Confusion and frustration as MITRE CVE program funding expires
Funding for the non-profit MITRE Corporation’s Common Vulnerabilities and Exposures (CVEs) database is set to expire today in a major blow to cybersecurity professionals.
The CVE database is a cornerstone of the international cyber community, bringing together trusted partners to share threat data.
Each security vulnerability within the database is designated a unique CVE ID, giving cybersecurity teams a standardized way to identify, catalog, and shore up defenses against threats to their organizations.
Graeme Stewart, head of public sector at Check Point Software, told ITPro that CVEs are essential for measuring the quality of cybersecurity defenses deployed by organizations.
“It allows practitioners to make a non-partisan assessment of their environment, based upon the needs for patching and remediation,” he said.
“The lower the number of CVEs, the less time spent patching because a system is less vulnerable. It’s an invaluable tool, and private and public sector should be coming together to make sure this valuable work continues.”
The CVE database has been maintained by the MITRE Corporation since 1999, but is now in uncertain waters as the contract between the two lapses. In an email exchange with the Cybersecurity and Infrastructure Security Agency (CISA), the agency confirmed that its contract with the MITRE Corporation is due to expire.
“CISA is the primary sponsor for the Common Vulnerabilities and Exposure (CVE) program, which is used by government and industry alike to disclose, catalog, and share information on technology vulnerabilities that can put the nation’s critical infrastructure at risk,” a CISA spokesperson told ITPro.
“Although CISA’s contract with the MITRE Corporation will lapse after April 16th, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”
Funding blow has alarm bells ringing for security pros
No concrete reason has been given for the lapse in contract, and security professionals have registered alarm at the news.
“I am extremely frustrated,” John Hammond, principal security researcher at Huntress, told ITPro.
“It’s like the cybersecurity industry’s common language has been thrown out the window, we just lost the ground that we stand on. This is going to hurt, not help.”
Jen Easterly, former director at CISA, described the CVE system as “one of the most important pillars of modern cybersecurity” in a post on LinkedIn.
“Losing it would be like tearing out the card catalog from every library at once—leaving defenders to sort through chaos while attackers take full advantage.”
Easterly added that this could increase the risk of breaches and ransomware for businesses, drive up security and compliance costs, and erode customer trust.
A huge number of organizations, from the largest names in tech to small cybersecurity teams worried about zero-day exploits, rely on CVEs to prioritize their vulnerability management techniques.
At time of writing, it’s unclear if a replacement database will be sought and operated by another non-profit organization, or if private contractors will be forced to establish a collaborative resource of their own.
Javvad Malik, lead security awareness advocate at KnowBe4, told ITPro the CVE database is of “unparalleled” importance.
“What compounds the gravity of this situation is that there isn’t a “Plan B”,” he said.
“Historically, this endeavour was underwritten by the US government. The discontinuation of funding could not come at a worse time given the global cyber landscape. Alternative options are limited for now. Perhaps a consortium model, some form of public-private partnership, or a non-profit could be the way forward. But it’s something that needs time and effort to put together.”
For now, historical CVE data has been archived in a GitHub repository.
MORE FROM ITPRO
Source link
