
‘Stupid and Dangerous': CISA Funding Chaos Threatens Essential Cybersecurity Program
Apr 16, 2025 4:10 PM
The CVE Program is the primary way software vulnerabilities are tracked. Its long-term future remains in limbo even after a last-minute renewal of the US government contract that funds it.
In an eleventh-hour scramble before a key contract was set to expire on Tuesday night, the United States Cybersecurity and Infrastructure Security Agency renewed its funding for the longtime software vulnerability tracking project known as the Common Vulnerabilities and Exposures Program. Managed by the nonprofit research-and-development group MITRE, the CVE Program is a linchpin of global cybersecurity—providing critical data and services for digital defense and research.
The CVE Program is governed by a board that sets an agenda and priorities for MITRE to carry out using CISA's funding. A CISA spokesperson said on Wednesday that the contract with MITRE is being extended for 11 months. 'The CVE Program is invaluable to the cyber community and a priority of CISA,' they said in a statement. 'Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience.'
MITRE's vice president and director of the Center for Securing the Homeland, Yosry Barsoum, said in a statement on Wednesday that, 'CISA identified incremental funding to keep the Programs operational.' With the clock ticking down before this decision came out, though, some members of the CVE Program's board announced a plan to transition the project into a new nonprofit entity called the CVE Foundation.
'Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,' the Foundation wrote in a statement. 'This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the US government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.'
It is unclear who from the current CVE board is affiliated with the new initiative other than Kent Landfield, a longtime cybersecurity industry member who was quoted in the CVE Foundation statement. The CVE Foundation did not immediately return a request for comment.
CISA did not respond to questions from WIRED about why the fate of the CVE Program contract had been in question and whether it was related to recent budget cuts sweeping the federal government as mandated by the Trump administration.
Researchers and cybersecurity professionals were relieved on Wednesday that the CVE Program hadn't suddenly ceased to exist as the result of unprecedented instability in US federal funding. And many observers expressed cautious optimism that the incident could ultimately make the CVE Program more resilient if it transitions to be an independent entity that isn't reliant on funding from any one government or other single source.
'The CVE Program is critical and it's in everyone's interest that it succeed,' says Patrick Garrity, a security researcher at VulnCheck. 'Nearly every organization and every security tool is dependent on this information and it's not just the US, it's consumed globally. So it's really, really important that it continues to be a community-provided service and we need to figure out what to do about this because losing it would be a risk to everyone.'
Federal procurement records indicate that it costs in the tens of millions of dollars per contract to run the CVE Program. But in the scheme of the losses that can occur from a single cyberattack exploiting unpatched software vulnerabilities, experts tell WIRED, the operational costs seem negligible versus the benefit to US defense alone.
Despite CISA's last-minute funding, the future of the CVE Program is still unclear for the long term. As one source, who requested anonymity because they are a federal contractor, put it: 'It's all so stupid and dangerous.'
Related Articles
Forbes (a day ago)
New Chrome, Edge Deadline—Update And Restart All Browsers Now
Don't leave it too late. Google made headlines this week, releasing an emergency Chrome update and confirming it had quietly stopped attacks by pushing out changes to all browsers. This is not just a Chrome issue. Microsoft has also updated Edge to mitigate the same threat. With Chrome so dominant on Windows desktops, it's easy to overlook that Edge runs on the same Chromium platform and is often exposed to the same vulnerabilities. That's certainly the case here, and it means all users need to take note.
CISA has now mandated that federal staff update or stop using all Chromium browsers by June 26. 'This vulnerability could affect multiple web browsers that utilize Chromium,' it says, 'including, but not limited to, Chrome, Microsoft Edge, and Opera.' This is only mandatory for federal staff, but all users should do the same.
Microsoft warns Edge users that its latest update 'contains a fix for CVE-2025-5419 which has been reported by the Chromium team as having an exploit in the wild.' This echoes Google's initial warning from June 2, which came with its own emergency update. For its part, America's cyber defense agency warns that 'Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.'
While browser vulnerabilities affect mobile platforms and Macs, the primary risk is with Windows PCs. Chrome dominates with a 65% market share to Edge's 14%, albeit the latter is slowly growing. Other browsers remain also-rans outside Apple's ecosystem and Safari. Given Google's and CISA's warnings, updating immediately is critical. As Qualys points out, 'currently, no publicly available information exists regarding exploiting this Google Chrome vulnerability by any specific threat actors. The absence of reports does not necessarily mean the vulnerability is not being exploited.'
