54 votes

MITRE support for the Common Vulnerabilities and Exposures (CVE) program will expire tomorrow

A letter to CVE board members posted to Bluesky a few hours ago reveals that MITRE funding for the Common Vulnerabilities and Exposures (CVE) program is about to expire. Haven't found any good articles that cover this news story yet, but it's spreading like wildfire over on Bluesky.

Of course this doesn't mean that the CVE program will immediately cease to exist, but at the moment MITRE funding is absolutely essential for its long-term survival.

In a nutshell, CVEs are a way to centrally organize, rate, and track software vulnerabilities. Basically any publicly known vulnerability out there can be referred to via its CVE number. The system is an essential tool for organizations worldwide to keep track of and manage vulnerabilities and implement appropriate defensive measures. Its collapse would be devastating for the security of information systems worldwide.

How can one guy in a position of power destroy so much in such a short amount of time..? I hope the EU will get their shit together and fund independent alternatives for all of these systems being butchered at the moment...

Edit/Update 20250415 21:10 UTC:
It appears journalist David DiMolfetta confirmed the legitimacy of the letter with a source a bit over an hour ago and published a corresponding article on nextgov 28 minutes ago.

Edit/Update 20250415 21:25 UTC:
Brian Krebs also talked to MITRE to confirm this news. On infosec.exchange he writes:

I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April.
MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject

Edit/Update 20250415 21:37 UTC:
The above-mentioned post was supplemented by Brian Krebs 5 minutes ago with this comment:

Hearing a bit more on this. Apparently it's up to the CVE board to decide what to do, but for now no new CVEs will be added after tomorrow. The CVE website will still be up.

Edit/Update 20250416 08:40 UTC:
First off, here's one more article regarding the situation by Brian Krebs (the guy I cited above), as well as a YouTube video by John Hammond.

In more positive news: first attempts to save the project seem to emerge. Tib3rius posted on Bluesky about half an hour ago that a rogue group of CVE board members has launched a CVE foundation to secure the project's future. It's by no means a final solution, but it's at least a first step to give some structure to the chaos that has emerged, and a means to manage funding from potential alternative sources that will hopefully step up to at least temporarily carry the project.

Edit/Update 20250416 15:20 UTC:
It appears the public uproar got to them. According to a nextgov article by David DiMolfetta the contract has been extended by 11 months on short notice just hours before it expired...

Imo the events of the past 24 hours will leave their mark. It has become very clear that relying on the US government for such critical infrastructure is not a sustainable approach. I'm certain (or at least I hope) that other governments (i.e. EU) will draw appropriate consequences and build their own infrastructure to take over if needed. The US is really giving up their influence on the world at large at an impressive pace.

12 comments

  1. [3]
    snake_case
    Man, I have learned so much about government agencies and funding in the past few months.

    It's like how, growing up, the way I would learn about new species is because there would be some article about how they're about to be extinct. I knew what an axolotl was in like 2005.

    Learning about government agencies via the ongoing news of the catabolic collapse of the United States is an interesting pastime.

    33 votes
    1. [2]
      DefinitelyNotAFae
      That comparison is poignant. Do you mind if I steal it in explaining my own experience elsewhere?

      9 votes
      1. snake_case
        Haha, sure, give it a go. Maybe someone somewhere will listen, 'cause they sure ain't ever listened to me.

        2 votes
  2. [5]
    ShroudedScribe
    This could be bad. If the funding remains cut, IT professionals will have to go to other sources to keep up to date on newly discovered and disclosed vulnerabilities. This would be quite a pivot, as even a lot of commercial software relies on the CVE database.

    I found an article that explains what CVE is, how it integrates with some other systems, and potential alternatives. Hopefully that will help others with less familiarity understand the topic a bit more.

    17 votes
    1. slade
      will have to go to other sources to keep up to date on newly discovered and disclosed vulnerabilities

      I believe this is where we wax optimistic about the free market saving the day. I'm certain somebody is already positioning themselves to get individually wealthy by selling us something we need as an entire society and used to get through tax funding.

      7 votes
    2. redwall_hp
      As someone who deals with these occasionally, our usual workflow as code owners in a large company is:

      1. Automated tools flag an application as using a dependency that has a known CVE.

      2. Look up the CVE on MITRE, because the automated tool's report doesn't supply all of the information.

      3. Triage the problem, by finding out if the developer of the dependency has an update or a timeline for one.

      4. Eventually update the dependency version, make a recommended workaround or find an alternative.

      Without a central database, this becomes impossible. Being aware of issues across many third-party packages is unlikely without it, and keeping tabs on the remediation of the vulnerability also simply doesn't scale if you just end up with hundreds of companies blasting emails at some unfortunate third party...

      7 votes
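The workflow in the comment above (automated tool flags a dependency, look the CVE record up, triage, pick a fixed version) can be run offline against the CVE JSON 5 records that the thread says are mirrored at https://github.com/CVEProject. The script below is an added example written for this thread, not code from MITRE, the CVE Project, NVD or any commenter. The CVE record and the dependency inventory it checks are both constructed: the CVE id is a placeholder, the vendor/product names are made up, and only the record's shape (cveMetadata, containers.cna.affected/metrics/references) follows the real schema. Version handling is a simple dotted-integer comparison, not full semver.

```python
"""Offline triage of a dependency inventory against CVE JSON 5 records.

Added example for this thread. The record and inventory below are
CONSTRUCTED (placeholder CVE id, made-up product); only the JSON shape
mirrors the CVE JSON 5 format published at github.com/CVEProject.
"""
import json

# Constructed CVE JSON 5 record. "lessThan" means: versions >= "version"
# and < "lessThan" are affected, so "lessThan" is also the first fixed version.
CONSTRUCTED_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-0000-00001", "state": "PUBLISHED"},  # placeholder id
    "containers": {"cna": {
        "affected": [{
            "vendor": "exampleorg", "product": "examplelib",
            "versions": [
                {"version": "1.2.0", "status": "affected", "lessThan": "1.2.7", "versionType": "semver"},
                {"version": "2.0.0", "status": "affected", "lessThan": "2.0.3", "versionType": "semver"},
            ],
        }],
        "descriptions": [{"lang": "en", "value": "Constructed example: out-of-bounds read in parser."}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],
        "references": [{"url": "https://example.invalid/advisory", "tags": ["vendor-advisory"]}],
    }},
})

# Constructed inventory, the kind of (package, version) list a scanner emits.
CONSTRUCTED_INVENTORY = [("examplelib", "1.2.3"), ("examplelib", "1.2.9"), ("otherlib", "3.1.0")]


def parse_version(text):
    """Dotted numeric version -> tuple of ints; non-numeric parts are dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version, rng):
    """True if `version` falls inside one CVE 5 'versions' range object."""
    if rng.get("status") != "affected":
        return False
    ver, low = parse_version(version), parse_version(rng["version"])
    if "lessThan" in rng:
        return low <= ver < parse_version(rng["lessThan"])
    if "lessThanOrEqual" in rng:
        return low <= ver <= parse_version(rng["lessThanOrEqual"])
    return ver == low  # a single affected version, no range


def is_affected(record, product, version):
    """Does this record list `product`@`version` as affected?"""
    for entry in record["containers"]["cna"].get("affected", []):
        if entry.get("product", "").lower() != product.lower():
            continue
        if any(in_range(version, rng) for rng in entry.get("versions", [])):
            return True
    return False


def summarize(record):
    """Pull the fields a triager needs from a CVE 5 record."""
    cna = record["containers"]["cna"]
    cvss = next((m["cvssV3_1"] for m in cna.get("metrics", []) if "cvssV3_1" in m), {})
    fixes = [rng["lessThan"] for e in cna.get("affected", [])
             for rng in e.get("versions", []) if "lessThan" in rng]
    return {
        "cve": record["cveMetadata"]["cveId"],
        "severity": cvss.get("baseSeverity", "UNKNOWN"),
        "score": cvss.get("baseScore", 0.0),
        "fix_candidates": fixes,                      # first unaffected versions
        "references": [r["url"] for r in cna.get("references", [])],
    }


def triage(record_texts, inventory):
    """Match inventory against records; highest CVSS score first."""
    records = [json.loads(t) for t in record_texts]
    findings = []
    for package, version in inventory:
        for rec in records:
            if is_affected(rec, package, version):
                findings.append({"package": package, "version": version, **summarize(rec)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage([CONSTRUCTED_RECORD], CONSTRUCTED_INVENTORY):
        print(f"{f['cve']} {f['severity']} {f['score']}: {f['package']} {f['version']} "
              f"-> upgrade to one of {f['fix_candidates']}")
```

Note that the product name match is the weak point: real records often name a product differently from the package manager's name, which is exactly the correlation work the comment says a central database spares you.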
    3. AndreasChris
      There's also this really nice diagram created and shared on LinkedIn by James Berthoty earlier. It nicely illustrates how central CVEs are to effectively processing vulnerabilities in a professional setting, and how many dependencies would be destroyed by removing them from the equation.

      2 votes
    4. DefinitelyNotAFae
      Thank you, very little of this made sense to me up front due to not having the broader context.

  3. [2]
    Protected
    As a former infosec worker: This could seriously hinder the reporting, tracking and dissemination of information of vulnerabilities in systems everywhere, causing a sharp decline in vulnerability patching and mitigation, and thereby resulting in systems that are more vulnerable to bad actors.

    I think we almost certainly could bring the CVE database to the EU; the EU would probably fund it. However, the EU tends to move slowly. It's not going to happen in a day.

    16 votes
    1. AndreasChris
      However, the EU tends to move slowly.

      Well, at least the EU has already been working on the EU vulnerability database (EUVD) for some time now. (See also: this ENISA press release from June 2024.)

      Maybe building off of that we could get a full CVE replacement in a somewhat reasonable timeframe. But yes, changing how basically every organization worldwide is keeping track of vulnerabilities is not something that happens overnight.

      4 votes
  4. revivinglaziness
    Current infosec worker; discussed with my chunk of the organization today. What we're losing will hurt security professionals' ability to rapidly, correctly triage and prioritize risks. In turn, that will cause delays and gaps in incident response. We believe the likeliest consequences are:

    • Vulnerability information fragmentation. There are always vendors who really wanted to do things their own way: Red Hat, for example, has always preferred its own homegrown vulnerability identifiers. Microsoft has like three of their own ID systems at this point. But these were all tied together with CVEs, which really helped the folks doing the work to do things like correlate which patches from which vendors fixed the same OpenSSL critical bug. Security practitioners will have to spend more time doing data lookups and correlation for no real benefit.
    • Slow rot of the NVD. NVD is run by NIST, which is part of the Department of Commerce rather than the Department of Homeland Security. But between the staffing cuts across all agencies, plus this new wrinkle, it seems unlikely that the NVD will maintain its present status as the most-usually-correct source of information. NIST already had problems last year keeping up with scoring. Beyond making things worse for the future, it'd be tremendously annoying and disruptive if the NVD were to go offline eventually, even though it's all backed up elsewhere.
    • Minor increase in zero-days. Major companies who could already assign their own CVEs ("CNAs"), like Microsoft and the Linux Foundation, will likely continue to do so ... at least for a while. But if there's no new central clearinghouse or replacement ID-assigning authority rapidly identified, a lot of smaller software vendors will go back to what they used to do: nothing, because it's a lot less work. So there probably won't be any report of those vulnerabilities until we're all learning about the exploits.

    Lastly and more personally, I am expecting a barrage of disinformation -- specifically, disingenuous bloviating about CVE creep, CVSS inflation, and similar subjects. I fully expect a bunch of bootlickers to say 'good riddance' and blame everything on MITRE. Yes, no one likes having to handle a gazillion CVEs and many are kinda stupid. Yes, CVSS v3 and v4 scores are generally higher across the board than they used to be in earlier versions. But no one is arguing these systems are perfect. Throwing the (ugly) baby out with the bathwater, and then celebrating it like I've already seen a few folks online doing? That's just bad attempts at deflecting from the obvious parallels where other public agency data sources (NOAA, NWS, etc.) are being trashed for no good reason.

    I'd like to hope that sanity prevails before tomorrow, but my pessimist side has been feeling right a lot lately.

    14 votes
  5. l_one
    I just found out about this from John Hammond's YT page a minute ago. Holy crap, they really are just throwing every bit of critical infrastructure they can grab into a bonfire.

    I feel like we are speedrunning the collapse of the American empire. Sure, it was in decline anyway, but was there really a need to push as fast and hard as possible for everything to burn?

    10 votes