Latest news with #CommonVulnerabilitiesandExposuresProgram

CVE's Near Cybersecurity Miss Averted — But The World Must Step Up

Forbes, 17-04-2025

The cybersecurity world was shocked by the near-shutdown of the CVE system, a quiet crisis that nearly disrupted the backbone of global vulnerability coordination.

In cybersecurity, some moments pass quietly. Others expose deep fault lines. The near shutdown of the Common Vulnerabilities and Exposures Program — operated by MITRE and funded by the United States Cybersecurity and Infrastructure Security Agency — was the latter. With just hours left before funding expired, CISA, already operating under intense budget pressure, extended the contract and narrowly averted disruption to the backbone of global vulnerability coordination. This wasn't a budget hiccup or a sensational DOGE headline. It was a warning flare.

For more than two decades, CVE has served as the global catalog of known cybersecurity vulnerabilities. Everyone — from intelligence agencies and infrastructure operators to security vendors and open-source developers — relies on it. Yet one nation has carried the cost while the entire world benefits. That model is no longer sustainable, and it never truly was.

MITRE is a federally funded research and development center, a nonprofit that operates exclusively in the public interest. It runs multiple research centers on behalf of agencies such as the Department of Defense, the Department of Homeland Security, the Federal Aviation Administration and the Centers for Medicare and Medicaid Services. Unlike commercial firms, MITRE doesn't sell products or compete for private contracts. Its mandate is to solve problems too complex, sensitive or mission-critical for the private sector to address alone.

In cybersecurity, MITRE is best known for stewarding:

  • CVE: Common Vulnerabilities and Exposures, the global identifier system for software flaws
  • ATT&CK: a framework of adversary tactics and techniques
  • CWE: Common Weakness Enumeration, a catalog of software design weaknesses

MITRE operates quietly but critically, a trusted technical authority at the center of digital defense. And for the record, MITRE doesn't stand for anything. It's a legacy name, like RAND. Originally affiliated with the Massachusetts Institute of Technology, the organization has long since outgrown its acronymic roots.

CVE is the Rosetta Stone of vulnerability management. Every publicly disclosed software flaw receives a unique identifier, enabling defenders, vendors and governments to coordinate response, issue guidance and deploy patches with precision. Without CVE:

  • Teams use inconsistent naming conventions
  • Alerts become fragmented
  • Security tools lose interoperability
  • Threat intelligence sharing breaks down

As Jen Easterly, the former Director of CISA, noted this week, CVE is more than a database — it is 'a pillar of operational resilience and national security.' And it came dangerously close to collapse.

The Trump administration has made clear its intent to streamline federal spending and question programs that do not yield direct national benefit. Whether this latest contract drama was the result of oversight or intentional brinkmanship, the outcome is the same: a critical global system was nearly put at risk because of domestic budget negotiations.

Then the shock to the system came. On April 15, MITRE issued a stunning warning: funding for the CVE system would expire within 24 hours. The cybersecurity community responded with alarm. A breakdown in this system would mean chaos: confusion among defenders, delayed patching and increased exposure to active threats. Hours before the deadline, CISA issued an eleven-month extension.

But while the short-term crisis was averted, the structural risk remains. CVE is a global system, yet it lives entirely on American funding. Since 1999, MITRE has operated CVE under sole U.S. government sponsorship. That funding has enabled a global system, but the burden has fallen squarely on one agency and one country. The European Union has its own database, but it is largely unknown. Nations across Asia, the Gulf states and beyond all consume CVE data and build tools around it, without meaningful financial contribution.

Meanwhile, cybersecurity vendors spend millions annually on conference booths, marketing activations and branded swag. Redirecting even a fraction of those budgets toward shared infrastructure like CVE would likely do more to secure their customers, and strengthen their credibility, than another oversized LED wall or fancy drone display at the upcoming RSA conference.

