community held its collective breath until CISA stepped in with an eleventh-hour intervention, extending the contract for 11 months. At the same time, the CVE Foundation was created with the aim to secure the program's long-term future.
Source:
[https://www.theregister.com/2025/04/16/cve_program_funding_save/](https://www.theregister.com/2025/04/16/cve_program_funding_save/)
While I'll sidestep the political debate surrounding this issue, the creation of the CVE Foundation presents a crucial opportunity for the tech industry to take greater responsibility for its security ecosystem.
If we genuinely want more secure software, the industry must financially support this program and collaborate with the CVE Foundation to expand its capabilities. A robust vulnerability management system benefits everyone—from vendors to end users.
Speaking of software security, Microsoft's patching process comes to mind. Those of us of a certain vintage remember when patching was a perilous undertaking, performed only when absolutely necessary.
Today, patching has become routine, yet some old frustrations persist. Who hasn't encountered the cryptic `0xsomething` errors or the deflating "update failed to apply" message after a reboot?
I recognize that the underlying complexity exceeds what's visible to end users, and I respect the professionals working behind the scenes. However, from the perspective of IT professionals, more and clearer information about why an update failed is necessary, even if it has to sit behind a parameter that needs to be enabled by those in the know.
And while I'm airing grievances about Microsoft: will we ever get a proper management console for Azure-hosted VMs? It's a clear example of functionality sacrificed at the altar of cloud migration.