CVE and CVSS: The Rotten Heart of Cybersecurity We Almost Let Die (and Maybe Should Have)
In April 2025, the global cybersecurity community came within hours of an extinction-level event — and almost nobody outside the industry even noticed. The Common Vulnerabilities and Exposures programme, better known by its familiar acronym CVE, was poised to collapse not because of some grand cyberattack, not because of sabotage, but because someone in the United States government forgot to renew a fucking contract.
Let’s be absolutely clear about the scale of what almost happened. The CVE system is not just an American asset. It is the bedrock on which almost every country, almost every corporation, and almost every incident response team on Earth has built its vulnerability tracking. Your antivirus relies on CVE IDs. Your patch management tools rely on CVE IDs. Your national CERT advisories, your threat intel reports, your SIEM dashboards — all of it — are stitched together by the brittle thread of CVE.
And the United States government, the self-appointed world sheriff of cybersecurity, came within hours of cutting that thread through sheer, brain-dead administrative negligence.
MITRE, the non-profit steward of CVE for over two decades, saw the cliff edge coming. They warned the CVE Board and federal sponsors on 15 April 2025: the funding runs out tomorrow. CISA — the Cybersecurity and Infrastructure Security Agency, supposedly the adult supervision in the room — scrambled. Only a panicked, last-minute extension saved the programme from flatlining.
It should have been a moment of shame. It should have triggered a global summit, a structural overhaul, a serious discussion about why the entire planet’s vulnerability management was tied to one contract renewal form deep inside a Washington D.C. filing cabinet. Instead, it was treated as a near-miss and quietly buried. The extension gave MITRE another 11 months. Everyone pretended this was a win. It was nothing of the sort. It was a blinking neon sign screaming that cybersecurity, as we practice it today, is a house of cards balanced on a desk in a hurricane.
But the bigger, darker truth is this: even if CVE had survived flawlessly, even if the funding had been renewed without drama, the system itself is long past its sell-by date. It is a relic of a slower, simpler internet — one that no longer exists.
CVE was born in the late 1990s, an era when vulnerabilities were catalogued in human-readable advisories, and a new critical bug every few days was enough to raise eyebrows. It made sense back then to assign static IDs to each flaw, to manage disclosures through slow, deliberate processes. The world it was built for moved at the speed of fax machines and dial-up modems.
Fast-forward to today, and vulnerabilities are emerging at industrial scale. Automated fuzzing, AI-assisted discovery, autonomous exploit frameworks — these technologies are vomiting out security flaws by the thousands every week. Threat actors do not wait for tidy, peer-reviewed CVE entries. They weaponise in hours. Sometimes minutes.
Yet the CVE process remains stubbornly, laughably manual. Researchers must submit requests for identifiers. Human editors must approve descriptions. CNAs (CVE Numbering Authorities) must reserve and allocate IDs carefully. Every step drips with bureaucracy, while the world burns faster with every passing second.
This is not a system. It’s a museum exhibit being used as a fire hose.
And even this crumbling infrastructure would be better than nothing — if not for the twin farce that is CVSS.
The Common Vulnerability Scoring System, CVSS, is one of cybersecurity’s great tragedies. Born from good intentions and killed by misuse, CVSS was meant to be a rough guide to vulnerability severity. Instead, it has become an oracle worshipped by executives and auditors, a lazy metric that replaces understanding with blind obedience.
A CVSS score, we are told, will neatly tell you how bad a vulnerability is. Anything over 7.0? Panic. Anything over 9.0? Launch the incident response team. Anything under 5.0? Go back to sleep. It is cybersecurity for people who want to manage risk without ever understanding it.
But CVSS is fundamentally broken. It captures hypothetical technical properties — attack complexity, required privileges, impact on confidentiality/integrity/availability — and crunches them into a simple 0.0 to 10.0 scale. What it does not capture, cannot capture, is real-world exploitation. It does not care if a vulnerability is being actively exploited by ransomware gangs today. It does not adjust scores when nation-state actors pivot to new techniques. It is a frozen picture in a battlefield that moves at light speed.
In 2025, a thousand vulnerabilities with a CVSS score of 5.7 could devastate your organisation, while a handful of theoretical 9.8s might never be seen in the wild. But your patching policy, your compliance audits, your risk dashboards? They all march to the CVSS drum.
We have built entire cybersecurity programmes on a scoring system that is about as reliable as predicting the weather by licking your finger and holding it to the wind.
And the kicker? The very same governments and agencies that almost let CVE die have known for years that CVSS was broken. They knew CVE was struggling under the weight of modern vulnerabilities. They knew the entire system was fragile, outdated, and increasingly detached from reality.