This crisis genuinely creates the opportunity for reform. A newly announced nonprofit, the CVE Foundation, has emerged as a potential future steward of the CVE system. This is the right move, but it needs broad support, generous funding and real structure. The best solution is to transition CVE to a multi-stakeholder foundation model, governed by both private industry and international governments, with MITRE as the technical anchor, not the financial underwriter. Here's what that model should include:

  • Private Sector Co-Funding: Security vendors, cloud providers and software giants should contribute proportionally. They all benefit from CVE; it's time they help sustain it. In fact, this may be one of the highest-return investments a company can make from its marketing budget.
  • Global Buy-In and Funding: Countries outside the United States must step up. The European Union maintains its own vulnerability catalog, but it lacks global adoption and visibility. CVE has become the de facto international standard, the common language for cybersecurity coordination across borders. It's time for allied nations, especially those that rely on CVE for their own national defense and critical infrastructure, to redirect a portion of their cybersecurity budgets toward sustaining this shared system. Funding a globally relied-upon platform is not charity; it's a strategic investment in collective resilience.
  • Independent Oversight: The new CVE Foundation must be neutral, community-driven and resilient, free from sole reliance on any one government.

Let MITRE continue operating CVE. Its technical stewardship is excellent. But move the financial dependency to a diversified global model before the next contract cliff.

The near-collapse of CVE was a stark reminder of just how fragile our cybersecurity foundations can be. It exposed the risks of relying on a single point of failure, and of assuming that one nation will indefinitely shoulder the weight of a global system. This isn't about blame. It's about modernization. A vulnerability catalog used by every business and government on Earth cannot hinge on the budget cycles of a single capital. The system held, for now. But what comes next must be deliberate, strategic and shared.

Why should American taxpayers alone fund a tool the entire world depends on? Should the security of our digital infrastructure rise and fall with domestic politics? If the world relies on CVE, the world must help fund CVE.

'Stupid and Dangerous': CISA Funding Chaos Threatens Essential Cybersecurity Program

WIRED (Business), 16-04-2025

Apr 16, 2025 4:10 PM

The CVE Program is the primary way software vulnerabilities are tracked. Its long-term future remains in limbo even after a last-minute renewal of the US government contract that funds it.

In an eleventh-hour scramble before a key contract was set to expire on Tuesday night, the United States Cybersecurity and Infrastructure Security Agency renewed its funding for the longtime software vulnerability tracking project known as the Common Vulnerabilities and Exposures Program. Managed by the nonprofit research-and-development group MITRE, the CVE Program is a linchpin of global cybersecurity, providing critical data and services for digital defense and research. The CVE Program is governed by a board that sets an agenda and priorities for MITRE to carry out using CISA's funding.

A CISA spokesperson said on Wednesday that the contract with MITRE is being extended for 11 months. 'The CVE Program is invaluable to the cyber community and a priority of CISA,' they said in a statement. 'Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience.' MITRE's vice president and director of the Center for Securing the Homeland, Yosry Barsoum, said in a statement on Wednesday that 'CISA identified incremental funding to keep the Programs operational.'

With the clock ticking down before this decision came out, though, some members of the CVE Program's board announced a plan to transition the project into a new nonprofit entity called the CVE Foundation. 'Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,' the Foundation wrote in a statement. 'This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the US government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.'

It is unclear who from the current CVE board is affiliated with the new initiative other than Kent Landfield, a longtime cybersecurity industry member who was quoted in the CVE Foundation statement. The CVE Foundation did not immediately return a request for comment. CISA did not respond to questions from WIRED about why the fate of the CVE Program contract had been in question and whether it was related to recent budget cuts sweeping the federal government as mandated by the Trump administration.

Researchers and cybersecurity professionals were relieved on Wednesday that the CVE Program hadn't suddenly ceased to exist as the result of unprecedented instability in US federal funding. And many observers expressed cautious optimism that the incident could ultimately make the CVE Program more resilient if it transitions to an independent entity that isn't reliant on funding from any one government or other single source.

'The CVE Program is critical and it's in everyone's interest that it succeed,' says Patrick Garrity, a security researcher at VulnCheck. 'Nearly every organization and every security tool is dependent on this information and it's not just the US, it's consumed globally. So it's really, really important that it continues to be a community-provided service and we need to figure out what to do about this because losing it would be a risk to everyone.'

Federal procurement records indicate that it costs in the tens of millions of dollars per contract to run the CVE Program. But in the scheme of the losses that can occur from a single cyberattack exploiting unpatched software vulnerabilities, experts tell WIRED, the operational costs seem negligible versus the benefit to US defense alone. Despite CISA's last-minute funding, the future of the CVE Program is still unclear for the long term. As one source, who requested anonymity because they are a federal contractor, put it: 'It's all so stupid and dangerous.'
