GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation
    BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 16-Apr-2025 05:51:04 JST

    I boosted several posts about this already, but since people keep asking if I've seen it....

    MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration Program, will expire on April 16. The CVE database is critical for anyone doing vulnerability management or security research, and for a whole lot of other uses. There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the US government, which is a major consumer of this information, btw.

    I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April.

    https://www.usaspending.gov/award/CONT_AWD_70RCSJ23FR0000015_7001_70RSAT20D00000001_7001

    MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject

    Yosry Barsoum, vice president and director at MITRE's Center for Securing the Homeland, said:

    “On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”


    Attachments

    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/343/825/030/064/900/original/e3075f25266481ee.png

    • feld (feld@friedcheese.us)'s status on Wednesday, 16-Apr-2025 09:00:22 JST
      @briankrebs time to just go back to posting on full-disclosure mailing list and having no embargoes, let people figure it out from there :)
    • BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 16-Apr-2025 09:00:24 JST
      in reply to James Berthoty

      Pretty cool explainer on why MITRE's CVE is so central to the process of how a vulnerability disclosure becomes official, and widely recognized. From James Berthoty on LinkedIn @jamesberthoty

      Attachments

      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/344/685/978/817/115/original/12c950c971c2d99e.png
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Wednesday, 16-Apr-2025 12:08:08 JST
      @briankrebs To be honest, https://www.cve.org/ was already totally useless, as it doesn't show anything unless your computer carries out arbitrary remote code execution via JavaScript (a severe vulnerability).
    • BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 16-Apr-2025 13:49:22 JST

      Finally put together a proper story on this funding debacle for MITRE's CVE program.

      "A critical resource that cybersecurity professionals worldwide rely on to identify, mitigate and fix security vulnerabilities in software and hardware is in danger of breaking down. The federally funded, non-profit research and development organization MITRE warned today that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program -- which is traditionally funded each year by the Department of Homeland Security -- expires on April 16."

      https://krebsonsecurity.com/2025/04/funding-expires-for-key-cyber-vulnerability-database/

      Attachments

      1. Funding Expires for Key Cyber Vulnerability Database (krebsonsecurity.com)
    • Philip Weiss (Phil in SF) (kingrat@sfba.social)'s status on Wednesday, 16-Apr-2025 13:49:22 JST

      @briankrebs how much is the funding normally?

    • BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 16-Apr-2025 14:42:29 JST

      It's worth asking again who would benefit from taking CVE offline? Surely not the United States government, nor its private companies. Not its allies (such as they are now) in Europe. But it almost certainly would help our adversaries, like China and Russia, because confusion and uncertainty works to their advantage always.

    • BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 16-Apr-2025 14:42:29 JST

      Probably the last CVE indexed before it goes dark should be CVE-2025-DOGE (critical, local privilege escalation vulnerability that leads to malicious code execution and data exfiltration).

    • BrianKrebs (briankrebs@infosec.exchange)'s status on Thursday, 17-Apr-2025 00:22:05 JST

      UPDATE: The CVE board today announced the creation of a non-profit entity called The CVE Foundation that will continue the program's work under a new, unspecified funding mechanism and organizational structure.

      "Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract," the press release reads. "While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor."

      The organization's website, thecvefoundation.org, is less than a day old and currently hosts no content. The announcement said the foundation would release more information about its structure and transition planning in the coming days.

      Attachments

      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/348/289/245/954/517/original/c772e17d6525f817.png

    • BrianKrebs (briankrebs@infosec.exchange)'s status on Thursday, 17-Apr-2025 00:22:05 JST

      And, just like that, there IS content on the foundation's site.

    • Dreugan (_dreugan_@mastodon.social)'s status on Thursday, 17-Apr-2025 00:40:33 JST
      • Kevin Beaumont

      @GossiTheDog @briankrebs Nothing wrong with a little redundancy.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.