#infosec people, THIS is big and you need it in front of management RIGHT NOW.

MITRE has informed the CVE board members that effective TONIGHT, funding to run CVE and CWE is effectively gone. The US federal government contracts MITRE to run these programs, including management, operations, and infrastructure.

This not only could but almost certainly will result in disruptions to CVE and CWE including a halt of all operations if new contracts/funding are not secured.

@rootwyrm @desperadoduck Thank you, this seems to be an important thing. Would you mind writing the post up again in a way that a normal, educated (MD), and interested person can understand it?

@Developmentdoc @rootwyrm @desperadoduck

this is my attempt to explain this problem for people who do not work in infosec:

When a security issue with any sort of computer product is found, it’s supposed to be forwarded to these people, MITRE. They assign each one a tracking name, maintain a big database, and publish a list of new ones.

Whether you are a huge corporation or a small business with a website, this list is incredibly helpful in staying on top of what needs to be fixed. Your computer has software components from literally thousands of different organizations running on it. Overlooking that one critically needs an update is how you wake up to your whole hospital having been ransomwared by criminals.

Cutting the funding for this means that there’s no centralized list everyone can reference and trust to be updated in a timely fashion. Hacking incidents, in general, everywhere, will begin to rise.

@0xabad1dea @Developmentdoc @rootwyrm @desperadoduck i think that's great, i'd just add: even WHEN someone steps up to run an alternate list (it WILL happen, and fast, if this goes down), if this one goes dark for even a day, it is VERY likely someone takes opportunistic advantage of that chaos. this week's gonna be rough.

@0xabad1dea @Developmentdoc @rootwyrm @desperadoduck That's a very good explanation. I'll try to add a bit about what it looks like from the perspective of a company selling software or devices:

You make software, mostly by plugging together existing components - maybe a Linux OS, a database, and other stuff.

Each of those components might have security holes that are discovered over time. So you subscribe to the CVE database, and in case one of your components is affected, you get an alert.

@0xabad1dea @Developmentdoc @rootwyrm @desperadoduck Literally everyone in the industry has been relying on this subscription service. And now it looks like that service is going away. So as a vendor, I now have no way of tracking security holes in my product.

It's probably not the end of the world. People will find a way. But it absolutely is a major disruption for everyone not just in IT security, but for software producers and device manufacturers worldwide.
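What that subscription amounts to in practice, as an added example that is not from this thread or from any vendor's tooling: the vendor keeps an inventory of the components its product is built from and matches it against each day's vulnerability records, alerting on anything newly matched. The inventory, the records and the CVE-0000-* identifiers below are all constructed; the record layout is a simplified stand-in loosely modelled on the affected/versions fields of a CVE record, not a parser for the real feed.

```python
"""Match a component inventory (SBOM) against vulnerability records.

Added example, not from the thread. Both the inventory and the
vulnerability records are constructed; the record layout is a
simplified stand-in loosely modelled on the "affected"/"versions"
fields of a CVE record, not a parser for the real feed format.
"""

# Constructed inventory: what a vendor's product is built from.
SBOM = [
    {"vendor": "example-os", "product": "linux-base", "version": "5.10.4"},
    {"vendor": "example-db", "product": "exampledb", "version": "14.2"},
    {"vendor": "example-web", "product": "webfront", "version": "2.0.0"},
]

# Constructed vulnerability records with placeholder IDs (CVE-0000-*).
# "lessThan" is an exclusive upper bound; None means "this exact version".
RECORDS = [
    {"id": "CVE-0000-0001", "vendor": "example-os", "product": "linux-base",
     "versions": [{"version": "5.10.0", "lessThan": "5.10.9"}]},
    {"id": "CVE-0000-0002", "vendor": "example-db", "product": "exampledb",
     "versions": [{"version": "14.0", "lessThan": "14.1"},
                  {"version": "15.0", "lessThan": "15.3"}]},
    {"id": "CVE-0000-0003", "vendor": "example-web", "product": "webfront",
     "versions": [{"version": "2.0.0", "lessThan": None}]},
]


def parse_version(v: str) -> tuple:
    """Turn '5.10.4' into a comparable tuple. Numeric pieces compare as
    integers; any non-numeric piece sorts after all numeric ones, which is
    good enough for this example (real feeds need per-ecosystem rules)."""
    parts = []
    for piece in v.split("."):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def in_range(version: str, entry: dict) -> bool:
    """True if version lies in [entry['version'], entry['lessThan']);
    a missing lessThan means only that exact version is affected."""
    v = parse_version(version)
    start = parse_version(entry["version"])
    if entry.get("lessThan") is None:
        return v == start
    return start <= v < parse_version(entry["lessThan"])


def find_affected(sbom: list, records: list) -> list:
    """Return (product, version, cve_id) triples for every inventory item
    that falls inside an affected range of a record for the same
    vendor+product pair."""
    by_key = {}
    for rec in records:
        by_key.setdefault((rec["vendor"], rec["product"]), []).append(rec)
    hits = []
    for comp in sbom:
        for rec in by_key.get((comp["vendor"], comp["product"]), []):
            if any(in_range(comp["version"], e) for e in rec["versions"]):
                hits.append((comp["product"], comp["version"], rec["id"]))
    return hits


def new_since(previous: set, current: list) -> set:
    """The 'alert' the post describes: the subscriber acts on the delta
    between yesterday's match set and today's, not on the whole list."""
    return set(current) - previous


if __name__ == "__main__":
    for product, version, cve in find_affected(SBOM, RECORDS):
        print(f"{product} {version}: affected by {cve}")
```

The two things the matching has to get right are the exclusive upper bound (5.10.9 is not inside a "lessThan 5.10.9" range) and the exact-version case, which is why both are exercised in the constructed data; a feed that stops updating breaks the `new_since` step, since the delta silently stays empty.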

@slothrop @0xabad1dea @Developmentdoc @rootwyrm @desperadoduck Sounds like a good market opportunity. If the service is so critical, people will pay for it, so someone will probably step up to run such a thing as a subscription service.

@rumpel I cannot possibly trust a person who hears “public utility for the common good of everyone’s safety” and says the words “market opportunity”.

@0xabad1dea oh I'm sure this will end great! I nominate Elsevier to run this service :)

@0xabad1dea @rumpel Seconding this. Privatizing this service would be an amazingly bad idea.

First, it would screw with the perception of transparency. Can you really trust a commercial provider to report vulnerabilities honestly? Maybe they have some sort of deal with one or more of the big software producers.

Second, there's seldom a direct relationship between those who discover vulnerabilities, those who process them, and those who fix them. Super hard to monetize without screwing stuff up.

@slothrop @0xabad1dea @rumpel thirding this for a different reason.

Even with CNAs being distributed (and who would do volunteer work to help a for-profit corporation?) we already had a shortage of people with actual knowledge of the projects and ended up with vulnerabilities that didn't make sense. There's no way to run this database on such a broad spectrum of things like "all of software" and not go bankrupt because of the amount of specialized knowledge that needs hiring.

In GDB, which, for those that don't know, is meant to be used locally to find and fix issues in things you made yourself, we already got several "if I do this GDB crashes, that's a denial of service" or "it leaks 10B of memory one time when I run this command, memory exhaustion!!!". Can you imagine if there was financial incentive to accept and report these things?

@0xabad1dea @Developmentdoc @rootwyrm @desperadoduck I would like to specifically note that this is *the de facto vulnerability database* for *the whole world*, not just the US.

@dramforever @0xabad1dea @Developmentdoc @rootwyrm @desperadoduck Right - another way that I would think of it is that it's sort of a "Recall" department, like when the FDA recalls lettuce for having E. coli, or tells people when they can't use baby formula from a particular plant because it has bacteria in it.

Only on a U.N./W.H.O.-level scale, with Day-1 delivery of foods that don't need to be recalled. Only for software bugs.

@0xabad1dea Have you seen this? https://www.thecvefoundation.org/home Seems like a potentially good sign, but the lack of any names is a bit worrying.
CVE Foundation

FOR IMMEDIATE RELEASE April 16, 2025 CVE Foundation Launched to Secure the Future of the CVE Program [Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a

@Kufat I am skeptical that this is a legitimate website and not someone hurriedly trying to figure out how to set up a good phish especially since... it's already run by a non-profit organization. Why would they need a new one?

@0xabad1dea Hmm. I don't find the idea of needing a new nonprofit to be that suspicious by itself, because it can sometimes be easier to start a new org + move assets/programs over than it would be to modify an existing org's charter, etc.

My concern was the lack of names on the page + lack of links to it from reliable sources. Ars and others have now linked it, though, so I guess it's probably legit?

@0xabad1dea @rootwyrm @desperadoduck Thank you! Now I understand, and this is of course really important. Appreciate you taking the time to explain!