I boosted several posts about this already, but since people keep asking if I've seen it....

MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration Program, will expire on April 16. The CVE database is critical for anyone doing vulnerability management or security research, and for a whole lot of other uses. There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the US government, which is a major consumer of this information, btw.

I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April.

https://www.usaspending.gov/award/CONT_AWD_70RCSJ23FR0000015_7001_70RSAT20D00000001_7001

MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject

Yosry Barsoum, vice president and director at MITRE's Center for Securing the Homeland, said:

“On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”


It's worth asking again who would benefit from taking CVE offline? Surely not the United States government, nor its private companies. Not its allies (such as they are now) in Europe. But it almost certainly would help our adversaries, like China and Russia, because confusion and uncertainty always work to their advantage.
Probably the last CVE indexed before it goes dark should be CVE-2025-DOGE (critical, local privilege escalation vulnerability that leads to malicious code execution and data exfiltration).
@briankrebs uh what? CVEs are only made for software programs and hardware, right? I'd have to check the CVSS scoring system, but I think they're only made for software and hardware, unless dogecoin is still around and there is a vulnerability in its code
@adisonverlice @briankrebs I think DOGE qualifies as a configuration of the quintessential Evil Maid

@cmdrmoto but again, CVEs are only assigned to software, hardware, and computer systems. Not specific people, not government agencies, only those 3 categories
"Currently, IT management must identify and assess vulnerabilities across many disparate *hardware* and *software* platforms"
I don't think I mentioned *government agencies* now did I?
btw, here is the document I took from

https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=51198.

@adisonverlice
You are correct and also it doesn't matter.
@cmdrmoto
@adisonverlice @cmdrmoto I believe Brian is being satirical here.

@adisonverlice you appear to be someone who could use a refresher on the definition of the word "rhetorical," so here you go. I'd offer a definition for "bloody exhausting" as well, but you seem to have a solid handle on that one already.

https://www.merriam-webster.com/dictionary/rhetorical


@adisonverlice @briankrebs DOGE most certainly qualifies as a cybersecurity vulnerability.
@TheRealPomax CVSS will not rate it because it is not software or hardware.
CVE and CVSS (as stated in another reply) only work on software and hardware in computer systems.
DOGE is a *government agency*, not a *processor*, a *piece of code and/or software*, nor is it a *programming language* or any sort of software.
So CVSS wouldn't rate it. If CVE were different in that it did, say, rate government agencies, then I would agree. But I don't, because CVSS and CVE only apply to software and hardware
@adisonverlice Do... you not know who Brian is? Did you completely miss the part where this is a grim joke based on current events by one of the most well known names in cyber security reporting?
@TheRealPomax the only way I know it is a joke is if it is placed in a content warning.
Also yes, I know who Brian is; I've emailed him and I've communicated with him personally before. Respectable guy, definitely, but he should've put things in a content warning saying something like "joke" or "cybersecurity joke", that way it is obvious

@adisonverlice Jokes don't need to be "funny haha it's just a joke, it's not serious", they can also be incredibly serious and harshly confrontational social commentary about how the US is getting dismantled at the moment and DOGE is at the forefront of that effort in the digital space.

This was one of those.

@TheRealPomax still, would've been nice to have a content warning. Something like "partial joke, partial reality" would've been good too. When I make jokes, I will often have a content warning, even if it has some reality to it
@TheRealPomax what I will agree with is that yes, DOGE doesn't seem to have their cybersecurity straight. Boy, cyberattacks may happen for 4 more years.
Still, if a joke is to be made, there should be a content warning so we know it's a joke, or even partially a joke.
Otherwise, I'm going to take it as if he meant it and I will start fact-checking. And no, I am not an AI, so I don't randomly ban people just for false facts or wish them to be banned, but I will certainly call them out

@adisonverlice Didn't think you were, but I do think you're unfamiliar with how social commentary works, and misunderstood what was being said and why.

The worst thing language can do is only ever be literal, there's context and nuance, and if that's not understood, that's not something to demand people hide.

Language is a rich thing, literal interpretation only gets you so far.

@TheRealPomax not everyone, especially myself, can easily distinguish joke from reality, unless it is super obvious there is some joke and some reality. and I don't think a content warning hides it, it just makes it obvious to the reader so they know what they're getting to.
Either way, I can agree with Brian's statement that if this continues, we are definitely fucked. We really need to look at how the government is doing cybersecurity. I know we don't have the time to make our own civilian-run government inside the US, but still, things should be investigated
@adisonverlice
Ah, no need to argue, it's just https://en.m.wikipedia.org/wiki/Poe's_law at work hehe. Misunderstandings happen and I can e.g. mark it as /s to be more obvious, but well, now you know. (btw, I don't want to claim anything and no offense, but I know people who would likely say they are autistic don't understand this, and that is totally fine! Because taking respect for their needs is good.)
@TheRealPomax

@briankrebs Shouldn't officers from FBI, CIA, DIA, NSA, Department of Homeland Security & other agencies consequently all have their stopping hands on the shoulders of everyone serving "DOGE" & enemies of the United States?

#RuleOfLaw #DefendTheConstitution #DefendTheUnion #DOGE #Espionage #DataTheft #DataBreach #NationalSecurityThreat #ObstructionOfNationalDefense #USPol #USPolitics

@ArenaCops @briankrebs Show them this, and they might actually sit up and take note:

"This declaration details DOGE activity within NLRB, the exfiltration of data from NLRB systems, and – concerningly – near real-time access by users in Russia. Notably, within minutes of DOGE personnel creating user accounts in NLRB systems, on multiple occasions someone or something within Russia attempted to login using all of the valid credentials (eg. Usernames/Passwords)."

https://whistlebloweraid.org/wp-content/uploads/2025/04/2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf

@slowenough @ArenaCops @briankrebs

Sadly, this all fits within the notion that bumbling wannabe-dictators are removing all the mechanisms that would stop them from doing any arbitrary thing they want to, with utter disregard for the real-world consequences of removing those mechanisms.

It's fascist dictatorship, but run by clowns.

@n1xnx @slowenough @briankrebs The least & worst entertaining clowns, that are causing real harm to real people.
@ArenaCops
@briankrebs
Have you seen who Trump has appointed to the FBI, DHS, etc? You could hack their accounts and post their nudes for all to see and the only response would be to try to find the hackers and send them to El Salvador, not to fund the CVE database. Cyber security takes forethought and insight into the underlying problems and systems and these people don't do nuance.
@briankrebs penetrate and patch is dead. Long live penetrate and patch.
@briankrebs I'd say CVE-2025-DOGE also leads to Denial of Service.
@briankrebs I'd say the issue is bigger and we're dealing with CVE-2025-TRUMP which is beyond identification phase. It's time for some serious isolation and eradication activity, won't you say? I hear El Salvador has some space left...
@briankrebs APT-420 made up of college kids and incels

@briankrebs

++

Question: what do these nations use for similar distribution of vulnerability information, to address the confusion/lack of information?

@Amgine well presumably the attackers call these things by different names (without CVEs in them) prior to their being indexed by MITRE and the affected vendors. The longer defenders don't know how to call the same thing the same thing, that's advantage attackers, IMO.
@briankrebs @Amgine And that was the original purpose behind CVE back when it came into existence in the late 90s - remove the confusion. And that was when tech wasn't nearly as interconnected and interdependent as it is now.

@briankrebs

I was thinking more along the lines of how does China or Russia or Iran inform their industry of risks and dangers from, for example, Stuxnet or Stars.

Do they maintain something equivalent to MITRE?

@briankrebs
@simplenomad

The implication I am trying to make is: addressing vulnerabilities is a shared responsibility in common with most computer users everywhere. It is only a limited subset, those wishing to use those vulnerabilities to do harm, who want to interrupt such work.

@Amgine @briankrebs that's a very interesting question... and sadly it does not look good either

For instance, in China the CNCERT used to maintain a national vulns db. Vulns were named "CNCVE-(year)-(id)", broadly following MITRE's path

But for a few years now, a new policy has ordered Chinese citizens to declare vulns on a new portal, the CNNVD (not to be confused with the CNVD, which is something else - also vulns related). This portal is not maintained by the CNCERT, but by the Chinese MSS. It is also partially nonpublic.

Yes, vulnerability management was effectively removed from the Chinese CISA and given to the Chinese NSA...

Vulns from the CNNVD are named "CNNVD-(year)(month)-(id)". However, there are multiple reports of intentional withholding/alterations on the platform: obvious lies on discovery/published dates; vulns not being published despite having huge impact including in China; etc...
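The identifier formats given in the post above (CVE-(year)-(id), CNCVE-(year)-(id), CNNVD-(year)(month)-(id)) and Brian's point earlier in the thread that defenders lose ground while they cannot call the same bug by the same name are exactly what a small normaliser has to deal with. The following is an added example, not code from anyone in this thread, from MITRE or from any of the databases named. The CVE rule it encodes (a sequence of 4 or more digits since the 2014 syntax change) is the documented one; the CNCVE and CNNVD patterns follow the formats stated in the post; the CNVD and FSTEC BDU patterns, the cves/<year>/<Nxxx>/<id>.json layout assumed for the CVEProject/cvelistV5 GitHub repository, and every cross-reference in the sample text are assumptions made for the example.

```python
"""Normalise vulnerability identifiers from several national databases.

Added example, not code from this thread, MITRE or any of the databases named.
CVE syntax (4+ digit sequence since 2014) is the documented rule; the
cvelistV5 path layout and the CNVD and FSTEC BDU patterns are assumptions;
CNCVE and CNNVD follow the formats stated in the thread.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VulnId:
    scheme: str      # "CVE", "CNCVE", "CNNVD", "CNVD" or "BDU"
    year: int
    sequence: str    # kept as text: leading zeros are part of the identifier
    canonical: str   # upper-case, normalised spelling


# One pattern per scheme. All are anchored on word boundaries so that the CVE
# pattern does not match the tail of a CNCVE identifier.
_PATTERNS = {
    # Since the 2014 syntax change the CVE sequence is 4 or more digits
    # (CVE-2014-100001 is valid, CVE-2023-123 is not).
    "CVE":   re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.I),
    "CNCVE": re.compile(r"\bCNCVE-(\d{4})-(\d+)\b", re.I),          # format per the thread
    "CNNVD": re.compile(r"\bCNNVD-(\d{4})(\d{2})-(\d+)\b", re.I),   # year+month, per the thread
    "CNVD":  re.compile(r"\bCNVD-(\d{4})-(\d+)\b", re.I),           # assumed format
    "BDU":   re.compile(r"\bBDU:(\d{4})-(\d+)\b", re.I),            # assumed FSTEC format
}


def parse_id(token: str) -> Optional[VulnId]:
    """Parse a single identifier; returns None when it matches no scheme."""
    token = token.strip()
    for scheme, pat in _PATTERNS.items():
        m = pat.fullmatch(token)
        if not m:
            continue
        if scheme == "CNNVD":
            year, month, seq = m.groups()
            canonical = f"CNNVD-{year}{month}-{seq}"
        else:
            year, seq = m.groups()
            canonical = f"{scheme}{':' if scheme == 'BDU' else '-'}{year}-{seq}"
        return VulnId(scheme, int(year), seq, canonical)
    return None


def extract_ids(text: str) -> list[VulnId]:
    """Pull every well-formed identifier out of free text, de-duplicated."""
    found: dict[str, VulnId] = {}
    for pat in _PATTERNS.values():
        for m in pat.finditer(text):
            vid = parse_id(m.group(0))
            if vid is not None:
                found.setdefault(vid.canonical, vid)
    return sorted(found.values(), key=lambda v: (v.scheme, v.year, int(v.sequence)))


def cvelist_path(vid: VulnId) -> str:
    """Relative path of a record in the CVEProject/cvelistV5 repository.

    Assumed layout: cves/<year>/<sequence minus its last three digits>xxx/<id>.json,
    e.g. cves/2021/44xxx/CVE-2021-44228.json.
    """
    if vid.scheme != "CVE":
        raise ValueError(f"only CVE records are kept in cvelistV5: {vid.canonical}")
    return f"cves/{vid.year}/{vid.sequence[:-3]}xxx/{vid.canonical}.json"


# Constructed sample text; the non-CVE cross-references are invented for the
# example and are not real aliases of CVE-2021-44228.
SAMPLE = (
    "Tracked as CVE-2021-44228 (Log4Shell). Other databases in the ticket: "
    "CNVD-2021-00123, CNNVD-202112-001, the older CNCVE-2019-0001 entry and "
    "FSTEC BDU:2021-00042. Not identifiers: cve-2025-DOGE, CVE-2023-123."
)

if __name__ == "__main__":
    for vid in extract_ids(SAMPLE):
        extra = f"  -> {cvelist_path(vid)}" if vid.scheme == "CVE" else ""
        print(f"{vid.scheme:6} {vid.canonical}{extra}")
```

Two details matter in practice: the sequence is kept as text because CVE-2024-0001 and a hypothetical CVE-2024-1 are different identifiers, and the 4-digit minimum is what rejects pre-2014-style or joke IDs such as CVE-2025-DOGE before they pollute a tracking system. If the GitHub mirror becomes the only source of historical records, cvelist_path is the lookup you would run against a local clone.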

TIL that "Federal service for technical and export control" (ФСТЭК) has its own vulnerability database, and they even accept reports: https://bdu.fstec.ru/contacts/vulreport

(Skip TLS errors, they use govt's certificate authority)

@Amgine @briankrebs

@Amgine @briankrebs

Also in Russia there's a similar database, https://bdu.fstec.ru/vul (root cert is issued by Russian domestic CA, thus won't be trusted by most of the browsers)

@briankrebs They don't care. All they see is money the government isn't giving to their favorite companies.
@briankrebs the current government benefits.

@briankrebs Me Sir! Please Sir! I know that one!

"Who would benefit" would be the thousands of developers across the world who spend much of their time reacting to CVEs and will be able to do more interesting things instead if the CVEs stop coming!

@briankrebs
China has been using a CNVD (China NVD) number to track vulns and I have always loathed it (as it deviates from the standard and can create confusion)
Can't believe one day it would be proven to be right
@briankrebs I think the other party that benefits from "confusion and uncertainty" is Trump himself.
@briankrebs Speaking as someone who worked as a fed in infosec for 1.5yrs before being fired by DOGE, and who has been watching DOGE carefully: while it is true that our adversaries would benefit from the CVE process degrading, I think it is less likely that this is a targeted funding cut and more likely that it has just been caught up in DOGE's slash-and-burn campaign through the federal government like so many other random contracts.
The proof will be in whether the funding gets restored.
@briankrebs And indeed, according to @metacurity he was notified by CISA that they've extended the contract, supporting the hypothesis that this was DOGE collateral damage, not an intentional effort to help our adversaries by killing CVE.
@jik @briankrebs @metacurity The volume of incompetence and malice have been so high that it feels like telling them apart has grown more difficult.

@briankrebs

Hanlon’s Razor. These are self-inflicted wounds. It’s tempting to blame the culturally appropriate enemies, but it’s glaringly obvious that incompetence is at play here and Americans of all types, from human to corporate, are collateral damage.

In as far as Musk has an ideology it’s how to benefit himself. Destroying regulations that challenge his companies’ activities is his game. It helps that this aligns with the Network State ideology of his tech colleagues and fellow Trump donors.

Trump is the same. His audience, the racist heart of the USA, loves the way he is wielding ICE and tariffs, and encouraging Musk to take apart everything perceived to be woke.

Frankly any half decent foreign handler would be asking him to tone it down. This disaster is American made and until America owns it there is no stopping it. The rest of us are working on building a post US empire world.

#uspol #genocide

@briankrebs "It's worth asking again who would benefit from taking CVE offline?" Software development companies that produce software with security bugs. Are there any of those involved with the Trump administration?
@briankrebs Potentially Musk might think he does, no more vulnerabilities against Tesla, Twitter and Starlink filed.
@briankrebs That's just so stupid and pointless.
@briankrebs I wonder how FEDRAMP's vulnerability scanning and reporting requirement feels about this. https://www.fedramp.gov/assets/resources/documents/CSP_Vulnerability_Scanning_Requirements.pdf
@briankrebs Umm... so... given the complexity of the, what, thousands of different unique services that power the contemporary internet, we're... fucked?
@elight @briankrebs Everyone gets to find out about everyone's else Only Fans subscriptions in a few months
@briankrebs This is like closing down the CDC.
Oh, wait.
@briankrebs When I was consulting for my government, I raised this exact scenario as a potential security risk. It was ignored. And here we are.
@briankrebs Procurement tag is 'SSS: ONLY ONE SOURCE'. This contract won't be handed over to a competitive private enterprise.