Last week, Mitre’s Common Vulnerabilities and Exposures (CVE) Program nearly faced closure during a major shakeup in the U.S. government. Amid this uncertainty, they have named Armis, a specialist in cyber exposure management, as a CVE Numbering Authority (CNA). This allows Armis to review and assign CVE identifiers to new vulnerabilities, which aligns with the program’s goal of identifying and cataloging security issues.
Nadir Izrael, Armis’s CTO and co-founder, emphasizes their mission: “We’re focused on providing real security before an attack happens, not just reacting afterward. It’s our responsibility to raise awareness and action in cybersecurity across industries. This is crucial for tackling the whole lifecycle of cyber threats.”
Mitre collaborates with 450 CNAs globally, nearly 250 of which are in the U.S., along with 12 in the UK. The roster includes major tech companies like Amazon, Apple, Google, Meta, and Microsoft, as well as various suppliers, government bodies, and computer emergency response teams. Participation is voluntary, and these organizations agree to have a public vulnerability disclosure policy, a public source for new disclosures, and to abide by the program’s terms.
By taking part, these organizations can show a mature approach to vulnerabilities, provide valuable information to customers, control the CVE release process for their vulnerabilities, assign CVE IDs independently, and streamline the reporting process.
However, Armis’s inclusion comes amid concerns for the CVE Program’s future, given its near cancellation. Experts have claimed that the management of CVEs needs a significant overhaul. Joe Silva, CEO of risk management firm Spektion, pointed out, “CVE-based vulnerability management can’t be the foundation of effective security. It’s a lagging indicator supported by a program with unreliable funding.” He further stressed the need for a focus on identifying real exploit paths in real time rather than merely cataloging potential vulnerabilities.
Additionally, Armis is enhancing its vulnerability management by making its proprietary Vulnerability Intelligence Database (VID) freely available. This community-driven database, developed by the Armis Labs unit, provides early warning services and asset intelligence. It continually gathers crowdsourced data to help organizations prioritize emerging vulnerabilities and strengthen their defenses before issues escalate.
Izrael highlighted the importance of a proactive approach: “As cyberattacks grow more sophisticated, it’s essential to reduce risk. The Armis Vulnerability Intelligence Database offers a vital, accessible resource crafted by the security community for the community. It turns vulnerability data into real-world impact, letting businesses adapt quickly and make informed decisions against cyber threats.”
Research shows that 58% of cyber attack victims only respond after damage occurs, and almost a quarter of IT decision-makers recognize a lack of ongoing assessments as a significant security gap.
