CISA’s Reversal Extends Support for CVE Database



The nonprofit organization MITRE, which maintains the Common Vulnerabilities and Exposures (CVE) database, said on April 15 that the US government funding for its operations will expire without renewal; however, in a last-minute reversal announced the morning of April 16, CISA said it has extended support for the database. At the same time, CVE Board members have founded the CVE Foundation, a nonprofit not affiliated with the US federal government, to maintain the CVE program.

The CVE program, which has been in place since 1999, is an essential way to report and track vulnerabilities. Many other cybersecurity resources, such as Microsoft’s Patch Tuesday update and report, refer to CVE numbers to identify flaws and fixes. Organizations called CVE Numbering Authorities are associated with MITRE and authorized to assign CVE numbers.

“CVE underpins a huge chunk of vulnerability management, incident response, and critical infrastructure protection efforts,” wrote Casey Ellis, founder of crowdsourced cybersecurity hub Bugcrowd, in an email to TechRepublic. “A sudden interruption in services has the very real potential to bubble up into a national security problem in short order.”

MITRE’s funding was expected to run out without renewal

A letter sent to CVE board members began circulating on social media on Tuesday.

“Current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,” said the letter from Yosry Barsoum, vice president and director of the Center for Securing the Homeland, a division of MITRE.

CWE is Common Weakness Enumeration, the list of hardware and software weaknesses.

“The government continues to make considerable efforts to continue MITRE’s role in support of the program,” Barsoum wrote.

MITRE is traditionally funded by the Department of Homeland Security.


MITRE did not respond to TechRepublic’s questions about the cause of the expiration or what cybersecurity professionals can expect next.

The foundation has not specified whether the cut in funding is related to the widespread cull by the Department of Government Efficiency (DOGE).

CVE Foundation has been laying the groundwork for a new system for the past year

Prior to CISA’s announcement, an independent foundation said they were prepared to step in to continue the CVE program. The CVE Foundation is a nonprofit dedicated to maintaining the CVE submission program and database.

“While we had hoped this day would not come, we have been preparing for this possibility,” wrote an anonymous CVE Foundation representative in a press release on Wednesday. “In response, a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation.”

The CVE Foundation plans to detail its structure, timeline, and opportunities for involvement in the future. With CISA extending funding, the foundation may not be needed yet – although it may be reassuring to know its services and backups are available.
