
CIOs Face Unrealistic Expectations As CVE Program Faces Uncertainty
When news broke that funding for the Common Vulnerabilities and Exposures (CVE) database would expire on April 16, panic quickly spread through the infosec community. MITRE, the nonprofit that maintains the CVE program, confirmed it had secured a stopgap contract with the U.S. Department of Homeland Security—avoiding an immediate shutdown. But the scare underscored a deeper issue: the security industry's overreliance on a fragile system.
Security leaders, especially CIOs and CISOs, now face a familiar theme: diversify, build internal tools, collaborate, and spend more. But while most of these suggestions are good in theory, they fall apart operationally.
Yes, we should diversify our vulnerability intelligence beyond a single central source. But let's be clear: most commercial databases, open-source feeds, and niche vendor advisories still depend on CVE IDs as the reference point. Without CVE, those systems degrade in accuracy or usability. Even the National Vulnerability Database (NVD), managed by the National Institute of Standards and Technology (NIST), acts as a centralized database of known vulnerabilities pulled from CVE.
CISOs can't just switch feeds and expect the same coverage. Rebuilding that visibility requires money, time, and resources that many organizations lack.
Investing in internal scanners or training teams to do vulnerability research sounds empowering, but it ignores the scale of the problem. Large enterprises can afford a red team that focuses on discovering and exploiting weaknesses across an organization's systems, people, and processes before real attackers do. Most mid-sized or smaller organizations? Not so much.
Vulnerability management teams already run lean. Asking them to replicate what MITRE has done with a fraction of the budget is unrealistic. No number of certifications or workshops can replace a centralized, trusted source of vulnerability IDs and metadata.
Industry groups like ISACs (Information Sharing and Analysis Centers) can supplement knowledge but don't offer comprehensive coverage. Peer sharing is inconsistent and informal. Collaboration helps fill gaps; it doesn't replace structured vulnerability tracking at scale. And let's not pretend the average CISO or vulnerability engineer has time to manually parse peer alerts on top of everything else.
Reallocating resources means cutting from somewhere else within the team. Subscribing to new intelligence platforms and hiring analysts aren't just budgeting tasks: they divert funds from incident response or endpoint protection, which will weaken the overall security posture. Reshuffling dollars and hoping for the best is a risk.
If we have a solid baseline, tracking the effectiveness of new tools and feeds makes sense. However, with the CVE program potentially unstable, what does a security engineer compare against? Metrics lose meaning without a common framework like CVE to align definitions and scope.
The end of MITRE's CVE program isn't a crisis, but it's also not an opportunity. CVE has never been a risk assessment tool; it's a catalog. Carter Groome, CEO at First Health Advisory, said, 'The reliance on CVE can't be overstated, and as the old adage says, you can manage what you don't measure.'
CIOs and CISOs need realism, not idealism. Quick pivots and wishful strategies won't cut it. We need sustained investment in foundational infrastructure like CVE and a long-overdue rethink of how we define and communicate vulnerability data across the ecosystem.