
2025-10-21
In this episode of #KEYMASTER, Sven Rajala, International PKI Man of Mystery, sits down with cybersecurity expert Olle Johansson to unpack the current state of CVEs (Common Vulnerabilities and Exposures) and the growing gaps in vulnerability tracking. They explore the limitations of today’s SBOM (Software Bill of Materials) tooling, the challenges with mapping software components to known CVEs, and the downstream impact on defenders and product makers, especially in light of upcoming legislation like the EU Cyber Resilience Act.
Olle highlights a concerning lack of completeness in the National Vulnerability Database (NVD), where vital fields like component names and severity scores are missing from the majority of CVEs. This undermines defenders’ ability to accurately detect and respond to known vulnerabilities in their software stacks. He explains how commercial tools and fragmented databases are attempting to fill the gap, but warns that most users are still flying blind.
The conversation moves into trust and the future: Olle advocates for a globally governed, open, and digitally signed CVE data ecosystem. Drawing from his PKI experience, he outlines a vision where CVEs and their metadata are cryptographically signed by vendors, researchers, and trusted entities, providing traceability and integrity across the chain of vulnerability intelligence.
#KEYMASTER episode mentioned in video: The Rise of Software Bill of Materials (SBOMs) – A Growing Necessity
If you are relying on CVE data to protect your infrastructure, you are currently working with incomplete intelligence. The ecosystem is fragmented, and the official public databases are not keeping up. This is not just an inconvenience; it is a security risk. Without accurate matching between SBOM components and CVE records, you cannot confidently assess exposure or ensure compliance with modern regulations like the CRA.
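As an added illustration (not code from the episode, from KEYMASTER, or from any of Olle's projects), the Python script below shows concretely why the incompleteness described above blocks SBOM-to-CVE matching. It loads a constructed CycloneDX fragment and three constructed CVE JSON 5.x records with placeholder IDs (CVE-0000-0001 to CVE-0000-0003, not real CVEs), matches components by product name and version range, and separately reports records whose affected-product, version or CVSS fields are absent or filled with "n/a", as the conversation says is common. The field names follow the CVE JSON 5.x and CycloneDX schemas; the version comparison is a deliberately naive numeric-tuple compare, and that simplification is an assumption, since real tooling needs the ecosystem-specific version semantics implied by the purl type.

```python
"""Match CycloneDX components against CVE JSON 5.x records and report the
records whose missing metadata makes matching or triage impossible.
Added example; all inputs below are constructed, not real SBOM or CVE data."""
import json

# Constructed CycloneDX 1.5 fragment (not a real product SBOM).
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
   {"type": "library", "name": "libexample", "version": "2.3.1",
    "purl": "pkg:generic/libexample@2.3.1"},
   {"type": "library", "name": "jsonparse", "version": "1.0.4",
    "purl": "pkg:generic/jsonparse@1.0.4"}]}
"""

# Constructed CVE JSON 5.x records with placeholder IDs (year 0000 cannot be real).
# 0001: complete. 0002: the "n/a everywhere" pattern. 0003: product but no CVSS.
CVE_JSON = """
[{"cveMetadata": {"cveId": "CVE-0000-0001"},
  "containers": {"cna": {
    "affected": [{"vendor": "example", "product": "libexample",
      "versions": [{"version": "0", "status": "affected",
                    "lessThan": "2.4.0", "versionType": "semver"}]}],
    "metrics": [{"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
 {"cveMetadata": {"cveId": "CVE-0000-0002"},
  "containers": {"cna": {
    "affected": [{"vendor": "n/a", "product": "n/a",
      "versions": [{"version": "n/a", "status": "affected"}]}]}}},
 {"cveMetadata": {"cveId": "CVE-0000-0003"},
  "containers": {"cna": {
    "affected": [{"vendor": "example", "product": "jsonparse",
      "versions": [{"version": "1.0.4", "status": "affected"}]}]}}}]
"""

# Values that occur in real records but carry no information for matching.
PLACEHOLDER = {"", "n/a", "unknown", "unspecified"}
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")


def parse_version(v):
    """Naive numeric-tuple version (assumption: real matchers need purl-type-aware
    semantics, e.g. Debian epochs or semver pre-release ordering)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def audit_cve(record):
    """Return the list of metadata gaps that stop matching or severity triage."""
    cna = record.get("containers", {}).get("cna", {})
    affected = cna.get("affected") or []
    problems = []
    if not any(a.get("product", "").lower() not in PLACEHOLDER for a in affected):
        problems.append("no usable product name")
    if not any(v.get("version", "").lower() not in PLACEHOLDER
               for a in affected for v in a.get("versions", [])):
        problems.append("no usable version data")
    if not any("baseScore" in m.get(k, {})
               for m in cna.get("metrics", []) for k in CVSS_KEYS):
        problems.append("no CVSS score")
    return problems


def is_affected(component_version, affected_entries):
    """Evaluate CVE 5.x 'versions' ranges (exact, lessThan, lessThanOrEqual)."""
    cv = parse_version(component_version)
    for entry in affected_entries:
        for vr in entry.get("versions", []):
            start = vr.get("version", "")
            if vr.get("status") != "affected" or start.lower() in PLACEHOLDER:
                continue
            lo = parse_version(start)
            if "lessThan" in vr and lo <= cv < parse_version(vr["lessThan"]):
                return True
            if "lessThanOrEqual" in vr and lo <= cv <= parse_version(vr["lessThanOrEqual"]):
                return True
            if "lessThan" not in vr and "lessThanOrEqual" not in vr and lo == cv:
                return True
    return False


def match_sbom(sbom, cves):
    """Split records into matches, unmatchable (no product/version) and incomplete."""
    result = {"matches": [], "unmatchable": {}, "incomplete": {}}
    for rec in cves:
        cve_id = rec["cveMetadata"]["cveId"]
        problems = audit_cve(rec)
        if "no usable product name" in problems or "no usable version data" in problems:
            result["unmatchable"][cve_id] = problems  # cannot be tied to any SBOM entry
            continue
        if problems:
            result["incomplete"][cve_id] = problems  # matchable, but cannot be prioritised
        affected = rec["containers"]["cna"]["affected"]
        for comp in sbom["components"]:
            entries = [a for a in affected
                       if a.get("product", "").lower() == comp["name"].lower()]
            if entries and is_affected(comp["version"], entries):
                result["matches"].append((cve_id, comp["purl"]))
    return result


def run():
    return match_sbom(json.loads(SBOM_JSON), json.loads(CVE_JSON))


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Against these inputs the script matches the two well-formed records to their components, but CVE-0000-0002 lands in `unmatchable` because every affected field is "n/a": a scanner driven only by the record can never connect it to a component, which is exactly the blind spot the episode describes. CVE-0000-0003 matches but is flagged `incomplete` for lacking a CVSS score, so it can be found but not prioritised without a secondary data source.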
The path forward is not just about more data; it is about trusted data. A digitally signed, globally accessible CVE system is not just a nice-to-have; it is a critical next step to restore visibility and build defensible systems. Until then, defenders must recognize the limitations of today's CVE data and push for transparent, verifiable, and vendor-backed disclosures.
Olle E. Johansson is an experienced and well-regarded speaker, teacher, open-source developer and consultant. He is currently project lead for OWASP Project Koala, which is developing the Transparency Exchange API (TEA); a member of the CycloneDX industry working group and of the OWASP SBOM Forum; co-founder of SBOMEurope.eu; and a leader of the DNS TAPIR open source project.
While not trying to save the world with SBOMs, he is helping clients on their journey towards CRA compliance as a consultant at his company, Edvina AB. Once a year, he organises the Nordic Software Security Summit conference in Stockholm, Sweden. Olle has been a core developer of Asterisk - the Open Source PBX, part of the core team in Kamailio.org, and is currently also a member of the team that tries to put some new energy into SoftHSM.org.

