I boosted several posts about this already, but since people keep asking if I've seen it....

MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration Program, will expire on April 16. The CVE database is critical for anyone doing vulnerability management or security research, and for a whole lot of other uses. There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the US government, which is a major consumer of this information, btw.

I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April.

https://www.usaspending.gov/award/CONT_AWD_70RCSJ23FR0000015_7001_70RSAT20D00000001_7001

MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject

Yosry Barsoum, vice president and director at MITRE's Center for Securing the Homeland, said:

“On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”

It's worth asking again who would benefit from taking CVE offline? Surely not the United States government, nor its private companies. Not its allies (such as they are now) in Europe. But it almost certainly would help our adversaries, like China and Russia, because confusion and uncertainty always work to their advantage.

@briankrebs

++

Question: what do these nations use for similar distribution of vulnerability information, to address the confusion/lack of information?

@Amgine well presumably the attackers call these things by different names (without CVEs in them) prior to their being indexed by MITRE and the affected vendors. The longer defenders don't know how to call the same thing the same thing, that's advantage attackers, IMO.
@briankrebs @Amgine And that was the original purpose behind CVE back when it came into existence in the late 90s - remove the confusion. And that was when tech wasn't nearly as interconnected and interdependent as it is now.

@briankrebs

I was thinking more along the lines of how does China or Russia or Iran inform their industry of risks and dangers from, for example, Stuxnet or Stars.

Do they maintain something equivalent to MITRE?

@briankrebs
@simplenomad

The implication I am trying to make is: addressing vulnerabilities is a shared responsibility in common with most computer users everywhere. It is only a limited subset, those wishing to use those vulnerabilities to do harm, who want to interrupt such work.

@Amgine @briankrebs that's a very interesting question... and sadly it does not look good either

For instance, in China the CNCERT used to maintain a national vulns db. Vulns were named "CNCVE-(year)-(id)", broadly following MITRE's path.

But, for a few years now, a new policy has ordered Chinese citizens to declare vulns on a new portal, the CNNVD (not to be confused with the CNVD, which is something else - also vulns related). This portal is not maintained by the CNCERT, but by the Chinese MSS. It is also partially nonpublic.

Yes, vulnerabilities management was effectively removed from the Chinese CISA and given to the Chinese NSA...

Vulns from the CNNVD are named "CNNVD-(year)(month)-(id)". However, there are multiple reports of intentional withholding/alterations on the platform: obvious lies on discovery/published dates; vulns not being published despite having huge impact including in China; etc.

TIL that "Federal service for technical and export control" (ФСТЭК) has its own vulnerability database, and they even accept reports: https://bdu.fstec.ru/contacts/vulreport

(Skip TLS errors, they use govt's certificate authority)

@Amgine @briankrebs

Also in Russia there's a similar database, https://bdu.fstec.ru/vul (root cert is issued by Russian domestic CA, thus won't be trusted by most of the browsers)