CVE program averts swift end after CISA executes 11-month contract extension

Important update April 16, 2025: Since this story was first published, CISA signed a contract extension that averts a shutdown of the MITRE CVE program. A CISA spokesperson sent CSO a statement saying, “The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.” Sources say the contract extension will last 11 months.

April 15, 2025: In a stunning development that demolishes a cornerstone of cybersecurity defense, nonprofit R&D organization MITRE said that its contract with the Department of Homeland Security (DHS) to maintain the Common Vulnerabilities and Exposures (CVE) database, which organizes computer vulnerabilities, will expire at midnight on April 16.

Yosry Barsoum, vice president and director of the Center for Securing the Homeland at MITRE, wrote in a missive to the CVE board, “On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program, and MITRE remains committed to CVE as a global resource.”

Sasha Romanosky, senior policy researcher at the Rand Corporation, branded the end to the CVE program as “tragic,” a sentiment echoed by many cybersecurity and CVE experts reached for comment.

“CVE naming and assignment to software packages and versions are the foundation upon which the software vulnerability ecosystem is based,” Romanosky said. “Without it, we can’t track newly discovered vulnerabilities. We can’t score their severity or predict their exploitation. And we certainly wouldn’t be able to make the best decisions regarding patching them.”

Ben Edwards, principal research scientist at Bitsight, told CSO, “My reaction is sadness and disappointment. This is a valuable resource that should absolutely be funded, and not renewing the contract is a mistake.”

He added, “I am hopeful any interruption is brief and that if the contract fails to be renewed, other stakeholders within the ecosystem can pick up where MITRE left off. The federated framework and openness of the system make this possible, but it’ll be a rocky road if operations do need to shift to another entity.”

MITRE’s CVE program foundational to cybersecurity

MITRE’s CVE program is a foundational pillar of the global cybersecurity ecosystem and is the de facto standard for identifying vulnerabilities and guiding defenders’ vulnerability management programs. It provides foundational data to vendor products across vulnerability management, cyber threat intelligence, security information and event management, and endpoint detection and response.

Although the National Institute of Standards and Technology (NIST) enriches the MITRE CVE records with additional information through its National Vulnerability Database (NVD), and CISA has helped enrich MITRE’s CVE records with its “vulnrichment” program due to funding shortfalls in the NVD program, MITRE is the originator of the CVE records and serves as the primary source for identifying security flaws.

“If MITRE’s funding goes away, it causes an immediate cascading effect that will impact vulnerability management on a global scale,” Brian Martin, vulnerability historian, CSO of the Security Errata project, and former CVE board member, wrote on LinkedIn.

“First, the federated model and CVE Numbering Authorities (CNA) can no longer assign IDs and send info to MITRE for quick publication. Second, all of that is the foundation for the National Vulnerability Database (NVD), which is already beyond struggling, with a backlog of over 30,000 vulnerabilities and the recent announcement of over 80,000 ‘deferred’ (meaning will not be fully analyzed by their current standards).”

Martin added, “Third, every company that maintains ‘their own vulnerability database’ that is essentially lipstick on the CVE pig will have to find alternate sources of intelligence. Fourth, national vulnerability databases like China’s and Russia’s, among others, will largely dry up (Russia more than China). Fourth [sic], hundreds, if not thousands, of National / Regional CERTs around the world, no longer have that source of free vulnerability intelligence. Fifth [sic], every company in the world that relied on CVE/NVD for vulnerability intelligence is going to experience swift and sharp pains to their vulnerability management program.”

Why is the contract ending?

It’s unclear what led to DHS’s decision to end the contract after 25 years of funding the highly regarded program. The Trump administration, primarily through Elon Musk’s Department of Government Efficiency initiative, has been slashing government spending across the board, particularly at the Cybersecurity and Infrastructure Security Agency (CISA), through which DHS funds the MITRE CVE program.

Although CISA has already been through two funding cuts, press reports suggest that nearly 40% of the agency’s staff, or around 1,300 employees, are still slated for termination. However, sources say that, compared to the budget cuts made elsewhere in the federal government, the expense of running the CVE program is minor and “won’t break the bank.”

What happens next?

Sources close to the CVE program say that starting at midnight on April 16, MITRE will no longer add records to its CVE database. However, historical CVE records will be available on GitHub.

The real question is whether a private sector alternative to MITRE’s program emerges.

“It’s difficult to speculate on what services could be impacted reading the note from MITRE,” Patrick Garrity, a security researcher at threat intelligence firm Vulncheck, told CSO. “The current vulnerability ecosystem is fragile after seeing NIST NVD’s failure last year, and any impacts to the CVE Program could have detrimental impacts on defenders and the security community. VulnCheck remains committed to helping fill any gaps that might arise.”

Garrity posted on LinkedIn, “Given the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025,” adding that Vulncheck “will continue to provide CVE assignments to the community in the days and weeks ahead.”

A CISA spokesperson told CSO, “CISA is the primary sponsor for the Common Vulnerabilities and Exposure (CVE) program, which is used by government and industry alike to disclose, catalog, and share information on technology vulnerabilities that can put the nation’s critical infrastructure at risk. Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”

This article was originally published April 15, titled “CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo.” It has been updated to reflect the latest announcements about CVE.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html
