Something Completely Different

Uncle Sam kills funding for CVE program. Yes, that CVE program

Started by DeepMinder, Apr 17, 2025, 03:46 PM

Previous topic - Next topic
Go Down
Apr 17, 2025, 03:46 PM
https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/

QuoteThe 25-year-old CVE program plays a huge role in vulnerability management. It is responsible overseeing the assignment and organizing of unique CVE ID numbers, such as CVE-2014-0160 and CVE-2017-5754, for specific vulnerabilities, in this case OpenSSL's Heartbleed and Intel's Meltdown, so that when referring to particular flaws and patches, everyone is agreed on exactly what we're all talking about.

It is used by companies big and small, developers, researchers, the public sector, and more as the primary system for identifying and squashing bugs. When multiple people find the same hole, CVEs are useful for ensuring everyone is working toward that one specific issue.

QuoteWhile the whole world's vulnerability management efforts aren't going to descend into chaos overnight, there is a concern that in a month or two they may. The lack of US government funding means that, unless someone else steps in to fill the gap, this standardized system for naming and tracking vulnerabilities may falter or shut down, new CVEs may no longer be published, and the program's website may go offline.
QuoteCVE is a cornerstone of cybersecurity, and any gaps in CVE support will put our critical infrastructure and national security at unacceptable risk


QuoteNot-for-profit outfit MITRE has a contract with the US Department of Homeland Security to operate the CVE program, and on Tuesday the group confirmed this arrangement has not been renewed. This comes as the Trump administration scours around the federal government for costs to trim.

"On Wednesday, April 16, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures Program and related programs, such as the Common Weakness Enumeration Program, will expire," Yosry Barsoum, MITRE's vice president and director at the Center for Securing the Homeland, told The Register.


QuoteHistorical CVE records will at least remain available at GitHub.

"CVE is a cornerstone of cybersecurity, and any gaps in CVE support will put our critical infrastructure and national security at unacceptable risk," Luta Security founder and CEO Katie Moussouris, who pioneered Microsoft's vulnerability disclosure program, told The Register.

"All industries worldwide depend on the CVE program to keep their heads above water when it comes to managing threats, so an abrupt halt like this would be like depriving the cybersecurity industry of oxygen and expecting it to spontaneously sprout gills," Moussouris said.

It basically works like this: When an individual researcher or an organization discovers a new bug in some product, a CVE program partner — there are currently a few hundred across 40 countries — is asked to assess the vulnerability report and assign a unique CVE identifier for the flaw if and as necessary.

The program is sponsored, and largely funded by the Cybersecurity and Infrastructure Security Agency, aka CISA, under the umbrella of the US Department of Homeland Security. It appears MITRE has been paid roughly $30 million since 2023 to run CVE and associated programs.





#1 Apr 17, 2025, 05:07 PM
Go Up