A letter to CVE board members posted to bluesky a few hours ago reveals that MITRE funding for the Common Vulnerabilities and Exposures (CVE) program is about to expire. Haven't found any good articles that cover this news story yet, but it's spreading like wildfire over on bluesky.

Of course this doesn't mean that the CVE program will immediately cease to exist, but at the moment MITRE funding is absolutely essential for its longterm survival.

In a nutshell CVEs are a way to centrally organize, rate, and track software vulnerabilities. Basically any publicly known vulnerability out there can be referred to via their CVE number. The system is an essential tool for organizations worldwide to keep track of and manage vulnerabilities and implement appropriate defensive measures. Its collapse would be devestating for the security of information systems worldwide.

How can one guy in a position of power destroy so much in such a short amount of time..? I hope the EU will get their shit together and fund independent alternatives for all of these systems being butchered at the moment...

Edit/Update 21:10 UTC:
It appears Journalist David DiMolfetta confirmed the legitimacy of the letter with a source a bit over an hour ago and published a corresponding article on nextgov 28 minutes ago.

Edit/Update 21:25 UTC:
Brian Krebs also talked to MITRE to confirm this news. On infosec.exchange he writes:

I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April.
MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject

Edit/Update 21:37 UTC:
Abovementioned post has been supplemented by Brian Krebs 5 Minutes ago with this comment:

Hearing a bit more on this. Apparently it's up to the CVE board to decide what to do, but for now no new CVEs will be added after tomorrow. the CVE website will still be up.

My thoughts are that apps can have end-to-end encryption, but if the app on the end is still connected to someone's servers, there's nothing stopping them from pulling the contents of the chat after it's been decrypted on the other end. What options do we have for messaging that don't have this issue? I understand that anything that I can see can still get taken by the OS, etc., but I'm curious about that first step.

Hi Tilderinos,

I head up a small startup and we're looking to get some support for our data security. Up until now we've worked with small mom and pops that didn't have any requirements, but a few of our new clients have full data security teams and our infrastructure and policies/protocols aren't up to snuff. We reached out to a few consulting firms and they quotes us between $80-100k to get things set up and run us through a full SOC2 review. As a small company we don't really have that type of budget, more like $40-50k. I stumbled upon Vanta and Drata as alternatives and had meetings with their sales folks last week. Both of their offerings from setting up our protocols to monitoring and getting us through a SOC2 were only $16k.

Are platform based companies like Vanta or Drata enough to get us off the ground while we're still getting set up? Has anyone worked with them before and have any feelings one way or the other? Should we be signing on with a security consulting company - be it at a lower rate if we can negotiate it?
This is all quite new to me and any insight folks here can provide would be incredible useful.