My resignation from CVE


During my recent vacation, and after a lot of thought, it became clear
that the time has come to formally announce my resignation from
day-to-day participation in the CVE project.  For CVE to move forward,
it is best to leave it up to the current CVE team to drive the project
into the next stage.

Effective today, I resign my position as technical lead, CVE Editor,
and chair of the CVE Editorial Board.  I will no longer be
contributing to CVE content production, the CVE-Assign role,
recruitment and management of CNAs, engagement with the CVE Editorial
Board, or "evangelism" with the general public on CVE-specific topics.
I will continue to privately support CVE team members in a more
limited context - as they wish - and to ensure a smooth transition,
which is already well under way.  I also plan to continue to
participate in discussions with the Board, albeit in an unofficial

I hope that people will allow me some reflection on what is a pivotal
event in my career, after almost 17 years of daily dedication and
loyalty to this project.

In the coming years, there will be many exciting opportunities and
challenges that are well-suited to my somewhat-entrepreneurial nature.
I'm thrilled about the chance to collaborate again with my mentors Bob
Martin, Penny Chase, and Margie Zuk.  My current work in CWE and
healthcare will continue, and it is likely to expand into other
industry verticals with emerging cybersecurity challenges.  I also
plan to investigate what "CVE" would mean in other industry verticals
and emerging technical domains, and/or in other global regions.  I'll
even be drawing from my experience in my old AI days of the early

Even as my work evolves, I intend to continue to advocate for and
support the development of the next generation of vulnerability
researchers; to build that ever-elusive theoretical framework for
precisely understanding vulnerabilities, weaknesses, and their root
causes; and to help "InfoSec" mature as an industry, including
embracing people with non-traditional or non-technical roles that are
critical to the industry's maturation.  I will also seek to encourage
diversity (in all its forms) within this industry; I believe that
InfoSec has great potential for positive change, because we've all
been outsiders in one way or another.  And there will always be
disclosure, because at some point, all too late, you realize that you
didn't choose disclosure - disclosure chose you.  Finally, rest
assured that no matter what form it takes, I can't ever give up the

Since Day 1, CVE has been a collaborative effort.  In that spirit, I'd
especially like to thank my fellow CVE co-founder David Mann, whose
passion, principles, and far-forward, out-of-the-box thinking are as
impressive to witness in retrospect as it was frustrating to
experience first-hand at the time ;-) I've since learned to believe
David even when I don't understand him.  Also, I owe a great debt to
Margie Zuk, the third member of the original CVE triad, whose
contributions to CVE have gone woefully unrecognized; whose unique
combination of unmitigated optimism, realistic pessimism, and patience
kept the project moving forward through some tough times; whose
ability to forecast long-term opportunities and trends is a wonder to
behold; and whose original admonition to "keep the faith" back in
spring 1999 has served me countless ways over the years.  I'm proud
and honored to consider David and Margie as my mentors of the finest

On a broader scale, my humblest thanks and appreciation go to the
hundreds of people in the entire CVE community, with whom I've had the
pleasure of working: the ever-changing members of the CVE content
team, each of whom has brought their own perspective and skills, and
left their own mark; numerous MITRE employees, from senior management
who supported the idea and took a risk in CVE's founding years, to the
specialists from other disciplines who contributed their expertise to
improve our processes, to the admin support who helped everything run
smoothly; the members of the CVE Editorial Board, who taught me to
think more comprehensively about the many different perspectives
surrounding vulnerability management, and whose endorsement of CVE
gave it the legitimacy to effect positive change in the industry;
independent and hobbyist researchers, whose contributions to the
industry's body of knowledge and my own intellectual growth have been
consistently underestimated; and countless other people I've talked to
by email, at conferences, or on social media.

While I've been far from perfect, I hope that I've been able to serve
the CVE community with technical excellence, empathy, respect,
balance, sincerity, honesty, and transparency.  I hope I've been able
to successfully listen carefully to, understand, and (when necessary)
represent the myriad perspectives of this community, especially when
hard decisions were necessary.

Finally, my best wishes go to the CVE Team, the Board, and the CVE
community in these interesting times for the entire information
security industry, for which CVE has sometimes been an accidental,
unavoidable reflection.  It won't be an easy job, especially in this
time of transition, but I'm looking forward to seeing what you can do!
You have my confidence and my full support.

Perhaps it's appropriate to end this post with the following
H.L. Mencken quote, which neatly summarizes and reflects the
deceptively simple nature of CVE's surprisingly convoluted history and

   "There is always a well-known solution to every human problem -
    neat, plausible, and wrong."

Warmest regards,

Steve Christey Coley
Principal INFOSEC Engineer
The MITRE Corporation

