Wow. CVE database is in serious trouble, tomorrow.

The cyber industry as a whole is in trouble also really, it’s the elephant in the room - the collapse of the White House’s support for cybersecurity is obvious and pronounced due to widespread cutbacks.

My take on the CVE contract issue for businesses: don’t overreact, wait and see what impacts are.

The NVD backlog was already pretty crazy... the US gov has gotta put real funding into this area if it wants to retain control of cyber standards.

Just as an update to this - @briankrebs has confirmed with MITRE the letter is real, and as it stands the CVE database is likely to go offline tomorrow.

To widen it out - CVE is the globally recognised system orgs use for vulnerability management.

Every vulnerability management product uses CVEs. Vulnerability management is a core part of cybersecurity - often, the most important part.

Additionally, CVE is written into several US government standards that orgs have to follow.

So the US Government not funding it is a major and historic own goal.

There's an argument that MITRE should try to keep everything alive and run things without funding and contracts etc. but, honestly? My take - stop doing everything that isn't in the contract. Force the issue.
CISA comment on CVE situation - they say the contract “will” lapse tomorrow. https://infosec.exchange/@metacurity/114344326544856491
Metacurity (@[email protected])

Regarding the end of MITRE's CVE program, here's a statement that a CISA spokesperson gave me for a piece I'm writing.

Infosec Exchange
MITRE-backed cyber vulnerability program to lose funding Wednesday

Organizations across industry, government, national security and critical infrastructure rely on the CVE Program, which serves as the de-facto global standard for vulnerability identification and management.

Nextgov.com
DOGE have terminated MITRE's contracts; they say they will be laying off nearly 500 people. This will have impacts beyond CVE - think MITRE ATT&CK etc. https://virginiabusiness.com/nova-govcon-firm-mitre-to-lay-off-442-employees-after-doge-cuts-contracts/
NoVa govcon firm Mitre to lay off 442 employees after DOGE cuts contracts

Federal contracting firm Mitre, which has dual headquarters in McLean and Massachusetts, expects to lay off 442 people in Virginia in two months. The cuts come after the Trump administration has announced more than $28 million in canceled contracts for the company. Mitre notified the state Wednesday of 442 job cuts in McLean, in compliance […]

Virginia Business
If you want to know how stupid the CVE situation is - CISA are trying to source last minute funding or look at taking CVE management in house, but they themselves have had a massive budget cut where the staff trying to fix it are also at risk of being cut.
Looks like the US Government are going to lose control of CVE. https://www.thecvefoundation.org/
CVE Foundation

FOR IMMEDIATE RELEASE April 16, 2025 CVE Foundation Launched to Secure the Future of the CVE Program [Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a

Another effort - https://gcve.eu/ Global CVE Allocation System. @gcve
GCVE.eu

@GossiTheDog Love the "let me put some anonymous website up and Yolo it" attempts. I'm sure it's a well funded long term commitment. GCVE vs lettuce webcam time...
@viraptor @GossiTheDog So they're anonymous just because you've never heard of them?
https://www.circl.lu/mission/rfc2350/
CIRCL » RFC 2350 CIRCL - the CERT for the private sector, communes and non-governmental entities in Luxembourg

@oya3un @GossiTheDog more of a - there's only one org reference on the contact page in a postal address. No specific people, nothing about goals, funding, GitHub org is not connected to circl, etc. I just expected a "who are we and why should you care about this specific project" page, regardless of whether I know about circl or not.
(Actually, I think I looked at the page initially before contact was even there)
@viraptor @GossiTheDog Just so I understand what you're saying: there's an overnight emergency rescue attempt to sustain the CVE system (one of several in the European Union, by the way) by a very much official state CERT (Luxembourg being rather wealthy might even answer your concerns about funding), backed by a government not in any imminent danger of being taken over by fascist baboons, and you complain about a missing link between the repo of an improvised web site and its mothership?
@oya3un yeah. Otherwise how do we know it's in any way related? As much as it's an emergency, it's unlikely major changes will be made and full systems established within days.
Meanwhile we've got at least 3 officially-ish looking efforts and more randos popping up with a static site saying they're building a replacement. Which feels like either people aren't communicating well or not all the new orgs are real.
(But yes, I've seen a very early link - now it's been confirmed already)