Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security United States IT

US Government Takes Steps to Bolster CVE Program (bleepingcomputer.com) 22

The US government is taking steps to fix the Common Vulnerabilities and Exposures (CVE) system that's been plagued by various problems in recent years. From a report: The CVE was created in 1999 by the MITRE Corporation using US government funding. It is a database that contains identifiers (tracking numbers) for security vulnerabilities. Since its creation, the CVE system has been adopted by the public and private sectors. Most modern cyber-security software use CVE numbers to identify and track cyber-attacks exploiting particular software bugs. Despite being a US creation, the system has been widely adopted in countries all over the globe, which use and recognize the CVE identifiers issued by MITRE's staff and industry partners. [...] On Monday, following a year-long investigation into the CVE program, the Energy and Commerce Committee sent letters to the Department of Homeland Security (DHS) and MITRE Corporation. In these letters, the Committee outlined the investigation's findings and proposed courses of action to fix the issues found with the CVE system. According to the two letters, the Committee says it identified that inconsistent and largely diminishing DHS funding as one of the reasons the program has gone downhill and accumulated its huge backlogs.
This discussion has been archived. No new comments can be posted.

US Government Takes Steps to Bolster CVE Program

Comments Filter:
  • Where it all started (Score:3, Informative)

    by Anonymous Coward on Tuesday August 28, 2018 @10:44AM (#57210976)
    Where it all started: http://seclists.org/oss-sec/20... [seclists.org] and http://seclists.org/oss-sec/20... [seclists.org] and http://seclists.org/fulldisclo... [seclists.org]
  • by Anonymous Coward

    Or the Trump Administration.

    You can't have it both ways.

    • by Anonymous Coward

      The Energy and Commerce Committee is part of Congress, not part of the Trump administration.

    • by Anonymous Coward

      The letters were sent by the House Energy and Commerce Committee, which is part of the legislative branch of the government. It would be appropriate to describe political appointees of President Trump as part of the Trump Administration. I wouldn't consider civil service employees in the executive branch to be part of an administration because they aren't political appointees. Certainly the legislative and judicial branches aren't part of any administration and are supposed to be separate. See the separatio

    • Sure you can. Last time I checked, 2/3 branches of the federal government are not a part of the president's administration.

      • "I want the people to know that they still have 2 out of 3 branches of the government working for them, and that ain't bad. " -- Mars Attacks

  • The Short Version (Score:5, Insightful)

    by EndlessNameless ( 673105 ) on Tuesday August 28, 2018 @11:49AM (#57211530)

    MITRE went from $6.7m funding with 7,370 CVEs in 2012 down to $4.0m with 14,472 CVEs in 2015. So, roughly 60% of the funding for twice the output. And that's not accounting for year-to-year fluctuations, which make budgeting nearly impossible.

    Their solution is sensible:

    To solve this issue, the Committee proposes that DHS officials move CVE's funding from a contract-based funding scheme into the DHS budget itself, as a PPA (Program, Project, or Activity) funding line.

    A formal Program makes a great deal of sense in this case, as its work: has an important impact, will be fairly consistent over time, and has no foreseeable end date.

    • by guruevi ( 827432 )

      You seem to forget that CVE is not the only program and DHS is not the only sponsor. They have more than $4M worth of salaries on their board alone. Since they're a non-profit, the information is quite readily available, they have a total revenue of ~$1.3B.

    • has no foreseeable end date.

      So, just like most government entities.

      I think it's great, doing a good job and they need to fund it. It needs an expiration date though, just like John McCain and everyone else has. If it's still doing a good job and nothing else has appeared to replace it, then extending it for another X years seems easily sensible. If SkyNet earlier appeared and always fixes all bugs everywhere, the maybe it's time to disband it.

      Once Elon and Jeff have become the Borg, THEN we'll see about never-ending committee e

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...