Wow. CVE database is in serious trouble, tomorrow.
The cyber industry as a whole is in trouble also really, it’s the elephant in the room - the collapse of the White House’s support for cybersecurity is obvious and pronounced due to widespread cutbacks.
My take on the CVE contract issue for businesses: don’t overreact, wait and see what impacts are.
The NVD backlog was already pretty crazy.. the US gov has gotta put real funding into this area if it wants to retain control of cyber standards.
To widen it out - CVE is the globally recognised system orgs use for vulnerability management.
Every vulnerability management product uses CVEs. Vulnerability management is a core part of cybersecurity - often, the most important part.
Additionally, CVE is written into several US government standards that orgs have to follow.
So the US Government not funding it is a major and historic own goal.
Listen to this article Federal contracting firm Mitre, which has dual headquarters in McLean and Massachusetts, expects to lay off 442 people in Virginia in two months. The cuts come after the Trump administration has announced more than $28 million in canceled contracts for the company. Mitre notified the state Wednesday of 442 job cuts […]
FOR IMMEDIATE RELEASE April 16, 2025 CVE Foundation Launched to Secure the Future of the CVE Program [Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a
CISA have, at the last minute, extended the MITRE CVE contract. “The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.” HT @metacurity
It’s unclear how long it has been extended for.
CVE extension to March 16th 2026
See y’all March 15th 2026 for the last minute renewal 🫡😅
https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000018_7001_70RSAT20D00000001_7001
MITRE’s statement is interesting as they included trademark and copyright symbols on terms like CVE.. one to watch as people try to start their own systems.
What do you believe? We believe that CVEs are the cornerstone of cybersecurity defense. Without a common language to communicate about vulnerabilities, chaos follows. This is why the CVE Program was created 25 years ago and it is even more true today. We believe in a free, publicly available
> The commenter from F5, MZMegaZone, seemingly the principal security engineer at F5, ...
https://www.linkedin.com/in/megazone/
🤷♂️
@GossiTheDog @thecvefoundation the fact that people are afraid to reveal their names for this is very telling.
We are in a strange fucking place.
@acalarch @GossiTheDog Most of the people involved have 'day jobs' and not all employers are necessarily supportive. Some people asked to have time to first discuss what's happening with their employer before their name is public.
Especially as we're already seeing people presume that because someone involved with the Foundation works for Employer X it must mean Employer X is backing the Foundation - which is not safe to assume. So there is some concern about blowback on employers causing problems for the individual.
People are participating as individuals, not corporate representatives. As people are comfortable being named they'll be added to the FAQ entry.
(This is MegaZone. F5 is not officially involved, but supports employees working on initiatives outside of F5. They're aware of what I'm doing - our CEO commented on my LinkedIn post about being part of this.)
@GossiTheDog I have to say, as someone who lives in the D.C. area and is plugged into gossip networks of both civil servants and contractors…there is a lot of this kind of thing* going on lately.
*”This kind of thing” being “the contract is off, no, wait, now it’s back on.”
@GossiTheDog Do they understand that if you smash the trust-china, it will not hold the soup in the future?
The last sentence reads like an intentional insult to me.
@GossiTheDog @metacurity I feel like this short period of uncertainty has done enough damage that alternatives will come forward regardless of what will happen to MITRE in the future.
I just hope that we'll be able to arrive at a better independent and decentralized solution without completely fragmenting into multiple competing standards
@GossiTheDog @gcve Great, now there are three competing standards... Waiting for a fourth one from China...
Also, their FAQ doesn't cover even the very basic question - how do I request an ID for a vulnerability that I have discovered?
Ok, but why don't we just use OIDs?
They're hirarchical and already delegated to a lot of organizations. And they're already used at other places like TLS certs and such.
Also you can address anything and everything with them.
Kevin Beaumont
Martin Seeger
Andreas
Acalarch
The CVE Foundation
Bendik J. I. Iversen
AntiComposite
CatSalad🐈🥗 (D.Burch) 
Philip Mallegol-Hansen
esa
Daniel Ares
Misuse Case
number137
Morgan Davis
Christof Damian 💙💛
Jon
Pedro
0xNut 
Nemo
dj2mn
Kris
wall-e / Daniel
Xavier «X» Santolaria 
Ulrich Plate
oh hey it's corruptdropbear
Viraptor
VessOnSecurity
Pierce
Klaus Frank
intuentis0x0