The Post-NVD Era: A Call for Global CVE Decentralization

Presented at Black Hat Europe 2025 by

For decades, the National Vulnerability Database (NVD), maintained by NIST, has served as a cornerstone of vulnerability intelligence, providing crucial enrichment for Common Vulnerabilities and Exposures (CVEs). However, the NVD is grappling with an unprecedented backlog, stemming from budget cuts, an exponential surge in vulnerability disclosures, and inherent technical rigidities. This crisis has exposed its fragility and the systemic limitations of a centralized vulnerability management model: a model that leaves organizations blind to critical threats and exacerbates operational burdens. This talk argues that the current NVD crisis is a call for a fundamental paradigm shift: we must move towards global CVE decentralization now!

We meticulously dissect the NVD's failures and their far-reaching implications, then envision and advocate for a resilient, scalable, and collaborative decentralized ecosystem. By exploring pioneering models such as the Global CVE Allocation System (GCVE), the principles of Federated Search, and the potential of blockchain technology, this talk proposes a multi-faceted architectural evolution. We outline a comprehensive roadmap, detailing evolving responsibilities for software vendors, security teams, government agencies, and researchers.

The post-NVD era is not just about fixing a broken system. It is about embracing a distributed future where collective intelligence, shared responsibility, and technological innovation converge to build a more robust and trustworthy global vulnerability management framework.