Kevin BeaumontApr 15, 2025

Wow. CVE database is in serious trouble, tomorrow.

The cyber industry as a whole is in trouble also really, it’s the elephant in the room - the collapse of the White House’s support for cybersecurity is obvious and pronounced due to widespread cutbacks.

Show threadKevin BeaumontApr 15, 2025
Show threadKevin BeaumontApr 15, 2025

My take on the CVE contract issue for businesses: don’t overreact, wait and see what impacts are.

The NVD backlog was already pretty crazy.. the US gov has gotta put real funding into this area if it wants to retain control of cyber standards.

Show threadKevin BeaumontApr 15, 2025
Just as an update to this - @briankrebs has confirmed with MITRE the letter is real, and as it stands the CVE database is likely to go offline tomorrow.
Show threadKevin BeaumontApr 15, 2025

To widen it out - CVE is the globally recognised system orgs use for vulnerability management.

Every vulnerability management product uses CVEs. Vulnerability management is a core part of cybersecurity - often, the most important part.

Additionally, CVE is written into several US government standards that orgs have to follow.

So the US Government not funding it is a major and historic own goal.

Show threadKevin BeaumontApr 15, 2025
There's an argument that MITRE should try to keep everything alive and run things without funding and contracts etc.. but, honestly? My take - stop doing everything that isn't in the contract. Force the issue.
Show threadLauren Weinstein
@GossiTheDog That's tantamount to recommending suicide.
Apr 15, 2025 at 10:19pmWeb