CVE Program rescued at the last minute after concerns over losing its government funding


The fate of the CVE Program—a database that catalogs publicly disclosed security vulnerabilities—was unknown over the past 24 hours. 

Yesterday, it was leaked that the maintainer of the CVE Program, MITRE, sent a letter to CVE board members, saying that funding for the CVE program was set to expire today, April 16. 

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” the letter said.

Most of the funding comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which at the time the letter was published had not renewed the contract. Fortunately, this morning, CISA did renew its contract with MITRE, ensuring the continuation of the CVE program.

Ariadne Conill, co-founder and distinguished engineer at Edera, commented that the loss of the program would be catastrophic. “Every vulnerability management strategy around the world today is heavily dependent and structured around the CVE system and its identifiers,” she said. 

In addition, a new foundation has been formed to further ensure the “long-term viability, stability, and independence of the program.” 

The CVE Foundation was founded by active CVE board members, who have been working on this for the past year because they were concerned about the program being reliant on a single government sponsor. 

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the Foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

The CVE Foundation plans to release more information over the next several days about its structure, transition planning, and opportunities for involvement. 
