#infosec people, THIS is big and you need it in front of management RIGHT NOW.

MITRE has informed the CVE board members that effective TONIGHT, funding to run CVE and CWE is effectively gone. The US federal government contracts MITRE to run these programs, including management, operations, and infrastructure.

This not only could but almost certainly will result in disruptions to CVE and CWE including a halt of all operations if new contracts/funding are not secured.

@rootwyrm @desperadoduck Thank you, this seems to be an important thing. Would you mind writing the post up again in a way that a normal, educated (MD), and interested person can understand it?
@Developmentdoc @desperadoduck this is super one of those times I wish I could find not-shit blogging, because I would love to. Because this is so one of those confluences of technical and policy things.
BrianKrebs (@briankrebs@infosec.exchange)

I boosted several posts about this already, but since people keep asking if I've seen it.... MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration Program, will expire on April 16. The CVE database is critical for anyone doing vulnerability management or security research, and for a whole lot of other uses. There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the US government, which is a major consumer of this information, btw.

I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April. https://www.usaspending.gov/award/CONT_AWD_70RCSJ23FR0000015_7001_70RSAT20D00000001_7001

MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject

Yosry Barsoum, vice president and director at MITRE's Center for Securing the Homeland, said: “On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”

Adam Shostack :donor: :rebelverified: (@adamshostack@infosec.exchange)

CVE funding is apparently not being renewed. I’m not alone in having strong feelings, and I want to talk about some of the original use cases that informed us as we set up the system. (You might also enjoy my thoughts on 25 Years of CVE for some context.)

Those included comparing between vulnerability posts. It’s a lot of work to decide if two vulns are the same. Tagging both with a name was an important use case in 1997, and one that I got to revisit around 2010 when I was doing work to understand how malware got into PCs. Most of the attacks in exploit kits were not CVE-labeled. So deciding what they were was hours per vuln, with a high failure rate, versus minutes when they had a CVE assigned.

CVE achieved public good status exceptionally quickly, in part because of support from thoughtful leaders like Tony Sager while he was at NSA. Finding support from outside the government was, as I recall, harder because MITRE is Congressionally chartered and has difficulty taking money from anyone but the US Government.

There are other use cases, and I want to mention them because I was talking in private to friends, and they weren’t aware of these. All vendor names are used as examples.

* Did redhat fix this python bug or do we need to find a patch is way easier with CVEs.
* Did Apple fix this OpenSSL bug after getting version locked to OpenSSL 0.9.8?
* Having a name lets you discuss “did Microsoft fix this yet?” and if there’s a tool that tests it, you can cross-check the bug, the proof of concept, and the patch.
* Having an authoritative public timetable, including issuance, helped everyone understand when a vendor was slow-rolling a fix.


@Developmentdoc @rootwyrm @desperadoduck

this is my attempt to explain this problem for people who do not work in infosec:

When a security issue with any sort of computer product is found, it’s supposed to be forwarded to these people, MITRE. They assign each one a tracking name, maintain a big database, and publish a list of new ones.

Whether you are a huge corporation or a small business with a website, this list is incredibly helpful in staying on top of what needs to be fixed. Your computer has software components from literally thousands of different organizations running on it. Overlooking that one critically needs an update is how you wake up to your whole hospital having been ransomwared by criminals.

Cutting the funding for this means that there’s no centralized list everyone can reference and trust to be updated in a timely fashion. Hacking incidents, in general, everywhere, will begin to rise.

@0xabad1dea @Developmentdoc @rootwyrm @desperadoduck i think that's great, i'd just add: even WHEN someone steps up to run an alternate list (it WILL happen, and fast, if this goes down), if this one goes dark for even a day, it is VERY likely someone takes opportunistic advantage of that chaos. this week's gonna be rough.

@0xabad1dea @Developmentdoc @rootwyrm @desperadoduck That's a very good explanation. I'll try to add a bit about what it looks like from the perspective of a company selling software or devices:

You make software, mostly by plugging together existing components - maybe a Linux OS, a database, and other stuff.

Each of those components might have security holes that are discovered over time. So you subscribe to the CVE database, and in case one of your components is affected, you get an alert.

@0xabad1dea @Developmentdoc @rootwyrm @desperadoduck Literally everyone in the industry has been relying on this subscription service. And now it looks like that service is going away. So as a vendor, I now have no way of tracking security holes in my product.

It's probably not the end of the world. People will find a way. But it absolutely is a major disruption for everyone not just in IT security, but for software producers and device manufacturers worldwide.
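The "subscribe and get an alert when one of your components is affected" workflow described in the two posts above, as an added example (not code from the thread, from MITRE, or from any vendor): it reads records in the CVE JSON 5.x layout published in the CVEProject GitHub repositories, resolves the affected version ranges (including a defaultStatus and an explicit "unaffected" exception) against a small component inventory, and returns the matches. The record, its CVE-0000-00001 identifier, the vendor and product names, and the inventory are all constructed placeholders, not a real vulnerability; the rule that an explicit "unaffected" entry overrides an overlapping "affected" range is this example's assumption.

```python
"""Added example: alert on CVE JSON 5.x records that affect inventoried components.
Not the thread's or MITRE's code. The record and inventory below are constructed
placeholders; CVE-0000-00001 is not a real identifier."""
import json

# Constructed sample record in the CVE JSON 5.x layout (cvelistV5 style).
SAMPLE_RECORDS = [json.loads("""{
  "dataType": "CVE_RECORD", "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-0000-00001", "state": "PUBLISHED"},
  "containers": {"cna": {
    "descriptions": [{"lang": "en", "value": "Placeholder description."}],
    "affected": [{
      "vendor": "examplevendor", "product": "examplelib",
      "defaultStatus": "unaffected",
      "versions": [
        {"version": "1.0.0", "lessThan": "1.4.2", "status": "affected", "versionType": "semver"},
        {"version": "1.3.9", "status": "unaffected", "versionType": "semver"}
      ]
    }]
  }}
}""")]

# Constructed component inventory: (vendor, product, version), e.g. from an SBOM.
INVENTORY = [
    ("examplevendor", "examplelib", "1.2.0"),   # inside the affected range
    ("examplevendor", "examplelib", "1.3.9"),   # explicitly listed as unaffected
    ("examplevendor", "examplelib", "1.4.2"),   # first version outside the range
    ("othervendor",   "examplelib", "1.2.0"),   # same product name, different vendor
]


def parse_version(text):
    """Dotted version string -> comparable tuple; trailing non-digits in a piece
    (e.g. '2b') are dropped. Assumption: numeric dotted versions only."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, spec):
    """True if `version` falls inside one affected[].versions[] entry.
    Handles a single 'version', 'lessThan', 'lessThanOrEqual' and the '*'
    wildcard upper bound that the CVE 5.x schema allows."""
    v = parse_version(version)
    start = parse_version(spec["version"])
    if "lessThan" in spec:
        end = spec["lessThan"]
        return v >= start if end == "*" else start <= v < parse_version(end)
    if "lessThanOrEqual" in spec:
        end = spec["lessThanOrEqual"]
        return v >= start if end == "*" else start <= v <= parse_version(end)
    return v == start


def status_for(entry, version):
    """Resolve one version against one affected[] entry. Assumption made here:
    an explicit 'unaffected' entry overrides any overlapping 'affected' range;
    a version matching no entry gets the entry's defaultStatus."""
    hit = None
    for spec in entry.get("versions", []):
        if version_in_range(version, spec):
            status = spec.get("status", "affected")
            if status == "unaffected":
                return "unaffected"
            hit = status
    return hit or entry.get("defaultStatus", "unknown")


def find_alerts(records, inventory):
    """Return (cveId, vendor, product, version) for each inventory item that a
    PUBLISHED record marks as affected. REJECTED/RESERVED records are skipped."""
    alerts = []
    for rec in records:
        meta = rec["cveMetadata"]
        if meta.get("state") != "PUBLISHED":
            continue
        for entry in rec["containers"]["cna"].get("affected", []):
            for vendor, product, version in inventory:
                if (entry.get("vendor", "").lower() != vendor.lower()
                        or entry.get("product", "").lower() != product.lower()):
                    continue
                if status_for(entry, version) == "affected":
                    alerts.append((meta["cveId"], vendor, product, version))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_RECORDS, INVENTORY):
        print("ALERT", *alert)
```

Against the constructed data only the 1.2.0 install raises an alert: 1.4.2 is the first version past the `lessThan` bound, 1.3.9 is carved out by the explicit unaffected entry, and the other vendor's component never matches. Real feeds also carry non-numeric `versionType` values (git hashes, custom strings) that this tuple comparison does not handle; those need a per-type comparator.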

@slothrop @0xabad1dea @Developmentdoc @rootwyrm @desperadoduck Sounds like a good market opportunity. If the service is so critical, people will pay for it, so someone will probably step up to run such a thing as a subscription service.
@rumpel I cannot possibly trust a person who hears “public utility for the common good of everyone’s safety” and says the words “market opportunity”.
@0xabad1dea oh I'm sure this will end great! I nominate Elsevier to run this service :)

@0xabad1dea @rumpel Seconding this. Privatizing this service would be an amazingly bad idea.

First, it would screw with the perception of transparency. Can you really trust a commercial provider to report vulnerabilities honestly? Maybe they have some sort of deal with one or more of the big software producers.

Second, there's seldom a direct relationship between those who discover vulnerabilities, those who process them, and those who fix them. Super hard to monetize without screwing stuff up.

@slothrop @0xabad1dea @rumpel thirding this for a different reason.

Even with CNAs being distributed (and who would do volunteer work to help a for-profit corporation?) we already had a shortage of people with actual knowledge of the projects and ended up with vulnerabilities that didn't make sense. There's no way to run this database on such a broad spectrum of things like "all of software" and not go bankrupt because of the amount of specialized knowledge that needs hiring.

In GDB, which for those that don't know, is meant to be used locally to find and fix issues in things you made yourself, we already got several "if I do this GDB crashes, that's a denial of service" or "it leaks 10B of memory one time when I run this command, memory exhaustion!!!". Can you imagine if there was financial incentive to accept and report these things?
@0xabad1dea @Developmentdoc @rootwyrm @desperadoduck I would like to specifically note that this is *the de facto vulnerability database* for *the whole world*, not just the US.

@dramforever @0xabad1dea @Developmentdoc @rootwyrm @desperadoduck Right - another way that I would think of it is that it's sort of a "Recall" department, like when the FDA recalls lettuce for having E. coli, or tells people when they can't use baby formula from a particular plant because it has bacteria in it.

Only on a U.N./W.H.O.-level scale, with Day-1 delivery of foods that don't need to be recalled. Only for software bugs.

@0xabad1dea Have you seen this? https://www.thecvefoundation.org/home Seems like a potentially good sign, but the lack of any names is a bit worrying.
CVE Foundation

FOR IMMEDIATE RELEASE April 16, 2025 CVE Foundation Launched to Secure the Future of the CVE Program [Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a

@Kufat I am skeptical that this is a legitimate website and not someone hurriedly trying to figure out how to set up a good phish especially since... it's already run by a non-profit organization. Why would they need a new one?
@0xabad1dea Hmm. I don't find the idea of needing a new nonprofit to be that suspicious by itself, because it can sometimes be easier to start a new org + move assets/programs over than it would be to modify an existing org's charter, etc.
My concern was the lack of names on the page + lack of links to it from reliable sources. Ars and others have now linked it, though, so I guess it's probably legit?
@0xabad1dea @rootwyrm @desperadoduck Thank you! Now I understand, and this is of course really important. Appreciate you taking the time to explain!