{"id":3335,"date":"2025-04-17T05:03:41","date_gmt":"2025-04-17T05:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/04\/17\/cve-program-almost-unfunded-html\/"},"modified":"2025-04-17T05:03:41","modified_gmt":"2025-04-17T05:03:41","slug":"cve-program-almost-unfunded-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/04\/17\/cve-program-almost-unfunded-html\/","title":{"rendered":"CVE Program Almost Unfunded"},"content":{"rendered":"\n<div>CVE Program Almost Unfunded<\/div>\n<div>\n<p>Mitre\u2019s CVE program\u2014which provides common naming and other informational resources about cybersecurity vulnerabilities\u2014was about to <a href=\"https:\/\/www.csoonline.com\/article\/3963190\/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html\">be cancelled<\/a>, as the US Department of Homeland Security failed to renew the contract. It was funded for eleven more months at the last minute.<\/p>\n<p>This is a big deal. The CVE program is one of those pieces of common infrastructure that everyone benefits from. Losing it will bring us back to a world where there\u2019s no single way to talk about vulnerabilities. It\u2019s kind of crazy to think that the US government might damage its own security in this way\u2014but I suppose no crazier than any of the other ways the US is working against its own interests right now.<\/p>\n<blockquote>\n<p>Sasha Romanosky, senior policy researcher at the Rand Corporation, branded the end to the CVE program as \u201ctragic,\u201d a sentiment echoed by many cybersecurity and CVE experts reached for comment.<\/p>\n<p>\u201cCVE naming and assignment to software packages and versions are the foundation upon which the software vulnerability ecosystem is based,\u201d Romanosky said. 
\u201cWithout it, we can\u2019t track newly discovered vulnerabilities. We can\u2019t score their severity or predict their exploitation. And we certainly wouldn\u2019t be able to make the best decisions regarding patching them.\u201d<\/p>\n<p>Ben Edwards, principal research scientist at Bitsight, told CSO, \u201cMy reaction is sadness and disappointment. This is a valuable resource that should absolutely be funded, and not renewing the contract is a mistake.\u201d<\/p>\n<p>He added, \u201cI am hopeful any interruption is brief and that if the contract fails to be renewed, other stakeholders within the ecosystem can pick up where MITRE left off. The federated framework and openness of the system make this possible, but it\u2019ll be a rocky road if operations do need to shift to another entity.\u201d<\/p>\n<\/blockquote>\n<p>More similar quotes in the article.<\/p>\n<p>My guess is that we will somehow figure out how to transition this program to continue without the US government. It\u2019s too important to be at risk.<\/p>\n<p>EDITED TO ADD: Another <a href=\"https:\/\/www.wired.com\/story\/cve-program-cisa-funding-chaos\/\">good article<\/a>.<\/p>\n<\/div>\n<p>Bruce Schneier<br \/>\n<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2025\/04\/cve-program-almost-unfunded.html\">Go to Bruce Schneier<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE Program Almost Unfunded Mitre\u2019s CVE program\u2014which provides common naming and other informational resources about cybersecurity vulnerabilities\u2014was about to be cancelled, as the US Department of Homeland Security failed to renew the contract. It was funded for eleven more months at the last minute. This is a big deal. 
The CVE program is one of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,464,1154,90,1,416],"tags":[87],"class_list":["post-3335","post","type-post","status-publish","format-standard","hentry","category-bruce-schneier","category-cybersecurity","category-dhs","category-national-security-policy","category-uncategorized","category-vulnerabilities","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3335"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=3335"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3335\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=3335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=3335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=3335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}