MITRE, the cornerstone of global vulnerability tracking, announced it could go dark. For years, the field had relied on this single repository as the bedrock for tracking software vulnerabilities. What happens when that rug is pulled from beneath an entire industry?
Tal Zarfati, Architect Lead at JFrog Security, still recalls the tremor this news sent across the community.
“It caught a lot of people by surprise,” he explained in a recent conversation. “No one thinks about CVEs until you log in one day and they’re gone.”

The industry’s reliance on MITRE’s CVE database is a well-oiled machine, but one held together by funding.
“There’s an ecosystem that has evolved around MITRE and NVD [National Vulnerability Database] being the definitive source,” Zarfati explained.
But as political uncertainty and funding challenges threatened its continuity, it became clear just how precarious that reliance was. Ironically, this wasn’t even the first warning. Security professionals have long whispered about the limitations of these databases: delays, incomplete data, and a scoring system that sometimes falls short. JFrog, he points out, even began building its own enriched datasets ‘because the industry already knew depending on a single source was risky.’ So why did no one act until the threat became existential? Human nature, says Zarfati.
“We optimise for convenience, right until we’re forced to adapt.”
Security teams found themselves at a new crossroads, drawn to a patchwork of alternatives: GitHub’s Security Advisory Database, ecosystem-specific advisories from npm or PyPI, aggregators from Google and, yes, more than one vendor racing to promise ‘the next best single source.’
“It’s not overreliance anymore, it’s decision fatigue,” Zarfati says.
Most organisations, he believes, will push this burden onto vendors, expecting them to aggregate, contextualise, and prioritise vulnerability information and make the tough decisions on their behalf.
“We’re already seeing operating system vendors, database providers, everyone becoming an aggregator in their own right,” he said.
This proliferation of vulnerability sources doesn’t just confuse defenders; it creates new windows for attackers. Zarfati explains that even minor delays in vulnerability intelligence can buy adversaries time.
“Attackers are well aware of these gaps. If a vulnerability is discovered but not yet scored, attackers have a head start.”
The industry has seen this before: think back to ‘Patch Tuesday’, when attackers would race to reverse engineer Microsoft’s updates before organisations could install them. And now, with generative AI in the mix, the game is only going to get more intense. In his research, Zarfati found that the number of machine learning models had tripled in a year, and that malicious models on open platforms like Hugging Face grew significantly. The sheer noise, coupled with thousands of flagged models, means false positives abound.
“If 96% of ‘malicious’ flagged models turn out to be benign, developers will start ignoring alerts,” warns Zarfati. “That’s when attackers win.”
Vulnerability backlogs stretch for years. Triage becomes less about technical facts and more about negotiating with stakeholders who all have different KPIs: push the next feature, pass the next audit, secure the system… but never all at once.
Zarfati believes three things need to change:
1. Sharper contextualisation (so only vulnerabilities that genuinely matter hit the developer’s desk)
2. Automation for governance (so processes don’t bottleneck on red tape)
3. Giving actionable, specific feedback to developers, fast
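The aggregation and contextualisation Zarfati describes, from merging several advisory feeds into one record per vulnerability to ranking only what is actually deployed, can be sketched in a few dozen lines. The following is an added example written for this article, not JFrog’s code: the feed shapes are simplified stand-ins for NVD and GitHub Advisory records, the identifiers, packages and inventory are constructed placeholders, and the reachability and exposure weights are illustrative rather than any published standard. The one behaviour worth noting is how a record that has been published but not yet scored (the gap Zarfati says attackers exploit) is ranked on another feed’s qualitative severity and flagged, instead of silently dropping to the bottom of the list.

```python
"""Aggregate vulnerability feeds, then rank findings against the deployment.

Added example, not JFrog's code. The feed shapes are simplified stand-ins for
NVD and GitHub Advisory records (constructed here, not real API output), and
the identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass, field
from typing import Optional

# When a record has no CVSS score yet, use the lower bound of the qualitative
# label another feed assigned, so the finding is ranked rather than dropped.
SEVERITY_FLOOR = {"CRITICAL": 9.0, "HIGH": 7.0, "MODERATE": 4.0, "LOW": 0.1}

# Constructed sample feeds (placeholder IDs).
NVD_FEED = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "affected": ["pkg:pypi/alpha@1.0.0"]},
    {"id": "CVE-0000-0002", "cvss": None, "affected": ["pkg:pypi/beta@2.1.0"]},  # awaiting analysis
]
GHSA_FEED = [
    {"ghsa_id": "GHSA-0000-0000-0001", "aliases": ["CVE-0000-0001"], "severity": "CRITICAL",
     "affected": ["pkg:pypi/alpha@1.0.0"], "patched": "1.0.1"},
    {"ghsa_id": "GHSA-0000-0000-0002", "aliases": ["CVE-0000-0002"], "severity": "HIGH",
     "affected": ["pkg:pypi/beta@2.1.0"], "patched": "2.1.1"},
    {"ghsa_id": "GHSA-0000-0000-0003", "aliases": [], "severity": "MODERATE",
     "affected": ["pkg:npm/gamma@3.0.0"], "patched": None},
]

@dataclass
class Advisory:
    vuln_id: str
    sources: set = field(default_factory=set)
    aliases: set = field(default_factory=set)
    affected: set = field(default_factory=set)
    cvss: Optional[float] = None         # authoritative score, if any feed has one
    severity_hint: Optional[str] = None  # qualitative label used while unscored
    fixed_in: Optional[str] = None

def canonical_id(record_id: str, aliases) -> str:
    """Key on the CVE ID when one exists so the same bug from two feeds merges."""
    cves = sorted(a for a in [record_id, *aliases] if a.startswith("CVE-"))
    return cves[0] if cves else record_id

def merge_feeds(nvd, ghsa) -> dict:
    """Fold both feeds into one Advisory per canonical ID, keeping every source."""
    merged: dict = {}
    for r in nvd:
        adv = merged.setdefault(r["id"], Advisory(r["id"]))
        adv.sources.add("nvd")
        adv.affected.update(r["affected"])
        if r["cvss"] is not None:
            adv.cvss = r["cvss"]
    for r in ghsa:
        cid = canonical_id(r["ghsa_id"], r["aliases"])
        adv = merged.setdefault(cid, Advisory(cid))
        adv.sources.add("ghsa")
        adv.aliases.add(r["ghsa_id"])
        adv.affected.update(r["affected"])
        adv.severity_hint = adv.severity_hint or r["severity"]
        adv.fixed_in = adv.fixed_in or r["patched"]
    return merged

def prioritise(merged: dict, inventory: dict) -> list:
    """Rank only what is deployed, weighted by reachability and exposure.

    `inventory` maps package URLs to {"reachable": bool, "exposed": bool};
    the weights below are illustrative, not a published standard.
    """
    findings = []
    for adv in merged.values():
        for purl in adv.affected & set(inventory):
            ctx = inventory[purl]
            unscored = adv.cvss is None
            base = adv.cvss if not unscored else SEVERITY_FLOOR[adv.severity_hint or "LOW"]
            weight = (1.0 if ctx["reachable"] else 0.5) * (1.0 if ctx["exposed"] else 0.7)
            findings.append({
                "id": adv.vuln_id, "package": purl, "score": round(base * weight, 2),
                "unscored": unscored, "fix": adv.fixed_in, "sources": sorted(adv.sources),
            })
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Constructed deployment inventory; gamma is not installed, so it never surfaces.
INVENTORY = {
    "pkg:pypi/alpha@1.0.0": {"reachable": True, "exposed": True},
    "pkg:pypi/beta@2.1.0": {"reachable": False, "exposed": False},
}

if __name__ == "__main__":
    for f in prioritise(merge_feeds(NVD_FEED, GHSA_FEED), INVENTORY):
        flag = " (no CVSS yet; ranked on GHSA severity)" if f["unscored"] else ""
        print(f"{f['score']:>5}  {f['id']}  {f['package']}  fix={f['fix']}{flag}")
```

Two design choices carry the argument. Records are keyed on the CVE ID whenever any feed supplies one, so the same bug reported by NVD and GitHub collapses into a single finding with both sources attached rather than two alerts for the developer. And the output carries the fix version and a visible "unscored" flag, which is the difference between hitting a developer with a thousand rows and handing over one prioritised item that explains itself.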
“If I’m a developer and you hit me with a thousand vulnerabilities, I’ll push back. But if there’s one deeply explained and prioritised…it’s a different conversation.”
Still, there’s fatigue, especially in regulated environments.
“Sometimes compliance is used like a hammer to avoid technical discussion: ‘do it because the regulator says so’,” he adds.
But that just breeds resentment and inertia across the business. The future is about incentives, ownership, and making security a collaborator, not a police force. As we know, the volume of software and vulnerabilities isn’t slowing down.
“We live in the future,” he says, “but we’re still catching up when it comes to governing this new reality.”