Decentralized Vulnerability Disclosure via Permissioned Blockchain: A Secure, Transparent Alternative to Centralized CVE Management
Novruz Amirov, Kemal Bicakci

TL;DR
This paper introduces a blockchain-based decentralized system for CVE publication, enhancing transparency, trust, and control over vulnerability disclosures compared to traditional centralized models.
Contribution
It presents a novel permissioned blockchain architecture with smart contracts for secure, transparent, and decentralized vulnerability disclosure management.
Findings
Prototype implementation with Hyperledger Fabric demonstrates feasibility.
System improves transparency and trust in vulnerability disclosures.
Supports embargoed disclosures and decentralized governance.
Abstract
This paper proposes a decentralized, blockchain-based system for the publication of Common Vulnerabilities and Exposures (CVEs), aiming to mitigate the limitations of the current centralized model primarily overseen by MITRE. The proposed architecture leverages a permissioned blockchain, wherein only authenticated CVE Numbering Authorities (CNAs) are authorized to submit entries. This ensures controlled write access while preserving public transparency. By incorporating smart contracts, the system supports key features such as embargoed disclosures and decentralized governance. We evaluate the proposed model in comparison with existing practices, highlighting its advantages in transparency, trust decentralization, and auditability. A prototype implementation using Hyperledger Fabric is presented to demonstrate the feasibility of the approach, along with a discussion of its implications…
