Packet Protector

PP084: Inside the CVE Process With Cisco (Sponsored)

Oct 30, 2025
Osman Hashmi, a Principal Engineer at Cisco, Joe Malcolm, the CISO for Infrastructure Engineering, and Marco Cassini, an Incident Manager at Cisco's PSIRT, dive into the complexities of the CVE process. They discuss how key organizations like MITRE and NVD contribute to CVE management, explore the role of NVD in scoring vulnerabilities, and unpack the importance of Cisco’s CNA role. Additionally, they touch on responsible disclosure practices, the impact of customer collaboration on validation, and how AI is being integrated into security workflows.
INSIGHT

CVE Ecosystem Roles

  • MITRE maintains the CVE list and provides impartial guidance while NVD enriches CVEs with attributes like CWEs and CVSS.
  • Cisco uses NVD data plus its CNA role to assess and prioritize vulnerabilities across products.
INSIGHT

CVE As The Universal Identifier

  • CVE identifiers serve as a de facto universal language for vulnerabilities worldwide.
  • Europe may create parallel identifiers, but the industry still relies on a single CVE per issue.
INSIGHT

NVD Is The Trusted Enrichment Source

  • NVD (run by NIST) assigns CVSS scores and enriches CVEs with CWE and CPE metadata.
  • Organizations use NVD enrichment as a trusted automation input for vulnerability lifecycle and impact analysis.
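The insight above describes NVD enrichment (CVSS, CWE and CPE metadata) as an automation input for impact analysis. The following added example, which is not code from the podcast, Cisco or NVD, shows what that automation typically does: parse one NVD record, pull out the score, weaknesses and vulnerable CPE ranges, match them against a local asset inventory, and derive a remediation bucket. Assumptions: the record follows the field names of the public NVD API 2.0 JSON schema, the CVE id, score, vendor, product and versions in the sample are constructed placeholders, versions are dotted numeric strings, and the P1/P2/P3 policy is an illustrative local rule.

```python
"""Consume NVD enrichment (CVSS, CWE, CPE) for one CVE and match it against an inventory."""
import json

# Constructed sample shaped like one NVD API 2.0 "vulnerabilities" entry.
# Assumption: field names follow the public NVD 2.0 schema; every value below is made up.
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [{
        "cve": {
            "id": "CVE-0000-00000",  # placeholder id, not a real CVE
            "metrics": {
                "cvssMetricV31": [{
                    "source": "nvd@nist.gov",
                    "type": "Primary",
                    "cvssData": {
                        "baseScore": 9.8,
                        "baseSeverity": "CRITICAL",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                    },
                }]
            },
            "weaknesses": [{
                "source": "nvd@nist.gov", "type": "Primary",
                "description": [{"lang": "en", "value": "CWE-787"}],
            }],
            "configurations": [{
                "nodes": [{"operator": "OR", "negate": False, "cpeMatch": [{
                    "vulnerable": True,
                    "criteria": "cpe:2.3:o:examplevendor:exampleos:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "1.0",
                    "versionEndExcluding": "1.4",
                }]}]
            }],
        }
    }]
})


def parse_enrichment(entry):
    """Flatten the NVD-added attributes of one vulnerabilities[] entry into a plain dict."""
    cve = entry["cve"]
    out = {"id": cve["id"], "score": None, "severity": None, "vector": None,
           "cwes": [], "cpe_matches": []}
    # Prefer the Primary (NVD) CVSS v3.1 metric when several sources scored the CVE.
    for metric in cve.get("metrics", {}).get("cvssMetricV31", []):
        data = metric["cvssData"]
        if out["score"] is None or metric.get("type") == "Primary":
            out["score"], out["severity"] = data["baseScore"], data["baseSeverity"]
            out["vector"] = data["vectorString"]
    for weakness in cve.get("weaknesses", []):
        for desc in weakness.get("description", []):
            value = desc.get("value", "")
            if value.startswith("CWE-") and value not in out["cwes"]:
                out["cwes"].append(value)
    # Keep only CPE matches NVD marked as vulnerable (non-vulnerable ones describe context).
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            out["cpe_matches"].extend(m for m in node.get("cpeMatch", []) if m.get("vulnerable"))
    return out


def _ver(v):
    # Simplification (assumption): dotted numeric versions only, e.g. "1.4.2".
    return tuple(int(p) for p in v.split("."))


def _version_matches(version, match):
    """Apply the CPE version field or the NVD versionStart/End range bounds."""
    cpe_version = match["criteria"].split(":")[5]
    if cpe_version != "*":
        return cpe_version == version
    v = _ver(version)
    if "versionStartIncluding" in match and v < _ver(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= _ver(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > _ver(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= _ver(match["versionEndExcluding"]):
        return False
    return True


def affected_assets(enrichment, inventory):
    """Return (vendor, product, version) tuples from inventory inside a vulnerable CPE match."""
    hits = []
    for vendor, product, version in inventory:
        for match in enrichment["cpe_matches"]:
            fields = match["criteria"].split(":")  # cpe:2.3:part:vendor:product:version:...
            if fields[3] == vendor and fields[4] == product and _version_matches(version, match):
                hits.append((vendor, product, version))
                break
    return hits


def priority(enrichment, hits):
    """Illustrative local policy (assumption): NVD severity plus actual exposure decide the bucket."""
    if not hits:
        return "P3"  # not present in the estate: track, no remediation ticket
    if enrichment["severity"] in ("CRITICAL", "HIGH"):
        return "P1"
    return "P2"


if __name__ == "__main__":
    record = json.loads(SAMPLE_NVD_JSON)["vulnerabilities"][0]
    enriched = parse_enrichment(record)
    inventory = [("examplevendor", "exampleos", "1.2"), ("examplevendor", "exampleos", "1.4")]
    found = affected_assets(enriched, inventory)
    print(enriched["id"], enriched["severity"], enriched["cwes"], found, priority(enriched, found))
```

The point of the split between `parse_enrichment` and `priority` is the one the episode makes: NVD supplies trusted, uniform attributes, but a score alone is not a priority; the local inventory match is what turns a CVSS 9.8 into a ticket or into a watch-list item.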