The nonprofit organization Mitre, which maintains the Common Vulnerabilities and Exposures (CVE) database, said on April 15 that US government funding for its operations would expire without renewal. In a last-minute reversal, however, CISA said on the morning of April 16 that it has extended support for the database. At the same time, CVE board members founded the CVE Foundation, a nonprofit not affiliated with the US federal government, to maintain the CVE program.
The CVE program, which has been in place since 1999, is an important way to report and track vulnerabilities. Many other cybersecurity resources, such as Microsoft’s Patch Tuesday update and report, refer to CVE numbers to identify flaws and fixes. Organizations called CVE Numbering Authorities are associated with Mitre and are authorized to assign CVE numbers.
“CVE supports a huge part of vulnerability management, event response and critical infrastructure protection efforts,” wrote Casey Ellis, founder of crowdsourced cybersecurity hub Bugcrowd, in an email to TechPublic. “A sudden interruption of services has the very real potential to bubble up into a national security problem in short order.”
Funding for Mitre was expected to run out without renewal
A letter sent to CVE board members began circulating on social media on Tuesday.
“The current contracting path for Mitre to develop, serve and modernize CVE and several other related programs, such as CWE, will expire,” said the letter from Yosry Barsoum, vice president and director of the Center for Securing Homeland, a branch of Mitre.
CWE is the Common Weakness Enumeration, a list of hardware and software weaknesses.
“The government continues to make significant efforts to continue the role of Mitre to support the program,” Barsoum wrote.
Mitre is traditionally financed by the Department of Homeland Security.
Mitre did not respond to TechPublic’s question about the cause of the expiry or what cybersecurity professionals can expect next.
Mitre has not specified whether the funding cut is related to the widespread cuts by the Department of Government Efficiency (DOGE).
CVE Foundation has laid the basis for a new system in the past year
Before CISA’s announcement, an independent foundation said they were prepared to step in to continue the CVE program. CVE Foundation is a nonprofit dedicated to maintaining the CVE submission program and database.
“While we had hoped that this day would not come, we have prepared for this opportunity,” wrote an anonymous CVE Foundation representative in a press release on Wednesday. “In response, a coalition of many years of active CVE board members has spent the past year developing a strategy to transfer CVE to a dedicated, non-profit foundation.”
CVE Foundation plans to detail its structure, timeline and opportunities for involvement in the future. With CISA extending funding, the foundation may not be necessary yet – although it may be reassuring to know that its services and backups are available.