I boosted several posts about this already, but since people keep asking if I've seen it....

MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration Program, will expire on April 16. The CVE database is critical for anyone doing vulnerability management or security research, and for a whole lot of other uses. There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the US government, which is a major consumer of this information, btw.

I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April.

https://www.usaspending.gov/award/CONT_AWD_70RCSJ23FR0000015_7001_70RSAT20D00000001_7001

MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject

Yosry Barsoum, vice president and director at MITRE's Center for Securing the Homeland, said:

“On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”


It's worth asking again who would benefit from taking CVE offline? Surely not the United States government, nor its private companies. Not its allies (such as they are now) in Europe. But it almost certainly would help our adversaries, like China and Russia, because confusion and uncertainty works to their advantage always.
Probably the last CVE indexed before it goes dark should be CVE-2025-DOGE (critical, local privilege escalation vulnerability that leads to malicious code execution and data exfiltration).
@briankrebs uh what? CVEs are only made for software programs and hardware right? i'd have to check the CVSS scoring system but I think they're only made for software and hardware, unless dogecoin is still around and there is a vulnerability in its code
@adisonverlice @briankrebs I think DOGE qualifies as a configuration of the quintessential Evil Maid

@cmdrmoto but again, CVEs are only assigned to software, hardware, and computer systems. Not specific people, not government agencies, only those 3 categories
"Currently, IT management must identify and assess vulnerabilities across many disparate *hardware* and *software* platforms"
I don't think I mentioned *government agencies* now did I?
btw, here is the document I took that from

https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=51198.

@adisonverlice @cmdrmoto You are correct, and also it doesn't matter.
@adisonverlice @cmdrmoto I believe Brian is being satirical here.

@adisonverlice you appear to be someone who could use a refresher on the definition of the word "rhetorical," so here you go. I'd offer a definition for "bloody exhausting" as well, but you seem to have a solid handle on that one already.

https://www.merriam-webster.com/dictionary/rhetorical


@adisonverlice @briankrebs DOGE most certainly qualifies as a cybersecurity vulnerability.
@TheRealPomax CVSS will not rate it because it is not software or hardware.
CVE and CVSS (as stated in another reply) only work on software and hardware in computer systems.
DOGE is a *government agency*, not a *processor*, a *piece of code and/or software*, nor is it a *programming language* or any sort of software.
So CVSS wouldn't rate it. If CVE were different in that it did, say, rate government agencies, then I would agree. But I don't, because CVSS and CVE only apply to software and hardware
@adisonverlice Do... you not know who Brian is? Did you completely miss the part where this is a grim joke based on current events by one of the most well known names in cyber security reporting?
@TheRealPomax the only way I know it is a joke is if it is placed in a content warning.
Also, yes, I know who Brian is; I've emailed him and I've communicated with him personally before. Respectable guy, definitely, but he should've put things in a content warning saying something like "joke" or "cybersecurity joke", that way it is obvious

@adisonverlice Jokes don't need to be "funny haha it's just a joke, it's not serious", they can also be incredibly serious and harshly confrontational social commentary about how the US is getting dismantled at the moment and DOGE is at the forefront of that effort in the digital space.

This was one of those.

@TheRealPomax still, it would've been nice to have a content warning. Something like "partial joke, partial reality" would've been good too. When I make jokes, I will often have a content warning, even if it has some reality to it
@TheRealPomax what I will agree with is that yes, DOGE doesn't seem to have their cybersecurity straight. Boy, cyberattacks may happen for 4 more years.
Still, if a joke is to be made, there should be a content warning so we know it's a joke, or even partially a joke.
Otherwise, I'm going to take it as if he meant it and I will start fact-checking. And no, I am not an AI, so I don't randomly ban people just for false facts or wish them to be banned, but I will certainly call them out

@adisonverlice Didn't think you were, but I do think you're unfamiliar with how social commentary works, and misunderstood what was being said and why.

The worst thing language can do is only ever be literal; there's context and nuance, and if that's not understood, that's not something to demand people hide.

Language is a rich thing; literal interpretation only gets you so far.

@TheRealPomax not everyone, especially myself, can easily distinguish a joke from reality, unless it is super obvious there is some joke and some reality. And I don't think a content warning hides it, it just makes it obvious to the reader so they know what they're getting into.
Either way, I can agree with Brian's statement that if this continues, we are definitely fucked. We really need to look at how the government is doing cybersecurity. I know we don't have the time to make our own civilian-run government inside the US, but still, things should be investigated
@adisonverlice @TheRealPomax
Ah, no need to argue, it's just https://en.m.wikipedia.org/wiki/Poe's_law at work, hehe. Misunderstandings happen, and I can e.g. mark it as /s to be more obvious, but well, now you know. (btw, I don't want to claim anything, and no offense, but I know people who would likely say they are autistic and don't understand this, and this is totally fine! 'Cause respecting their needs is good.)

@adisonverlice @briankrebs ... and speaking of #DOGEcoin:

New commits in at least 2 repos, 2 weeks ago: https://github.com/dogecoin

4 days ago: https://bitcoinist.com/dogecoin-major-upgrade/

There are plenty of DOGEcoin #repos as official sources and forks that are all open and maintained; and ample enough support material that is likewise very up to date.

I stumbled upon their official repo while searching for something else, but I don't know who's who, to know if any/all are related to the #DOGE DOGgiE boys.

@lumiworx well, at least it's open source then... now *that* would call for a CVE if it had vulnerabilities... it's software, so that would be what would have CVEs.

@adisonverlice @briankrebs ... well, my reason for posting this wasn't for any ties to CVEs, but just to point out that there actually is a public project known as DOGEcoin.