As ever with such threats, the maximum risk is the period between public disclosure and the majority of users applying updates. Attackers know they're on the clock. That's why Google and others do not issue any further detail at this early stage.
Yahoo (2 days ago)
Jen Easterly to Keynote 2025 Hybrid Identity Protection Conference
Easterly joins identity-first defenders at the award-winning conference, October 7–9 in Charleston, SC
HOBOKEN, N.J., June 6, 2025 /PRNewswire/ -- Semperis, a leader in AI-powered identity security and cyber resilience, today announced that Jen Easterly, former Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), will keynote the Hybrid Identity Protection Conference (HIP Conf), taking place October 7-9 in Charleston, SC. A globally recognized leader in cybersecurity and national defense, Easterly led CISA through a transformative period—scaling it into a $3 billion agency with over 10,000 personnel and establishing it as a cornerstone of U.S. cyber defense. A combat veteran, former Morgan Stanley executive, and cybersecurity pioneer, Easterly brings decades of experience at the intersection of security, technology, and resilience.
"Defenders working in hybrid identity environments set the standard for resilience in a world where adversaries move fast and trust is everything," said Easterly. "We are in an era where adversaries exploit every weakness and identity is the first and last line of defense. I am looking forward to joining this community at the upcoming HIP Conf."
HIP Conf is the premier global event for identity-first defenders, uniquely focused on securing hybrid and multi-cloud environments. This year's Semperis conference will deliver the latest in identity threat detection and response (ITDR); Active Directory, Entra ID, and Okta security; and building operational resilience in a rapidly evolving threat landscape. The 2025 program features a robust lineup of technical sessions and strategic insights from dozens of leaders across industry, government, and academia. Key sessions include:
- What's New, What's Next? Active Directory Roadmap – Linda Taylor, Principal Software Engineer, Microsoft
- A Quarter Century, a Quarter Million Breaches: AD Security & Incident Response in 2025 – Michael Van Horenbeeck, CEO, The Collective
- The State of Identity Security 2026 – Henrique Teixeira, SVP, Strategy, Saviynt, and David Lee, Field CTO, Saviynt
- Beyond Backups: Practical Steps to Build Operational Resilience – Ben Cauwel, Head of Cyber Security, Capgemini
- From Hybrid to Full Cloud: Is It Right for You? – Joe Kaplan, Security Delivery Associate Director, Accenture
- Demystifying Managed Service Accounts: Best Practices & Security Measures to Reduce Risk – Jorge De Almeida Pinto, Senior Incident Response Lead, Semperis
Additional speakers and sessions to be announced.
Longtime HIP advocate Alex Weinert, Chief Product Officer at Semperis and former VP of Identity Security at Microsoft, returns to the stage for his third consecutive year. "Identity is the new security perimeter, and as organizations modernize their infrastructure, they need to stay ahead of increasingly complex identity-based attacks," said Weinert. "HIP continues to be a go-to event for real-world strategies and community connections. We're proud to be leading this important global conversation."
Unlike broader cybersecurity conferences, HIP Conf is purpose-built for practitioners managing and defending hybrid identity environments. The event fosters long-term collaboration, community, and real-world knowledge sharing that continues well beyond the conference. For more information and to register for HIP Conf 25, visit:
About the Hybrid Identity Protection Conference
Mobile workforces, cloud applications, and digitalization are changing every aspect of the modern enterprise. With radical transformation comes new business risks. The Hybrid Identity Protection Conference (HIP Conf) is the premier educational forum for identity-centric practitioners. Whatever the industry sector or job function, HIP strives to provide its community with the insights and relationships needed to enable and protect today's digitally driven organizations. Learn more about HIP Conf 25 via our social media feeds: X / LinkedIn / Facebook
About Semperis
Semperis protects critical enterprise identity services for security teams charged with defending hybrid and multi-cloud environments. Purpose-built for securing hybrid identity environments—including Active Directory, Entra ID, and Okta—Semperis' AI-powered technology protects more than 100 million identities from cyberattacks, data breaches and operational errors. As part of its mission to be a force for good, Semperis offers a variety of cyber community resources, including the award-winning Hybrid Identity Protection (HIP) Conference, HIP Podcast, and free identity security tools Purple Knight and Forest Druid. Semperis is a privately owned, international company headquartered in Hoboken, New Jersey, supporting the world's biggest brands and government agencies, with customers in more than 40 countries. Learn more: Follow us: Blog / LinkedIn / X / Facebook / YouTube
Media Contact: Bill Keeler, Senior Director, PR & Comms, billk@
SOURCE Semperis