It’s hard to see the bad faith use of this domain.
A National Arbitration Forum panelist has awarded The MITRE Corporation the domain name CVE.org in a cybersquatting dispute.
Finding in MITRE’s favor was the easy decision for panelist Ho Hyun Nahm, Esq. to make. MITRE is a respected organization and its Common Vulnerabilities and Exposures (CVE) service is run in conjunction with the U.S. Department of Homeland Security and Cybersecurity and Infrastructure Security Agency (CISA). The domain name owner also didn’t respond to the dispute.
So it was the easy decision, but I’m not sure it was the right decision.
MITRE argued that the domain is currently owned by either:
1. Someone associated with the dissolved non-profit organization CVE, Inc. but under inaccurate Whois information OR
2. A person who acquired the domain name after the non-profit dissolved.
If it’s the first case, the domain wasn’t registered in bad faith. If it’s the second, then it could have been registered in bad faith. We don’t know for sure because the domain owner didn’t respond, but I think it’s the second case based on a review of historical Whois records.
Given the second case and the non-response, there’s still a legitimate question of if this domain was registered and used in bad faith. The domain isn’t active, but MITRE argues:
Respondent registered and uses the disputed domain name in bad faith. Respondent either is affiliated with the inactive organization CVE, Inc. and provided false registration information on WHOIS, or Respondent is not affiliated with CVE, Inc. and uses the disputed domain name to create confusion and disrupt Complainant’s business for Respondent’s commercial gain. Respondent’s registration and use of the domain name is also in bad faith because it prevents Complainant from registering its mark as a domain name. Further, Respondent disrupts Complainant’s business because Respondent’s inactive website creates an impression that Complainant does not exist, or it may redirect Complainant’s consumers away from Complainant’s CVE product. Complainant asserts that Respondent presumably gains commercially from this practice. Respondent acquired the disputed domain name with actual knowledge of Complainant’s rights in the CVE mark.
If the domain owner used the domain to offer a security product or a parked page with security ads, there would be evidence of bad faith.
But not using the domain? I don’t see it. Also, what evidence is there that the domain owner “presumably gains commercially” from making the domain inactive? I’d argue the registrant presumably does not gain commercially from this.
Admittedly, CVE seems to be most commonly associated with MITRE’s CVE. Most Google results on the first page are for the program.
However, I find it difficult to squeeze this three-letter .org domain dispute into UDRP and to find that the Complainant showed it was registered and used in bad faith.