And again, I have no idea if it's even remotely related to DOGE, I simply don't know the political terrain well enough, nor do I have the contacts or tools to investigate properly.

@briankrebs CVE Score - 10.1.
@Salty @briankrebs IMO, if there was ever a time a "goes to 11" reference were needed, it'd be here.

@briankrebs Shouldn't officers from FBI, CIA, DIA, NSA, Department of Homeland Security & other agencies consequently all have their stopping hands on the shoulders of everyone serving "DOGE" & enemies of the United States?

#RuleOfLaw #DefendTheConstitution #DefendTheUnion #DOGE #Espionage #DataTheft #DataBreach #NationalSecurityThreat #ObstructionOfNationalDefense #USPol #USPolitics

@ArenaCops @briankrebs Show them this, and they might actually sit up and take note:

"This declaration details DOGE activity within NLRB, the exfiltration of data from NLRB systems, and – concerningly – near real-time access by users in Russia. Notably, within minutes of DOGE personnel creating user accounts in NLRB systems, on multiple occasions someone or something within Russia attempted to login using all of the valid credentials (eg. Usernames/Passwords)."

https://whistlebloweraid.org/wp-content/uploads/2025/04/2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf

@slowenough @ArenaCops @briankrebs

Sadly, this all fits within the notion that bumbling wannabe-dictators are removing all the mechanisms that would stop them from doing any arbitrary thing they want to, with utter disregard for the real-world consequences of removing those mechanisms.

It's fascist dictatorship, but run by clowns.

@n1xnx @slowenough @briankrebs The least & worst entertaining clowns, that are causing real harm to real people.
@ArenaCops @briankrebs
Have you seen who Trump has appointed to the FBI, DHS, etc? You could hack their accounts and post their nudes for all to see and the only response would be to try to find the hackers and send them to El Salvador, not to fund the CVE database. Cyber security takes forethought and insight into the underlying problems and systems and these people don't do nuance.
@briankrebs penetrate and patch is dead. Long live penetrate and patch.

@briankrebs

++

Question: what do these nations use for similar distribution of vulnerability information, to address the confusion/lack of information?

@Amgine well presumably the attackers call these things by different names (without CVEs in them) prior to their being indexed by MITRE and the affected vendors. The longer defenders don't know how to call the same thing the same thing, that's advantage attackers, IMO.
@briankrebs @Amgine And that was the original purpose behind CVE back when it came into existence in the late 90s - remove the confusion. And that was when tech wasn't nearly as interconnected and interdependent as it is now.

@briankrebs

I was thinking more along the lines of how does China or Russia or Iran inform their industry of risks and dangers from, for example, Stuxnet or Stars.

Do they maintain something equivalent to MITRE?

@briankrebs @simplenomad

The implication I am trying to make is: addressing vulnerabilities is a shared responsibility in common with most computer users everywhere. It is only a limited subset, those wishing to use those vulnerabilities to do harm, who want to interrupt such work.

@Amgine @briankrebs that's a very interesting question... and sadly it does not look good either

For instance, in China the CNCERT used to maintain a national vulns db. Vulns were named "CNCVE-(year)-(id)", broadly following MITRE's path

But, for a few years now, a new policy has ordered Chinese citizens to declare vulns on a new portal, the CNNVD (not to be confused with the CNVD, which is something else, also vulns related). This portal is not maintained by the CNCERT, but by the Chinese MSS. It is also partially nonpublic.

Yes, vulnerability management was effectively removed from the Chinese CISA and given to the Chinese NSA...

Vulns from the CNNVD are named "CNNVD-(year)(month)-(id)". However, there are multiple reports of intentional withholding/alterations on the platform: obvious lies on discovery/published dates; vulns not being published despite having huge impact, including in China; etc...

@Amgine @briankrebs TIL that the "Federal service for technical and export control" (ФСТЭК) has its own vulnerability database, and they even accept reports: https://bdu.fstec.ru/contacts/vulreport

(Skip the TLS errors, they use the government's certificate authority)


@Amgine @briankrebs

Also in Russia there's a similar database, https://bdu.fstec.ru/vul (the root cert is issued by a Russian domestic CA, thus it won't be trusted by most browsers)

@briankrebs They don't care. All they see is money the government isn't giving to their favorite companies.

@briankrebs

Uncertainty is the fuel fascism needs

@briankrebs the current government benefits.
@briankrebs That's just so stupid and pointless.
@briankrebs I wonder how FedRAMP's vulnerability scanning and reporting requirement feels about this. https://www.fedramp.gov/assets/resources/documents/CSP_Vulnerability_Scanning_Requirements.pdf
@briankrebs Umm... so... given the complexity of the, what, thousands of different unique services that power the contemporary internet, we're... fucked?
@elight @briankrebs Everyone gets to find out about everyone else's OnlyFans subscriptions in a few months

@briankrebs So you know that terrible Red Dawn remake...maybe it wasn't so terrible.

I can't even fathom how this is a good idea in their minds.

@Dreugan@mastodon.social @briankrebs yeah, that Red Dawn remake was also edited in post to make China feel better about not being the villains.
@hal8999 @briankrebs Bottom line over accuracy.
@_Dreugan_ @briankrebs
No....it was terrible.
And the original is equally bad.

@ClipHead @briankrebs The original is great, hush.

I was more referring to the premise on the invasion in the remake.

@_Dreugan_ @briankrebs
It is? 😅
Okay.

Yeah, I know. And funny to see that they had to change all the flags in postproduction to North Korean ones, to not upset China.

@ClipHead @briankrebs You can't hate some good 80s Swayze cheese.
@briankrebs This is a disaster. There are no alternatives? Europe?
EUVD

EU Vulnerability Database (EUVD) - the official EU repository for timely, curated cybersecurity vulnerability intelligence and remediation guidance.