This episode was originally planned as a recap of VulnCon 2025, but recent events around the CVE program took center stage. On April 15, 2025, news broke that funding for CVE was being cut — only to be restored by CISA within 24 hours. In that short window, speculation and FUD (fear, uncertainty, and doubt) spread quickly, along with a flurry of new initiatives aiming to respond.
Ironically, I had just been discussing the future of the CVE program days before this all unfolded. Now, with the dust starting to settle, I’m sharing my thoughts on what happened, what’s broken, and why reactive responses aren’t the solution. Despite the chaos, there’s no need to panic — important conversations are happening, and I believe the future of CVE is still bright.
CVE is dead… long live CVE!
References: