Chapter Five

The CVE Died, and ADP Is the Death Rattle

A 1999 filing cabinet that refuses to admit 1999 is over.

The mean time from a CVE being published to it being exploited is now negative. Mandiant’s M-Trends 2026 puts it near negative seven days. CrowdStrike finds that 42 percent of exploited vulnerabilities are hit before they are public. Read that plainly. The exploit arrives before the advisory. The catalog is a lagging indicator of an event that has already happened to you. A system whose entire reason to exist is “time from publish to exploit” becomes incoherent the moment that number drops below zero.

The CVE is 1999 thinking, and it refuses to admit 1999 is over. It was built to enumerate memory bugs in libraries for a world where disclosure came first, defenders had months, and the threat was a typed advisory you could plan a maintenance window around. That world is dead. We kept the filing cabinet and started calling it ground truth.

The defense offered for all of this is money. The program is underfunded, the federal appropriation is uncertain, what do you expect. It is a strawman, and the evidence against it sits everywhere you are not supposed to look. We have example after example, surrounding the program on every side, of what good looks like at a fraction of the ceremony: feeds that enrich in hours, identifiers that treat malware as real, communities that score and correct in the open. The program does not lack proof that better is possible. It declines to acknowledge the proof exists, because pretending the evidence was never published is easier than the work of changing in light of it. Underfunding is the alibi. Dogma is the cause.

Look at the body on the floor. NVD stopped enriching at the old pace, shifted to a triage model, and shelved tens of thousands of CVEs as “not scheduled,” promising to score only the fraction that touches a federal list. The record could no longer stand on its own, so the program bolted on ADP, the Authorized Data Publishers, to let other people add back the severity, the exploit status, and the KEV linkage the catalog had abandoned. That is not a sign of health. It is life support administered by strangers. ADP is the death rattle. The patient cannot breathe on its own, so volunteers take turns squeezing the bag and we are all asked to admire the chest rising.

The catalog is not even pointed at the threat. In 2025 the open-source world logged roughly four times as many malicious packages as CVEs, something near 190,000 pieces of malware against 48,000 CVEs, and almost none of the malware was ever assigned a CVE. A CVE for malware is exceptionally rare. The worm infections will not all be numbered; the registries said so outright. The poisoned packages get a GHSA malware identifier, not a CVE, and may never get one. The thing actually landing on developer laptops and CI runners is invisible to the ledger everyone treats as canon.

GHSA is younger, grows faster, and once you count malware advisories its corpus has already passed CVE, with little crossover, because GHSA records what CVE will not. It treats malware as a first-class object with its own identifier. GHSA is, in structure, the takedown queue for what is happening right now. CVE is a memorial to what happened in a calmer decade.

Exploits tell the same story. A working SYSTEM-level exploit drops on a fully patched machine, and there is no CVE, no advisory, no patch. Why? Because the program hands the vendor the pen. The CNA is the vendor, and the vendor decides whether the flaw in its own product is allowed to have a number.

The party most embarrassed by the bug holds the veto over whether defenders are even permitted to know it officially exists.

Call it what it is. A right of first refusal, written into the process, favoring whoever wants to avoid embarrassment over everyone who wants to be safe. A vendor can revoke a researcher’s account, threaten legal action, and decline the CVE, and the exploit still runs on your machine tonight. The catalog says you are fine. You are owned.

So stop genuflecting to a 1999 ledger that records what is convenient for vendors and omits what is killing you. The demand here is as plain as the last one. Track the malware. Number it, score it, share it, and treat it as the first-class threat it is, at the speed it is actually moving, which is faster than any committee will ever convene.