A Midnight Reprieve for the CVE Database
The CVE database underpins global vulnerability identification and mitigation efforts, and came within a day of losing the US government funding that sustains it.
Introduction
The Common Vulnerabilities and Exposures (CVE) database is a cornerstone of global cybersecurity and underpins the effort to catalogue and address vulnerabilities in a centralised and organised manner. This enables individuals and organisations from across the digital ecosystem, from customers to vendors, to coordinate their responses. This article looks at the recent funding crisis and its potential impact on global cybersecurity.
The Funding Crisis Unfolds
On the 15th of April 2025, MITRE, which manages and operates the CVE database, notified the CVE Board that the US government had not renewed its contract, which was set to expire the next day. This abrupt decision threatened to disrupt a system that underpins how organisations across the world track and address software vulnerabilities.
The move was unexpected, and in response members of the CVE Board proposed a new non-profit entity that would be independent of any single government and, importantly, neutral.
A Last-Minute Reprieve
As the deadline came and went, and the database moved into read-only mode, concern and pressure reached a crescendo. This led CISA to extend MITRE's contract by 11 months, averting an immediate shutdown. What happens when those 11 months run out is unknown. The expectation is that industry will step in to keep funding flowing in the short term, but the availability that came with being a US government service (works of the US federal government are not eligible for US copyright protection, which is why NASA's images and research are freely reusable) is lost, and the consequences of that are unknown.
Global Significance of the CVE Program
The program has been the keystone of vulnerability identification and documentation since 1999. It assigns each publicly disclosed vulnerability a unique identifier of the form CVE-YYYY-NNNN, and, through the severity scoring (CVSS) that the NVD and the assigning CNAs attach to each record, provides a common language for individuals and organisations to identify, document and mitigate these vulnerabilities. Major technology companies, including Microsoft, Google and Apple, rely on CVE listings to prioritise security patches and coordinate responses to emerging threats.
The program's data further feeds into the United States National Vulnerability Database (NVD), supporting vulnerability management and incident response efforts. If the CVE program were shuttered, it would have cascading effects and hinder the ability of organisations to track and address critical security vulnerabilities.
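To make concrete what the identifiers and severity data above look like when a patch-prioritisation workflow consumes them, here is an added Python example (not code from this article or from the CVE program). It validates the CVE-YYYY-NNNN identifier syntax, pulls the CVSS v3.1 base score out of CVE Record Format 5.x JSON, and ranks records so that unscored ones are kept but sorted last. The three records, the vendor and product names, and the CVE IDs used in them are constructed placeholders, not real vulnerabilities.

```python
"""Validate CVE IDs and rank CVE JSON 5.x records by CVSS v3.1 base score."""
import re

# CVE ID syntax: 'CVE-', a four-digit year, then a sequence of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_valid_cve_id(cve_id: str) -> bool:
    """True if the string matches the CVE identifier syntax."""
    return CVE_ID_RE.match(cve_id) is not None


def parse_record(rec: dict) -> dict:
    """Extract ID, state, CVSS v3.1 score/severity and affected products from one record."""
    if rec.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE record")
    meta = rec["cveMetadata"]
    cve_id = meta["cveId"]
    if not is_valid_cve_id(cve_id):
        raise ValueError(f"malformed CVE ID: {cve_id}")
    cna = rec["containers"]["cna"]
    # A record may carry zero or several metric objects; use the first CVSS v3.1 one.
    score, severity = None, None
    for metric in cna.get("metrics", []):
        cvss = metric.get("cvssV3_1")
        if cvss:
            score = float(cvss["baseScore"])
            severity = cvss.get("baseSeverity")
            break
    affected = [f"{a.get('vendor', '?')}/{a.get('product', '?')}"
                for a in cna.get("affected", [])]
    return {"id": cve_id, "state": meta.get("state"), "score": score,
            "severity": severity, "affected": affected}


def rank_records(records) -> list:
    """Highest base score first; records without a score are kept but sorted last."""
    parsed = [parse_record(r) for r in records]
    return sorted(parsed, key=lambda r: (r["score"] is None, -(r["score"] or 0.0)))


def _record(cve_id, vendor, product, cvss=None):
    """Build a minimal CVE Record Format 5.x document (constructed sample data)."""
    cna = {
        "affected": [{"vendor": vendor, "product": product}],
        "descriptions": [{"lang": "en", "value": "placeholder description"}],
    }
    if cvss is not None:
        cna["metrics"] = [{"format": "CVSS", "cvssV3_1": cvss}]
    return {"dataType": "CVE_RECORD", "dataVersion": "5.0",
            "cveMetadata": {"cveId": cve_id, "state": "PUBLISHED"},
            "containers": {"cna": cna}}


# Constructed placeholder records; the IDs, vendors and products are not real entries.
SAMPLE_RECORDS = [
    _record("CVE-2025-0001", "ExampleCorp", "ExampleApp",
            {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}),
    _record("CVE-2025-0002", "ExampleCorp", "ExampleLib"),  # published, not yet scored
    _record("CVE-2025-0003", "OtherVendor", "OtherTool",
            {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM",
             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}),
]

if __name__ == "__main__":
    for r in rank_records(SAMPLE_RECORDS):
        print(f"{r['id']:<15} {str(r['score']):>5} {r['severity'] or 'unscored':<9} {', '.join(r['affected'])}")
```

Keeping unscored records in the output rather than dropping them matters in practice: a record can sit in PUBLISHED state for days before the NVD or the CNA attaches a CVSS score, and a queue that silently drops it is exactly the blind spot the article's outage scenario would widen.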
Community Response and Future Outlook
The recent uncertainty has prompted calls for a more resilient and community-oriented model for the CVE program. Commentators of all stripes argue that the program's dependence on US government funding exposes it to the whims of the political class, potentially jeopardising global cybersecurity coordination. Until this administration, cybersecurity was a bipartisan concern in the United States; today it has fallen prey to slash-and-burn politics.
The proposed CVE Foundation represents a step toward establishing an independent entity capable of sustaining the program's mission and ensuring its neutrality. While the immediate threat of a shutdown has been mitigated, the situation underscores the need for consistent support and long-term planning to maintain the CVE program. The cybersecurity community must build on the bones of the CVE program and ensure that its spirit of cooperation carries over into whatever comes next.
Conclusion
The CVE program's recent funding challenges have exposed weaknesses in the current model for supporting cybersecurity infrastructure. As the digital landscape continues to evolve, ensuring the stability and independence of essential programs like CVE is paramount. The establishment of the CVE Foundation and the extension of MITRE's contract represent crucial steps toward securing the program's future. However, sustained collaboration and investment are necessary to uphold the integrity of global cybersecurity efforts.