But instead of fixing it, they papered over the cracks. They added complexity to CVSS. They expanded the CNA programme without fixing fundamental bottlenecks. They issued glossy reports celebrating the "resilience" of vulnerability management while quietly letting the core rot away.
Meanwhile, political pressures twisted cybersecurity priorities beyond recognition. During the same months that CVE funding teetered on the brink, insiders reported that CISA and related agencies were being instructed to "ease off" public scrutiny of foreign cyber operations — particularly Russian-linked threat activity.
It is hard to overstate the cynicism of this moment. While critical vulnerability tracking nearly collapsed because of bureaucratic inertia, the very organisations tasked with defending critical infrastructure were being muzzled for political optics. Attackers were given more breathing room. Defenders were given less. And the public was given bullshit assurances that everything was fine.
You could not design a better case study in strategic self-sabotage if you tried.
The implications are terrifying. It shows that cybersecurity, far from being treated as a national security issue, is still subordinated to short-term political interests. It shows that critical infrastructure — like CVE — can be endangered by nothing more than a bad news cycle or a tight budget year. It shows that the people in charge are willing to risk global cybersecurity stability if it means avoiding a tough conversation with voters or foreign "partners."
And it shows, most of all, that our systems are built not on resilience, but on ritual. CVE exists because it has always existed. CVSS persists because it is easier to understand than actual risk assessment. We are hurtling through a threat landscape that moves at quantum speed, clinging to ancient frameworks designed for a world that barely had Wi-Fi.
The April 2025 crisis should have been the end of this farce. It should have been the moment the cybersecurity community stood up, tore the whole creaking mess down, and built something fit for the future.
We should have demanded a new CVE system: open, decentralised, cryptographically verifiable, automated where possible but auditable where necessary. We should have replaced CVSS with real-time risk scoring models that pull from live threat intelligence, adjusting severity not based on theory but on active exploitation trends.
We should have internationalised vulnerability governance so that no single government, no matter how distracted or corrupt, could ever again hold the world’s cyberdefence hostage.
Instead, we did what we always do.
We kicked the can. We extended the funding. We promised reforms that will take years, if they happen at all. We watched politicians issue bland statements about "safeguarding cyber resilience" while their own agencies gutted operational effectiveness behind closed doors.
And we went back to clinging to the illusion that if we just assign another CVE ID, if we just nudge a CVSS vector slightly, if we just paint over the rot a little thicker, the whole edifice won’t eventually come crashing down on our heads.
It will.
Because the next crisis will not give us twelve hours’ warning. The next funding lapse, the next act of political cowardice, the next global wave of exploitation, will move too fast for frantic contract extensions and PR damage control.
When that happens, there will be no hiding from the truth. The truth that we saw this coming. The truth that we had every opportunity to fix it. The truth that we chose to prioritise comfort, tradition, and politics over survival.
And when the breach reports stack up, when the economy takes another multi-billion-dollar hit, when the headlines scream about another "unforeseen" cyber catastrophe, the architects of this failure will be nowhere to be found.
They’ll have moved on, cashed out, written memoirs about "hard decisions" made under pressure.
The rest of us will be left to pick through the wreckage.
Unless we act now. Unless we finally summon the courage to tear down what is broken, to build cybersecurity’s foundations not for nostalgia, not for compliance checklists, but for the brutal realities of the world we actually live in.
The CVE and CVSS systems have served their time. They bought us twenty years of marginal sanity.
They cannot buy us twenty more.
Rip them out. Burn them down. Build better.
Before it’s too late.
| Source | Article |
|---|---|
| Reuters | US funding running out for critical cyber vulnerability database, manager says |
| The Register | CVE program gets a last-minute save, maybe a new home |
| CVE Foundation | CVE Foundation Launched to Secure the Future of the CVE Program |
| CSO Online | CVE program averts swift end after CISA executes 11-month contract extension |
| SecurityWeek | MITRE Warns CVE Program Faces Disruption Amid US Funding Uncertainty |
| Nextgov | CISA extends MITRE-backed CVE contract hours before its lapse |
| Krebs on Security | Funding Expires for Key Cyber Vulnerability Database |
| Bugcrowd (Casey Ellis) | Commentary on CVE consequences |
| LinkedIn (Peter Allor) | Peter Allor's CVE Board commentary |
| Tenable Blog | MITRE CVE Program Funding Extended For One Year |
| CSO Online | Expert commentary (Brian Martin, Sasha Romanosky, Ben Edwards) |
| Reuters | In last-minute reversal, US agency extends support for cyber vulnerability database |