It’s hard to see the bad faith use of this domain.
A National Arbitration Forum panelist has awarded The MITRE Corporation the domain name CVE.org in a cybersquatting dispute.
Finding in MITRE’s favor was the easy decision for panelist Ho Hyun Nahm, Esq. to make. MITRE is a respected organization and its Common Vulnerabilities and Exposures (CVE) service is run in conjunction with the U.S. Department of Homeland Security and Cybersecurity and Infrastructure Security Agency (CISA). The domain name owner also didn’t respond to the dispute.
So it was the easy decision, but I’m not sure it was the right decision.
MITRE argued that the domain is currently owned by either:
1. Someone associated with the dissolved non-profit organization CVE, Inc. but under inaccurate Whois information OR
2. A person who acquired the domain name after the non-profit dissolved.
If it’s the first case, the domain wasn’t registered in bad faith. If it’s the second, then it could have been registered in bad faith. We don’t know for sure because the domain owner didn’t respond, but I think it’s the second case based on a review of historical Whois records.
Given the second case and the non-response, there’s still a legitimate question of if this domain was registered and used in bad faith. The domain isn’t active, but MITRE argues:
Respondent registered and uses the disputed domain name in bad faith. Respondent either is affiliated with the inactive organization CVE, Inc. and provided false registration information on WHOIS, or Respondent is not affiliated with CVE, Inc. and uses the disputed domain name to create confusion and disrupt Complainant’s business for Respondent’s commercial gain. Respondent’s registration and use of the domain name is also in bad faith because it prevents Complainant from registering its mark as a domain name. Further, Respondent disrupts Complainant’s business because Respondent’s inactive website creates an impression that Complainant does not exist, or it may redirect Complainant’s consumers away from Complainant’s CVE product. Complainant asserts that Respondent presumably gains commercially from this practice. Respondent acquired the disputed domain name with actual knowledge of Complainant’s rights in the CVE mark.
If the domain owner used the domain to offer a security product or a parked page with security ads, there would be evidence of bad faith.
But not using the domain? I don’t see it. Also, what evidence is there that the domain owner “presumably gains commercially” from making the domain inactive? I’d argue the registrant presumably does not gain commercially from this.
Admittedly, CVE seems to be most commonly associated with MITRE’s CVE. Most Google results on the first page are for the program.
However, I find it difficult to squeeze this three-letter .org domain dispute into UDRP and to find that the Complainant showed it was registered and used in bad faith.
Nat Cohen says
I agree. It’s a troubling decision.
The reasoning presented in the decision is insufficient to support a finding of bad faith or to order the transfer of the domain name.
The domain name was first registered over 20 years ago, is not being used in any infringing way, and indeed is not being used at all.
All that is clear from the complaint is that MITRE wanted the domain name for its own use. The panelist, without justification, allowed MITRE to seize the domain name.
David Michaels says
It looks like cve .org was hijacked using some spurious arguments.
Someone is going to be real upset when they find out:
Domain Name: CVE.ORG
Registry Domain ID: D1684207-LROR
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://www.networksolutions.com
Updated Date: 2021-05-24T21:47:33Z
Creation Date: 1998-07-30T04:00:00Z
Registry Expiry Date: 2023-07-29T04:00:00Z
Registrar Registration Expiration Date:
Registrar: Network Solutions, LLC
Registrar IANA ID: 2
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.8777228662
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Web.com Holding Account
Registrant State/Province: FL
Registrant Country: US
Name Server: NS15.WORLDNIC.COM
Name Server: NS16.WORLDNIC.COM
Riley says
Wasn’t UDRP instituted to combat egregious cases of “cybersquatting?”
Instead, we have here another example where the UDRP policy is artfully interpreted to deliver a IP/complainant-friendly decision when the totality of the facts do not warrant it.
This ruling is proof that there are so many IP-biased loopholes in the UDRP policy that a complainant can make virtually any series of claims to an asset they have no primary claim to and still potentially win the case.
Holders of high value generic and acronym domains should be alarmed by this panelist’s unjustified decision against the registrant. This decision puts into jeopardy registrant’s rights in holding generic term and acronym domains.
hawkinsw says
I find it interesting that, even though they could not contact the Respondent, they still argued that he/she/it had _actual knowledge_ of the CVE trademark. Definitely a tenuous argument!