Kevin BeaumontApr 15

Wow. CVE database is in serious trouble, tomorrow.

The cyber industry as a whole is in trouble also really, it’s the elephant in the room - the collapse of the White House’s support for cybersecurity is obvious and pronounced due to widespread cutbacks.

Show threadKevin BeaumontApr 15
Show threadKevin BeaumontApr 15

My take on the CVE contract issue for businesses: don’t overreact, wait and see what impacts are.

The NVD backlog was already pretty crazy.. the US gov has gotta put real funding into this area if it wants to retain control of cyber standards.

Show threadKevin BeaumontApr 15
Just as an update to this - @briankrebs has confirmed with MITRE the letter is real, and as it stands the CVE database is likely to go offline tomorrow.
Show threadKevin BeaumontApr 15

To widen it out - CVE is the globally recognised system orgs use for vulnerability management.

Every vulnerability management product uses CVEs. Vulnerability management is a core part of cybersecurity - often, the most important part.

Additionally, CVE is written into several US government standards that orgs have to follow.

So the US Government not funding it is a major and historic own goal.

Show threadKevin BeaumontApr 15
There's an argument that MITRE should try to keep everything alive and run things without funding and contracts etc.. but, honestly? My take - stop doing everything that isn't in the contract. Force the issue.
Show threadKevin BeaumontApr 15
CISA comment on CVE situation - they say the contract “will” lapse tomorrow. https://infosec.exchange/@metacurity/114344326544856491
Metacurity (@metacurity@infosec.exchange)

Attached: 1 image Regarding the end of MITRE's CVE program, here's a statement that a CISA spokesperson gave me for a piece I'm writing.

Infosec Exchange
Show threadKevin BeaumontApr 15
NextGov piece on the CVE mess. https://www.nextgov.com/cybersecurity/2025/04/mitre-backed-cyber-vulnerability-program-lose-funding-wednesday/404585/
MITRE-backed cyber vulnerability program to lose funding Wednesday

Organizations across industry, government, national security and critical infrastructure rely on the CVE Program, which serves as the de-facto global standard for vulnerability identification and management.

Nextgov.com
Show threadKevin BeaumontApr 16
DOGE have terminated MITREs contracts, they say they will be laying off nearly 500 people. This will have impacts beyond CVE - think MITRE ATT&CK etc. https://virginiabusiness.com/nova-govcon-firm-mitre-to-lay-off-442-employees-after-doge-cuts-contracts/
NoVa govcon firm Mitre to lay off 442 employees after DOGE cuts contracts

Listen to this article Federal contracting firm Mitre, which has dual headquarters in McLean and Massachusetts, expects to lay off 442 people in Virginia in two months. The cuts come after the Trump administration has announced more than $28 million in canceled contracts for the company. Mitre notified the state Wednesday of 442 job cuts […]

Virginia Business
Show threadHoward
@GossiTheDog Cue Ursula Van der Leyen holding a press conference with words and stuff.
Apr 16 at 8:20amWeb