
What the CVE Funding Scare Exposed About the State of Vulnerability Management
The CVE program is vital, but recent events are a reminder that security strategies must go far beyond known vulnerabilities.
The potential defunding of the CVE (Common Vulnerabilities and Exposures) program over the past 24 hours sparked widespread concern — and understandably so. While I was fairly confident this situation would be resolved, the reaction revealed something deeper and more unsettling about our industry.
I’ve said this before: the CVE program is incredibly valuable. It plays a central role in responsible disclosure and brings a much-needed layer of standardization to an ocean of software and hardware vulnerabilities. But if your security strategy is centered entirely around CVEs, then you likely have bigger problems to address.
CVEs Are Valuable — But They’re Not the Full Picture
There’s no denying that CVEs are important for visibility, coordination, and remediation across the industry, but they are inherently reactive: a CVE ID exists only after someone has found the flaw, reported it, and had it assigned, so anything unreported, or outside the program’s scope, has no entry. If your vulnerability management program relies solely on CVE-based scanning tools, you’re leaving massive gaps in your security posture.
A large share of real-world intrusions aren’t launched through well-known, easily scannable vulnerabilities. They’re executed through misconfigurations, exposed credentials, social engineering, or abuse of legitimate tools and techniques (“living off the land”), none of which receive a CVE ID: the CVE program catalogs flaws in specific software and hardware products, not deployment mistakes, weak identity practices, or human error. Many breaches don’t stem from a known CVE at all.
This is exactly why I’ve said before: vulnerability management today is often more reactive than proactive. And that’s a dangerous place to be, especially as threat actors continue to compress the timeline from public disclosure to mass exploitation.
The CVE program will likely be just fine, and we’re already seeing reassuring signs of stability from those close to the program. But this brief window of uncertainty should be a wake-up call.
Ask yourself this: If the CVE program disappeared tomorrow, would your organization be able to maintain a meaningful, risk-based security strategy?
If the answer is no, now is the time to adapt.
Build your approach around real-world attacker behavior, not just patch alerts. Incorporate adversary simulation, manual testing, and contextual analysis (internet exposure, proven exploitability, asset criticality, compensating controls) that reveals the vulnerabilities that actually matter to your environment. CVEs are part of the picture, but they’re not the whole frame.
The Real Work Still Lies Ahead
This is part of the reason I founded PlexTrac. The critical vulnerabilities, the ones that often lead to compromise, are most often discovered through penetration testing and adversary simulation, not passive scanning. Our mission has always been centered around the most effective way to report these vulnerabilities, consolidate them with other sources of risk, and empower prioritized remediation.
Even more important than discovery, though, is the hard, often underappreciated work of remediation. It’s the last mile, and it’s where too many programs stall.
If you’re serious about reducing risk, you can’t afford to treat vulnerability management as a checklist. It must be prioritized, contextualized, and closed out with action.
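To make the point about context and prioritization concrete, here is an added example (not PlexTrac code, and not from the original post) of a risk scoring model that ranks findings from scanners, pentests, configuration audits, and secrets scans on one scale, whether or not a CVE ID exists. The weights, the sample findings, and the “exploited in the wild” flags are constructed for illustration; in a real program the exploitation status would come from a feed such as CISA KEV and the asset context from an inventory or CMDB.

```python
"""Risk-based prioritization across CVE and non-CVE findings.

Added example for illustration. Weights and sample data are constructed,
not taken from any real scanner, feed, or product.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    title: str
    source: str                       # "scanner", "pentest", "config-audit", "secrets-scan"
    asset: str
    cve: Optional[str] = None         # None for misconfigs, logic flaws, exposed credentials
    cvss: Optional[float] = None      # only meaningful when a CVE exists
    exploited_in_wild: bool = False   # assumed to come from a KEV-style feed (constructed here)
    internet_facing: bool = False
    asset_criticality: int = 1        # 1 = low, 2 = standard, 3 = crown jewel
    compensating_control: bool = False  # e.g. WAF rule, network isolation already in place
    demonstrated_impact: Optional[str] = None  # impact proven by a tester, e.g. "domain admin"


# Constructed mapping from tester-proven impact to a 0-10 severity baseline,
# so findings that have no CVSS vector are scored rather than silently dropped.
IMPACT_BASELINE = {
    "domain admin": 10.0,
    "data exfiltration": 9.0,
    "lateral movement": 7.5,
    "info disclosure": 5.0,
}


def severity_baseline(f: Finding) -> float:
    """Technical severity on a 0-10 scale: CVSS when a CVE exists, else proven impact."""
    if f.cvss is not None:
        return f.cvss
    return IMPACT_BASELINE.get(f.demonstrated_impact or "", 4.0)


def risk_score(f: Finding) -> float:
    """Environment-aware risk score. Multipliers are illustrative weights."""
    score = severity_baseline(f)
    if f.exploited_in_wild or f.demonstrated_impact:
        score *= 1.5        # proven exploitability outranks theoretical severity
    if f.internet_facing:
        score *= 1.3        # reachable by anyone, not just an insider
    score *= {1: 0.8, 2: 1.0, 3: 1.4}[f.asset_criticality]
    if f.compensating_control:
        score *= 0.6        # mitigated, but not fixed: still tracked, just lower
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first, regardless of which tool produced the finding."""
    return sorted(findings, key=risk_score, reverse=True)


def ranked_titles(findings: List[Finding]) -> List[str]:
    return [f.title for f in prioritize(findings)]


# Constructed sample findings mixing CVE and non-CVE sources.
SAMPLE_FINDINGS = [
    Finding("Critical CVE on internal jump box", "scanner", "jump01",
            cve="CVE-XXXX-0001", cvss=9.8, asset_criticality=2),
    Finding("Credentials in CI logs lead to domain admin", "pentest", "ci-runner",
            demonstrated_impact="domain admin", asset_criticality=3),
    Finding("Public storage bucket with customer data", "config-audit", "bucket-prod",
            internet_facing=True, asset_criticality=3,
            demonstrated_impact="data exfiltration"),
    Finding("Known-exploited CVE on VPN gateway", "scanner", "vpn01",
            cve="CVE-XXXX-0002", cvss=7.2, exploited_in_wild=True,
            internet_facing=True, asset_criticality=2),
    Finding("Critical CVE on isolated dev box", "scanner", "dev07",
            cve="CVE-XXXX-0003", cvss=9.1, asset_criticality=1,
            compensating_control=True),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.source:13s} {f.cve or '(no CVE)':14s} {f.title}")
```

With these weights the two highest-ranked items are the ones no CVE scanner would ever report (the exposed bucket and the leaked CI credentials), while the 9.8 CVSS finding on an internal host and the mitigated 9.1 on a dev box fall below a lower-scored CVE that is internet-facing and actively exploited. The exact numbers matter less than the shape: exposure, proven exploitability, and asset value move findings far more than the presence or absence of an identifier.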
