
Cybersecurity World On Edge As CVE Program Prepares To Go Dark (forbes.com)
The CVE and CWE programs are at risk of shutdown as MITRE's DHS contract expires on April 16, 2025, with no confirmed renewal. Without continued funding, the ability to standardize, track, and respond to software vulnerabilities could collapse, leaving the cybersecurity community scrambling in a fragmented and dangerously opaque environment. Forbes reports: "Failure to renew MITRE's contract for the CVE program, seemingly set to expire on April 16, 2025, risks significant disruption," said Jason Soroko, Senior Fellow at Sectigo. "A service break would likely degrade national vulnerability databases and advisories. This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained."
MITRE has indicated that historical CVE records will remain accessible via GitHub, but without continued funding, the operational side of the program -- including assignment of new CVEs -- will effectively go dark. That's not a minor inconvenience. It could upend how the global cybersecurity community identifies, communicates, and responds to new threats. [...] MITRE has said that discussions with the U.S. government are active and that it remains committed to the CVE mission. But with the expiration date looming, time is running short -- and the consequences of even a temporary gap are severe.
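The summary says the historical record will stay readable on GitHub even if new assignments stop. The archive in question is the cvelistV5 repository, which stores one CVE JSON 5.x document per ID in a year/bucket directory layout. The following is an added example, not code from the article, MITRE or the CVE program: it validates a CVE ID, derives the record's path in that layout, and pulls the fields a triage script needs (description, affected versions, CVSS score) out of a record, treating REJECTED records separately so they are not mistaken for live issues. The record, the vendor/product names and the ID CVE-2099-12345 are constructed placeholders, and the helper names are ours.

```python
"""
Added example (not from the article, MITRE or the CVE program): read a CVE
record in the CVE JSON 5.x shape used by the public cvelistV5 GitHub mirror.
The records below are constructed; CVE-2099-12345/12346 are placeholders,
not real CVEs. Helper names are ours.
"""
import json
import re

# CVE ID grammar: "CVE-" + four-digit year + sequence of at least four digits
# (sequences may be longer than four digits since 2014).
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")


def parse_cve_id(cve_id: str) -> tuple[int, str]:
    """Return (year, sequence string) or raise ValueError for a malformed ID."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group("year")), m.group("seq")


def cvelist_path(cve_id: str) -> str:
    """Locate a record in the cvelistV5 repository layout:
    cves/<year>/<sequence with its last three digits replaced by 'xxx'>/<id>.json
    """
    year, seq = parse_cve_id(cve_id)
    return f"cves/{year}/{seq[:-3]}xxx/{cve_id}.json"


def _first_english(entries: list) -> str:
    """First English-language 'value' in a list of {lang, value} objects."""
    for e in entries:
        if e.get("lang", "").lower().startswith("en"):
            return e.get("value", "")
    return ""


def summarize_record(record: dict) -> dict:
    """Extract the fields a triage script needs from a CVE 5.x record.

    A record is either PUBLISHED (descriptions, affected products, optional
    CVSS metrics) or REJECTED (only rejectedReasons; not a live issue).
    """
    if record.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE_RECORD document")
    meta = record["cveMetadata"]
    cve_id = meta["cveId"]
    parse_cve_id(cve_id)  # reject garbage IDs before trusting the rest
    cna = record["containers"]["cna"]
    state = meta.get("state", "PUBLISHED")

    if state == "REJECTED":
        return {"id": cve_id, "state": state,
                "reason": _first_english(cna.get("rejectedReasons", []))}

    affected = []
    for a in cna.get("affected", []):
        for v in a.get("versions", []):
            if v.get("status") == "affected":
                affected.append((a.get("vendor"), a.get("product"), v.get("version")))

    # Prefer the newest CVSS version the CNA supplied.
    cvss = None
    for metric in cna.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in metric:
                cvss = (key, metric[key]["baseScore"], metric[key].get("baseSeverity"))
                break
        if cvss:
            break

    return {"id": cve_id, "state": state,
            "description": _first_english(cna.get("descriptions", [])),
            "affected": affected, "cvss": cvss}


# Constructed sample records (placeholder IDs, vendor and product; the
# assignerOrgId is a dummy UUID, not a real CNA's).
SAMPLE_RECORD = json.loads("""
{
  "dataType": "CVE_RECORD", "dataVersion": "5.1",
  "cveMetadata": {"cveId": "CVE-2099-12345", "state": "PUBLISHED",
                  "assignerOrgId": "00000000-0000-4000-8000-000000000000"},
  "containers": {"cna": {
    "descriptions": [{"lang": "en", "value": "Placeholder issue in ExampleProduct."}],
    "affected": [{"vendor": "ExampleVendor", "product": "ExampleProduct",
                  "versions": [{"version": "1.0", "status": "affected"},
                               {"version": "1.1", "status": "unaffected"}]}],
    "metrics": [{"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH",
                 "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}]
  }}
}
""")

SAMPLE_REJECTED = {
    "dataType": "CVE_RECORD", "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2099-12346", "state": "REJECTED"},
    "containers": {"cna": {"rejectedReasons": [
        {"lang": "en", "value": "Duplicate of CVE-2099-12345."}]}},
}

if __name__ == "__main__":
    print(cvelist_path("CVE-2099-12345"))
    print(summarize_record(SAMPLE_RECORD))
    print(summarize_record(SAMPLE_REJECTED))
```

Pointing `cvelist_path` at a local clone of the mirror and feeding the file to `summarize_record` is enough to keep scanning against the archived data offline; the REJECTED branch matters because a rejected ID still has a file in the tree.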
Targeted by DOGE? (Score:1, Troll)
The CVE system benefits everyone globally, and yet the US taxpayer is funding it alone? This is hardly fair, and makes it a prime target for DOGE. A system controlled solely by the US is also less likely to be trusted by some other countries.
It would be better with a global system, funded by multiple countries to spread the burden.
Re:Targeted by DOGE? (Score:5, Informative)
The CVE system benefits everyone globally, and yet the US taxpayer is funding it alone? This is hardly fair, and makes it a prime target for DOGE. A system controlled solely by the US is also less likely to be trusted by some other countries.
It would be better with a global system, funded by multiple countries to spread the burden.
Perhaps it would be better if we didn’t pretend it cost eleventy billion dollars to run a CVE database.
This should NOT be something so difficult and complex that it couldn’t be taken over easily. By even a “non-profit” for profits sake if that’s what it takes. One is hardly required to be an award-winning writer in order to catalog a library.
And if it’s run efficiently, then it should be of little concern with regards to DOGE.
Re: (Score:2)
^^This
Especially given the way CVEs actually work, the big vendors (Microsoft and friends) mostly control the process anyway. The remaining effort is really rather minimal record keeping that should not cost much at all.
The thing is, a common database was needed. This is an example where government did a good thing: they stepped in, set up an industry group, used their sponsorship to get buy-in, proved some value. It is time to fly the "mission accomplished" banner and step aside.
Now they should step away. There is no reas
Re: (Score:2)
It is time to fly the "mission accomplished" banner and step aside.
Are you saying it's time to let it go to hell and let competing interests (some of which are malicious) to take it over?
Because that's what I associate with that banner, and is also the concern of it going away.
Re: Targeted by DOGE? (Score:2)
So destroy the valuable resource without any clue of a replacement? We are the single most attacked nation in this way. Are you waiting on the private sector? Musk?? To "do it again" and revolutionize something?
Re:Targeted by DOGE? (Score:4, Insightful)
This should NOT be something so difficult and complex that it couldn’t be taken over easily.
This is purely a question of governance. The program's stewards have done a wonderful job of maintaining it so far. Simply flinging it to someone else because it's easy is a great recipe for enshitification.
Re: Targeted by DOGE? (Score:2)
Posting vulnerabilities is a tightrope walk between getting software companies to take newly identified bugs seriously and ensuring users have adequate warning before an unpatched zero day takes out critical infrastructure.
It's not just being a librarian maintaining a database. No doubt it's at least two
Re: (Score:1)
Why don’t you take it over AC if you’re so frugal?
Re:Targeted by DOGE? (Score:5, Insightful)
And the problem with thinking like a business is that not everything is a "profit" line item. Government's job is never about "profit". Yes, there is a balance between expenditures and intake, but it's not exact.
Like for instance.. how most people think is:
Direct Income Taxes = Income
Everything else = Expenses
But the reality is more complicated than that. Like the CVE program: that 100M that the US government spends helps to reduce costs for many companies (US and otherwise) as well as agencies by reducing threat exposure and vulnerability costs (from threat actors and breaches), which in turn makes those agencies spend less money (or allows companies to generate more profit), which in turn for companies earns more in taxes (income taxes). Same for non-US companies that deal with the US: most have provisions and contracts in place to mitigate risk by doing audits against such CVEs, which means they earn more money and have a greater interest in doing business with the US because of the mutual benefit, which generates "soft power" because it is a tangible benefit/perk for such an arrangement.
When everything becomes a transaction, there is simply far less of an incentive to do business, since everything becomes a process and a cost; many have to weigh the penalty vs. benefit, and it starts tipping more against the US than for it. (It's one reason why a lot of companies simply don't focus on specific geographic markets: there is very little benefit, so they may deal with a larger region as a whole but simply ignore the sub-locations because of that "cost".)
Basically 100M in the federal budget is practically free, but the benefits to US companies and others are immeasurable... and just like "insurance", everyone bitches about it UNTIL they need it, and then they kiss their agent; up until that time, they curse the name as an expense.
Re: (Score:2)
Yet for the most part people buy insurance even if they don't have to. I know a lot of home owners that don't have a mortgage. Therefore there is no outside entity forcing them to carry a policy. I don't know anyone who chose to skip it. (I have heard stories about people in hurricane alley and fire country priced out, but that is different.)
The IT industry compared to others is still 'young' but it is maturing. We went from basically zero standards and practices in the 80s and early 90s to what today i
Re: Targeted by DOGE? (Score:2)
What organizations should be running the CVE program? Name three. What private entity based on profit would do so without being subsidized through the federal government?
Re: (Score:2)
MITRE is non-profit. They mostly get government funds, but there is nothing stopping them from taking money from the Microsofts of the world to fund the program.
OWASP or similar could certainly operate it.
Some new organization could be stood up or spun off from MITRE..
Lots of big software vendors would love to contribute, because it assures they have a pipeline to get quality information to assess other vendors with.
Re:Targeted by DOGE? (Score:4, Interesting)
Public policy should be like driving a car on the highway. You don't provide constant steering inputs, you nudge the wheel a little bit one way or the other to course correct or do cornering when required.
Now talk about Trump withholding funding from Harvard due to their political beliefs.
Re: (Score:2)
It costs 100M a year..
You're off by a factor of about fifty there, but apart from that have a gold star for effort.
Re: (Score:2)
I did a lot of searching. The only thing I could find was from 2006 when it was reported to cost 1.2 million. So I'd guess 100 million is a good high water mark.
Re: (Score:2)
Re: (Score:3)
Current cost is around 2 million. And given that they process 40,000 CVEs a year that's probably not bad value for money.
According to Krebs [krebsonsecurity.com], the cost is $40M a year [usaspending.gov].
Re: (Score:2)
Which is chump change in comparison to the value.
How many data breaches have been prevented by having this information publicly available and widely distributed so people can patch their shit? How much would all of that costs businesses and taxpayers?
Re: (Score:2)
I made no comments on the value vs the cost, only that the number provided for said cost appeared to be incorrect.
Re: (Score:2)
The figures seem to be all over the place, the $2M I quoted was mentioned as a "funding shortfall" for the next FY, but then I've also seen $15M total and, as you say, $40M.
Whatever the actual figure is, it seems to be money well spent in terms of stopping huge numbers of attacks on infrastructure and companies by alerting people to problems. This is one area where you really don't want to skimp.
Re: (Score:2)
"Government's job is never about "profit""
But I consider the 'Return On Investment' for my payment of taxes, fees, etc., at all levels of government.
We should 'profit' from some governmental activities, reasonable regulation for instance. Preventing the use of plainly harmful pesticides, at least some of them, good. Claiming to teach Moroccans to make pottery, not so obvious.
Sadly, our federal government in the US is so dysfunctional that it takes an axe to even start the process of reform. And it is nowher
Re: Targeted by DOGE? (Score:5, Insightful)
Eventually we will be forced to acknowledge how much this DOGE nonsense cost us by running things like a man who has gone bankrupt at least 7 times with he himself admitting nothing he has been involved with ever turned a profit.
Re: (Score:2)
This should NOT be something so difficult and complex
Those are some of the most famous last words among software system projects. Please carry on while I grab my popcorn.
Re: (Score:2)
And if it’s run efficiently, then it should be of little concern with regards to DOGE.
Yes, for all the thoughtful analysis they do before slamming a wrecking ball through functional and useful things the government does, right?
Pull your head out of your ass. There's a litany of examples of them just cutting shit and then figuring out that stuff had really good reasons to exist, and having to scramble to get those people back.
Re: (Score:2)
This is the official battle cry of Dunning Kruger.
Re: (Score:2, Insightful)
I'm not sure if this is from the 'penny wise pound foolish' side or the 'barbarians are now inside the gates and setting things on fire' side of th
Re: (Score:2)
Re:Targeted by DOGE? (Score:4, Interesting)
The CVE system benefits everyone globally, and yet the US taxpayer is funding it alone?
Hear hear! Even if we ignore who funds it, let's consider who runs it, who controls it...why would anyone in the world want all that power of information concentrated in the US? Especially when everyone in the world talks so much shit about the US on every front... Fine. Let's take our g'damn ball and go home. Nobody wants to be like that, but seriously, WTF? How much BS can anyone take before they finally just don't feel like playing anymore?
"But, but, there's gonna be disruption while new alternatives are developed"...yes. Correct. Rip the f'king bandaid off cause that's the only way anyone is actually going to make a change.
Re: (Score:3, Interesting)
"why would anyone in the world want all that power of information concentrated in the US?"
It wasn't a problem until la Presidenta decided to go to economic war against the world (excepting those nice Russians, Norks, and Hungarians). The world then noticed that la Presidenta could not be trusted further than they could spit a two-headed rat.
There is no goodwill left for the U.S., and all la Presidenta's targets will be signing deals with China. Nice shot la Presidenta, you took 80 years of faith the U.S. an
Re: (Score:2, Informative)
It wasn't a problem until la Presidenta decided to go to economic war against the world (excepting those nice Russians, Norks, and Hungarians).
See, anyone without advanced TDS (a large portion of slashdot) can see you are lying right in your own post. If Trump was really going to 'economic' war rather than simply realigning policy to suit what he thinks are US interests, we'd actually see stuff like lifting sanctions on Russia, maybe even making support of Ukraine contingent on EU policy choices, etc. He isn't.
It isn't about the rest of the world, and it isn't mistreating allies, it's setting some boundaries and expectations. Kinda like asking t
Re: Targeted by DOGE? (Score:4, Insightful)
Trump complains about a deficit that had nothing to do with tariffs. If trade were equal, the United States of America would still be spending a lot more than they make. So the idea is that, for example, a nation that produces something and sells it to the United States of America cheaper than anyone else..... cannot produce and promote a local product which ultimately competes with the import the United States of America wants to sell them, containing a majority of components that the importer either produces themselves or trades locally for. Then there is the point of the United States of America referencing a domestic production element that does not exist. The United States of America simply cannot produce what it needs at a competitive cost and would rather buy from a nation whose cost per unit can be as much as 1/10th the cost of producing locally. So Trump's economic solution is to threaten the world economy to force them to produce even cheaper products while buying more products produced in the United States of America that they, the importer of products from the United States of America, can produce locally, thus hurting their own regional economies. Extortion. A direct attack on the economies of all involved. So I don't understand your stance at all.
Import substitution industrialization (Score:2)
Then there is the point of the United States of America referencing a domestic production element that does not exist.
As I understand Mr. Tangerine Man's argument, he wants to make it exist. The President has realized that American manufacturing is a baby [wikipedia.org], and it needs a crib to protect it as it grows. When South American countries enacted stiff tariffs in the mid-20th century to encourage domestic manufacturing, the policy strategy was called import substitution industrialization [wikipedia.org].
Re: (Score:2)
Don't you think that maybe a structured arrangement of when tariffs on certain goods would go into effect, allowing that domestic production to be actually built might have been a good idea? E.g. "we want to shift basic electronics production back to the US, so in 18 months we're putting tariffs on importation of resistors, capacitors, diodes, etc. - hey Texas Instruments, Motorola, et. al., start building factories, you're gonna have a market."
That's not what we got, was it? We got instant tariffs, then
Re:Targeted by DOGE? (Score:4, Insightful)
because the situation has been forced to be so lop sided
FTFY.
To maintain the Pax Americana the US forced Europe not to have strong militaries. They didn't want a rearmament of Germany etc. leading to a repeat of WW2.
Now that the US has decided it doesn't want the advantages of being the global Empire, and opted to become poor, Europe will do what the US has forcibly prevented it from doing for over 70 years. So in a few years, decades tops, the EU is going to be the second superpower embarrassing the US, adding to the China threat, and making things even so much funnier for Americans.
Aka, how to shoot one's foot, geopolitical edition.
Re: (Score:2)
See anyone without advanced TDS (a large portion of slashdot) can see you are lying right in your own post. If Trump was really going to 'economic' war rather than simply realigning policy to suit what he thinks are US interest.
How's your 401k doing this quarter?
Re: (Score:2)
If you are consumed by quarterly performance of your financial investments, you are doing it wrong.
Or you're nowhere near as secure as you hoped, no fault of the system. You just have to understand it, and act accordingly.
FWIW, my portfolio has been noticeably reduced lately. I expect this to be temporary. It historically has been temporary. My horizon is not the next quarter.
Re: (Score:2)
What a sad gaslighter to actually claim no tariffs on Russia isn't a thing.
Re: (Score:2, Informative)
There is no goodwill left for the U.S.
This isn't a chicken or egg problem.
"La Presidenta" was *elected* in response to established hostility in the world against the US (including from inside the country) who has, historically, tried to do the right thing by everyone. He didn't try to hide his intentions until he got in office and then open up a big can of whoop ass he had hidden behind his back. He waved that can around in the air to make sure everyone KNEW what they were voting for. And they voted for it. You don't do that as a population
Re: (Score:3, Informative)
No, he was elected due to a decade-long concerted effort to make Americans dumber that finally paid off, but now the dog doesn't know what to do with the car it caught and is just shitting all over the place.
Re: (Score:2)
now the dog doesn't know what to do with the car it caught
Wait what? You have dogs? I thought they all got eaten by immigrants. Oh except for the one executed summarily by a senator with a bullet.
We really are in a dumb timeline.
Re:Targeted by DOGE? (Score:4, Insightful)
"La Presidenta" was *elected* in response to established hostility in the world against the US (including from inside the country)
Just because Republicans feel triggered by the world does not mean there was actual hostility; that's being a snowflake.
He didn't try to hide his intentions until he got in office
Except for threatening Greenland, threatening annexation of Canada, not just deportations but to 3rd-party nation work camps; none of those were mentioned. The rest of his stupid shit, sure, but that's point 3...
everyone KNEW what they were voting for.
Sure, and so did the other ~49% of the nation that did not vote for him; is he not President to those people as well? Or is the Republican position now "You can fuck over the other side with even the barest of majorities"? That position seems to flip depending on whether they are in power. Under Biden they were so so so persecuted!11!
Re: (Score:2)
Talk about shooting yourself in the foot.
Re: (Score:2)
" all this distrust and lack of good will towards the US"
MOST of this distrust and lack of good will towards the US was preexisting. You do not know of the UN? Just one example of the expression thereof...
Re: (Score:2)
And do we consider only the founding, and not decades of actions?
FWIW, also, the US was joined by 25 other governments to establish the UN, in 1942. It was more formally convened in 1945.
That FDR led this effort tells you more than you want to know. A 'new world order' was a stated goal. We see the fruits of that now.
Re: Targeted by DOGE? (Score:2)
And Denmark, just because they had the highest casualties per capita fighting for America in Afghanistan before Trump surrendered, doesn't mean they shouldn't get all humpty over Greenland! America is offering to buy it. It's not like they're going to invade a NATO ally unprovoked. Wha
Re: (Score:2)
I was largely educated before Nixon became President. Clearly you were educated elsewhere, and outside of time.
Then again, true education never ceases.
Re: (Score:2)
Then again, true education never ceases.
Slashdot taught me a lot about human nature, and how rotten and selfish it can be. Even the worst people that I came of age among were more humanitarian than seemingly half of the fuckers around here. I guess that's that kind of morality that the conservatives back home always call the liberal influence of the college.
Re: (Score:2)
"Ten Nazi propaganda tricks as listed by The Advance, organ of the Amalgamated Clothing Workers Union."
No. 9 on that list, was: "Accuse your enemy of having committed all your own crimes."
Feel it?
Re: (Score:2)
No. 9 on that list, was: "Accuse your enemy of having committed all your own crimes."
Yes, that is exactly what the Republicans do. They are continually molesting children while accusing others of doing it, for example. There are literally more child molestations committed by Republican politicians than by drag queens and trans persons combined. Republicans are the pedo party.
Re: Targeted by DOGE? (Score:2)
It's ok that you don't get it. That's the point.
Re: (Score:2)
It's ok that you don't get it. That's the point.
If you had a point, you would have made it a long time ago.
Modded down for criticizing Elon's treason (Score:2)
You maggot scum make us all sick. Literally, because of R fucking brainworm K.
Re: (Score:3)
Especially when everyone in the world talks so much shit about the US on every front...
Give me one example of an allied nation officially talking trash on the US? Because I can give you a lot of examples of the US officially doing it the other way.
Re: (Score:2)
Be sure to bound the request:
"Give one example of an allied nation officially talking shit BEFORE Trump took office and gave really good reasons to talk shit" is a better framing of the request.
Re: (Score:2)
I mean even with Trump in office I didn't see any official instances. Unless we are like calling polite reasonable criticism 'talking trash'.
European leaders talk waayyy more respectfully about Trump than US ones.
Unofficially, I think there was the one case where someone eavesdropped on Macron having a private conversation with some other leaders and he said "He was late because he takes a 40-minute press conference off the top" about Trump. Which I wouldn't even call talking trash.
Re:Targeted by DOGE? (Score:4, Interesting)
That is one way of looking at it the other is that most of the software the world uses is from the US.
Maybe we should hold companies responsible for the poor software that they produce rather than limiting liability by virtue of license.
Yes I would agree that we should spread the burden as well as the wealth. Revenue on IP should be taxed in the country where it is sold and the only expenses that may be deducted are those incurred within that country. Royalties as an expense should be reconsidered.
It's hardly fair that countries expense taxpayer funding to protect US IP.
Re: (Score:2)
The US taxpayer would be a huge beneficiary of the system you propose too.
And it would give smaller businesses (that can't afford fancy tax work around using multiple countries around the world to shift incomes) more even footing hopefully giving space for destructive creation and increased productivity.
Re: (Score:2)
Yes they would. I just laugh how each government manages to pull the wool over voters eyes with promises that money will be returned to the average Joe. The only thing happening in USA is the destruction of the constitution, social system and the average Joe's rights.
This only hurts the average Joe.
Re:Targeted by DOGE? (Score:5, Insightful)
The CVE system benefits everyone globally, and yet the US taxpayer is funding it alone? This is hardly fair, and makes it a prime target for DOGE. A system controlled solely by the US is also less likely to be trusted by some other countries.
It would be better with a global system, funded by multiple countries to spread the burden.
For years we've been hearing how other nations aren't trustworthy enough to have any power over the internet, control over DNS, et al... Now all of a sudden you want us to pay for it... Give us equal rights then ask for money.
If recent days have shown anything, it's that the US should not have control over anything more important than a teaspoon.
Re: (Score:2)
Now all of a sudden you want us to pay for it...
No literally no one is saying that. In fact several countries offered to take it up and projects were quickly started to decentralise it. It's cakeism. You want to control things but then also complain that it costs you money to do so? GTFO.
Re: Targeted by DOGE? (Score:2)
Re: (Score:2)
Right, let's let China run the international collection of vulnerabilities. Or a UN org that will give every nation state equal early access to those vulns.
Being the runner of this program benefits exactly 1 country and that is the US. It's really dumb to give that away.
What MITRE does with CVE's is collect the vulnerabilities the CNAs report and number and publicize them. It's not rocket science (and shouldn't normally cost 100mln) but for the more serious ones it sometimes does entail timed privileged acce
Re: (Score:2)
The CVE system benefits everyone globally, and yet the US taxpayer is funding it alone?
The bulk of software is written here in the USA, for starters, so it seems fair we support this effort. Additionally, by making it global, we get users from around the world to test and submit fixes for free. If we were to limit access to the US, we would lose global contributions towards security.
This is hardly fair,
It's not about fairness, but strategy.
and makes it a prime target for DOGE.
Anything these bastards don't understand is a prime target for DOGE. Remember when it laid off people critical to maintain and secure our nuclear arsenal? And what's the effic
Re: (Score:2)
Yes, because I'm sure that it costs billions of dollars to host a database and have a team of people to review submissions.
Also: there is nothing stopping anyone else from having a parallel organization doing the same task. No reason not to distribute the work to multiple teams, and have multiple sources of information - at the least, we get redundancy that allows for fault tolerance, and in any reasonable scenario we get at least a little assurance that things aren't being "held back" by having some rival
Re: Targeted by DOGE? (Score:3)
Nobody has to trust CVEs -- that's the point. They are verifiable and typically there are proofs of concept which are easily testable. People ignore them at their own peril. (Hint, nobody in security ignores CVEs -- on the contrary, they mine them for exploits).
Re: Targeted by DOGE? (Score:2)
What could possibly go wrong?
Something is terribly wrong. (Score:5, Informative)
What could possibly go wrong?
In reply to your question, there's a detailed firehose submission [slashdot.org].
Re:Targeted by DOGE? (Score:5, Informative)
The above is a ref to the US one. Europe is having a go as well, see https://gcve.eu/ [gcve.eu], run by Luxembourg's CERT.
Looks like Vice-president Trump has handed another thing over to Europe to run with from now on.
Re:Targeted by DOGE? (Score:5, Informative)
Cybersecurity matters (Score:4, Interesting)
There will be a cyber terrorist attack one day, maybe even a cyber-nuke that will make the internet unusable. Everyone in the cybersecurity space is in it for themselves, and it's going to bite us all hard. Wannacry, Slammer and Crowdstrike are like 1% of the potential disruption we can face.
Re: (Score:2)
Too many people don't take it seriously.
While some CVEs have been important, to some extent the way CVEs have been handled is part of why it's taken less seriously than it should be.
For every very real CVE, there's like 10 that are actually kind of laughable, someone found a bug and tries to rationalize it as a vulnerability to pad their credentials. MITRE tends to err on the side of "CVE is valid, side with the reporter in a disagreement unless it's overwhelmingly obviously stupid".
This was specifically written up by a curl developer:
https://dani [daniel.haxx.se]
I know right? (Score:1)
Re: (Score:3)
It isn't so much a matter of outrage, as one of recognizing value and leadership early on.
The US is paying because it was leading the effort in the first place. The sum is very likely not large, but the activity was important and high-profile in its domain, so the US administration, at the time when it wasn't led by morons, thought it valuable enough to fund.
Quite possibly due to the trivial amount involved and to the benefits of the domestic software industry, it didn't see it worthwhile to seek money from th
Re: (Score:2, Interesting)
Yes and the right wing trumptard apologists defending this dumb shit and absolutely flooding the comments makes me wish /. were half as good as it was 25 years ago.
Re: I know right? (Score:3)
The irony is that half of the insipid comments are being made by people with 5 digit UIDs.
Re: (Score:2)
Yes, yes, yes, this is soft-power on a global stage and it's what the US has leveraged since WWII to attain what we have/had. Sure something like this costs us money but nation states, particularly on the level of how they interact with other nations are not businesses, it's not just look at particular project and see if it's profitable, it has to be taken as a cohesive whole. Taking away the CVE program is going to make us poorer, just full stop,
Conservatives here want it both ways, they want all that res
Re: (Score:2)
Two proposed alternatives (Score:5, Interesting)
https://www.thecvefoundation.org/ [thecvefoundation.org]
https://gcve.eu/news/ [gcve.eu]
Re: (Score:3)
"While remaining compatible with the traditional CVE system, GCVE introduces GCVE Numbering Authorities (GNAs). GNAs are independent entities that can allocate identifiers without relying on a centralised block distribution system or rigid policy enforcement."
So suddenly we've got multiple entities, potentially giving different IDs to the same vulnerability and potentially giving it different ratings. That doesn't sound like a good thing.
Re: (Score:2)
Re: (Score:3)
That GCVE one sounds exactly like what isn't needed.
"While remaining compatible with the traditional CVE system, GCVE introduces GCVE Numbering Authorities (GNAs). GNAs are independent entities that can allocate identifiers without relying on a centralised block distribution system or rigid policy enforcement."
So suddenly we've got multiple entities, potentially giving different IDs to the same vulnerability and potentially giving it different ratings. That doesn't sound like a good thing.
This was already established practice for MITRE, just not standardized. Google and Microsoft had blocks of CVEs and administered them internally.
Re: (Score:2)
Much more, actually. CNAs aren't a high bar and many bigger projects have their own block allocation of numbers. curl had to get one to avoid getting hosed by a "9.8" severity overflow bug (basically you could overflow a retry timeout (64-bit) so instead of waiting forever, it waits a little less than forever, and that could be a DDoS vector - OMG! Hitting a webserver
Malicious compliance (Score:2)
Re: (Score:3)
"There is no way this is intentional defunding." You do realize that doing this because Elmo is too stupid to realize the consequences is just as bad, yes?
And how many Billions and Billions of $ will he now claim he's saved, although the Maggots will eat it up because they do not get math.
Re:Malicious compliance (Score:4, Interesting)
You haven't been paying attention, have you? Well thought out, competent decision making has not been this administration's strong suit.
Re: (Score:2)
What flavor was your kool aid this morning?
Re: Malicious compliance (Score:2)
Cybersecurity World on Edge?? (Score:3)
tl;dr but I really thought they'd be using Firefox. I am disappoint.
Damn DOGE shit (Score:1)
DOGE is stealing data, via Russia (Score:4, Informative)
Within minutes after DOGE accessed the NLRB's systems, someone with an IP address in Russia started trying to log in, according to Berulis' disclosure. The attempts were "near real-time," according to the disclosure. Those attempts were blocked, but they were especially alarming. Whoever was attempting to log in was using one of the newly created DOGE accounts - and the person had the correct username and password, according to Berulis.
https://www.npr.org/2025/04/15... [npr.org]
Who cares? Not to worry. (Score:3)
Re: (Score:2)
So they are going to take it out of the competent hands that are running it for 2 million dollars a year, and send it to the incompetent clown posse under Musk to run it badly for 100 million dollars a year, and you don't see a problem with that?
Re: (Score:2)
I think your sarcasm detector needs to get to the shop. [youtube.com]
It's alright, we live in a very Poe's Law type of world today, things are getting weird out there.
this might be a good thing (Score:3)
This might not be the worst thing if there is a response from the market to take over the stewardship of the program for the long term... or DHS finally complies with requests from the government to separate the bill for this program from a bulk 5 year budget with MITRE for a crap ton of other varied services with no clarity as to where the money is actually going and for what... and gets funded in the meantime (fingers crossed).
This program is one of those things that needs a stable, long term funding solution and to be decoupled from the effects of DOGE-like antics, even if it means crowd/industry funding. The problem with industry funding is that a vendor will say, "no, it's not a 9.9 CVE, it's a 4... we have a shareholder call this week and can't afford this stock drop... have it as a 4 or we withhold funding next year"... Government/crowd funding ensures independence. Government funding in theory ensures stability.
I can't imagine it being too expensive to run this program, and hopefully the secondary GNAs will take over the work while MITRE (the primary GNA) goes dark.
For those complaining that the US government is paying for this: MITRE is non-profit, and provides a shit ton of goods and services FOR the government, AND the industry/economy... which then is more productive and makes more money as a result. It's as if people forget that nothing exists in a fucken vacuum. Your business relies on many other things to go right and work. You want to run a farm, you need people, health care, housing, infrastructure, vet medicine, fuel, machinery, weather forecasts, clothing, and a market to sell your farmed goods, and the list is endless... for any of those things you depend on to work, they themselves have a whole web of sub-industries to function/exist... and so on and so on... you eliminate one or DEGRADE it, and it has a negative impact throughout the network... costing potentially billions in losses... i.e. the CVE program goes down... the ability of any organization that utilizes computers to respond to cyber threats is slowed... this then results in more downtime and losses for those businesses, and those that rely on their services...
imagine if-
-your payroll processing company is taken offline for a few weeks and thousands of your employees can't get paid
-your bank goes offline and you can't buy/pay for something for a few weeks
-your food/meat processing plant goes offline and can't process your goods that are only viable for a short time and rot as a result...
-or your daughter is pregnant and the hospital computer network is down and she can't get admitted, nor get the medicines their baby needs etc...
It's almost as if that is what taxes are supposed to be used for: enabling the economy for the good/benefit of all. The CVE program is an enabler; it produces more good than it costs.
Wonder what the response would be if the program was taken over by ETH Zurich? Would the US feel comfortable with another country running it?
Funding was restored (Score:3)
Funding has been restored [bleepingcomputer.com] by CISA for MITRE to run the CVE program.
Which direction things go given the creation of a few alternative structures remains to be seen.
Relax everybody (Score:2)
https://www.bleepingcomputer.c... [bleepingcomputer.com]
Re: (Score:2)
Consider it a flashing red warning sign. No actual disaster ... yet.
Cybersecurity World On Edge .. (Score:2)
The USA is bowing out (Score:2)
MAGA doesn't like international cooperation, and they currently reign over America. ... Everything needs to be looked at through the lens of "What if the US isn't reliable?"
So the international community needs to make a contingency plan for every service provided by a US-based organization.
Financial, economic, scientific, military, technology, Internet,
Re: F*ckheads Are as F*ckheads Do (Score:2)