- CVE funding gets last-minute funding reprieve
- A MITRE head told CVE board members that government funding is about to expire
- Some have called the move “reckless and ignorant”
US government funding for CVE, a program that publicly lists known software vulnerabilities, will continue for the time being, despite initial reports it would expire.
Cuts being made by the US government across the board had meant CVE could have lost funding, which could heavily erode the cybersecurity of all organizations, from small businesses to critical infrastructure firms.
However, a CISA spokesperson revealed the organization executed an option period on the contract “to ensure there will be no lapse in critical CVE services”.
CVE extension
“The CVE Program is invaluable to the cyber community and a priority of CISA,” the comment added.
Sponsored by the US Cybersecurity and Infrastructure Security Agency (CISA), CVE, or Common Vulnerabilities and Exposures, is a program run by MITRE Corporation, a US government-funded nonprofit that manages federally sponsored research and development.
The program works by assigning a unique identifier to every newly discovered vulnerability, allowing cybersecurity pros, software developers, and organizations to properly identify and address flaws in software.
NextGov says Yosry Barsoum, the director of MITRE’s Center for Securing the Homeland, recently sent an internal memo to CVE board members, warning about the possibility of losing funding. When the memo leaked to social media, MITRE confirmed its legitimacy.
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” the notice warned.
“Reckless and ignorat”
CVE was not the only program at risk of losing government funding. Common Weakness Enumeration (CWE), another MITRE-run program, is also at risk of losing funding at the same time. CWE is a catalog of software and hardware security weaknesses that focus on the root causes, the underlying programming or design errors that attackers can exploit.
NextGov says that CISA is looking at “significant cuts” across several of its teams, including with contractors. Some contracts were already terminated, while others will simply be left to expire.
We could say that CVE dodged the bullet, since the consequences could be quite dire.
House Science Committee Ranking Member Zoe Lofgren D-Calif. and Committee on Homeland Security Ranking Member Bennie Thompson, D-Miss. called the funding lapse “reckless and ignorant” and said it would undermine cybersecurity around the world.
“The Common Vulnerabilities and Exposures Program makes sure every service, device, and system is removing discovered vulnerabilities,” NextGov cited a statement.
“From your personal computer to the electric grid to nuclear facilities — they all rely on the CVE. Eliminating this contract will allow malicious actors to operate in the dark. We call on the Department of Homeland Security to fully restore funding to this program before catastrophe strikes.”
Chris Burton, Head of Professional Services at Pentest People, believes the community could step up in the government’s place.
“It’s completely understandable there are concerns about the government pulling funding for the MITRE program, it’s a troubling development for the security industry,” he told TechRadar Pro in a mailed statement.
“If the issue is purely financial, crowdfunding could offer a viable path forward, rallying public support for a project many believe in. If it’s operational, there may be an opportunity for a dedicated community board to step in and lead. Either way, this isn’t the end, it’s a chance to rethink and reimagine. Let’s not panic just yet; there are still options on the table, as a global community, I think we should see how this unfolds.”
Via NextGov
Leave a comment