The US federal government is rethinking how to support its globally adopted vulnerability tracking ecosystem after years of backlogs, funding scares, and growing doubts about whether the existing model can scale as vulnerability disclosures continue to accelerate. At the center of that ecosystem, there are two distinct but interdependent components. The Common Vulnerabilities and Exposures program, operated by Mitre, assigns standardized identifiers to software flaws. The National Vulnerabili
