My take on the CVE contract issue for businesses: don’t overreact, wait and see what impacts are.
The NVD backlog was already pretty crazy.. the US gov has gotta put real funding into this area if it wants to retain control of cyber standards.
Just as an update to this - @briankrebs has confirmed with MITRE the letter is real, and as it stands the CVE database is likely to go offline tomorrow.
@GossiTheDog @briankrebs multiple CVE Board members have confirmed.
To widen it out - CVE is the globally recognised system orgs use for vulnerability management.
Every vulnerability management product uses CVEs. Vulnerability management is a core part of cybersecurity - often, the most important part.
Additionally, CVE is written into several US government standards that orgs have to follow.
So the US Government not funding it is a major and historic own goal.
@GossiTheDog See my updates. CVEs will still be issued to CNAs (via API, as long as that's running), but the more manual stuff they do (i.e. issuing CVEs to non-CNAs) may suffer in the time being.
@briankrebs @GossiTheDog yeah, as CNAs we have direct API access so we can still register and publish them as long as they don't shut down the servers
@bagder @briankrebs @GossiTheDog it seems a small step to just have CNAs own a permanent, published number range or prefix and an RSS feed. (which history teaches us will end up in DNS)
Anyone interested can then build their own database.
There's an argument that MITRE should try to keep everything alive and run things without funding and contracts etc.. but, honestly? My take - stop doing everything that isn't in the contract. Force the issue.
@GossiTheDog That's tantamount to recommending suicide.
CISA comment on CVE situation: https://infosec.exchange/@metacurity/114344326544856491
NextGov piece on the CVE mess. https://www.nextgov.com/cybersecurity/2025/04/mitre-backed-cyber-vulnerability-program-lose-funding-wednesday/404585/
DOGE have terminated MITRE's contracts, they say they will be laying off nearly 500 people. This will have impacts beyond CVE - think MITRE ATT&CK etc. https://virginiabusiness.com/nova-govcon-firm-mitre-to-lay-off-442-employees-after-doge-cuts-contracts/
If you want to know how stupid the CVE situation is - CISA are trying to source last minute funding or look at taking CVE management in house, but they themselves have had a massive budget cut where the staff trying to fix it are also at risk of being cut.
Looks like the US Government are going to lose control of CVE. https://www.thecvefoundation.org/
Another effort - https://gcve.eu/ Global CVE Allocation System
@GossiTheDog Love the "let me put some anonymous website up and Yolo it" attempts. I'm sure it's a well funded long term commitment. GCVE vs lettuce webcam time...
CISA have, at the last minute, extended the MITRE CVE contract. “The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.” HT @metacurity
Now all we need is for Breachforums to get back online and the threat intelligence industry is alive again!
CVE extension by CISA = 11 months. https://infosec.exchange/@metacurity/114348047105534455
CVE extension to March 16th 2026
See y’all March 15th 2026 for the last minute renewal 🫡😅
https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000018_7001_70RSAT20D00000001_7001
@GossiTheDog I have to say, as someone who lives in the D.C. area and is plugged into gossip networks of both civil servants and contractors…there is a lot of this kind of thing* going on lately.
*”This kind of thing” being “the contract is off, no, wait, now it’s back on.”
MITRE’s statement is interesting as they included trademark and copyright symbols on terms like CVE.. one to watch as people try to start their own systems.
@GossiTheDog Not seeing any other source than this shady website in every report on this. No board member is actually claiming this foundation, or responding to comments, and there are SEVERAL red flags. Do you have on good authority that this is legit in the slightest?
The CVE Foundation now lists the people involved https://www.thecvefoundation.org/frequently-asked-questions @thecvefoundation