Wow. CVE database is in serious trouble, tomorrow.

The cyber industry as a whole is in trouble too, really; it's the elephant in the room. The collapse of the White House's support for cybersecurity is obvious and pronounced due to widespread cutbacks.

in reply to Kevin Beaumont

My take on the CVE contract issue for businesses: don’t overreact, wait and see what impacts are.

The NVD backlog was already pretty crazy. The US gov has gotta put real funding into this area if it wants to retain control of cyber standards.

in reply to Kevin Beaumont

Just as an update to this - @briankrebs has confirmed with MITRE the letter is real, and as it stands the CVE database is likely to go offline tomorrow.
in reply to Kevin Beaumont

To widen it out - CVE is the globally recognised system orgs use for vulnerability management.

Every vulnerability management product uses CVEs. Vulnerability management is a core part of cybersecurity - often, the most important part.

Additionally, CVE is written into several US government standards that orgs have to follow.

So the US Government not funding it is a major and historic own goal.

in reply to Kevin Beaumont

There's an argument that MITRE should try to keep everything alive and run things without funding and contracts etc., but, honestly? My take: stop doing everything that isn't in the contract. Force the issue.
in reply to Kevin Beaumont

Can they even afford to? They're a non-profit R&D org with just about everyone on soft contract money.
in reply to Matt Blaze

@mattblaze Right now, I gather we can't afford anything. And I'm not sure if it would be legal for us to perform on a lapsed contract even if we could afford it. But at this point, what I know is what's in the public letter, and that's about it.
in reply to Kevin Beaumont

CISA comment on CVE situation - they say the contract “will” lapse tomorrow. infosec.exchange/@metacurity/1…
in reply to Kevin Beaumont

NextGov piece on the CVE mess. nextgov.com/cybersecurity/2025…
in reply to Kevin Beaumont

DOGE have terminated MITRE's contracts; they say they will be laying off nearly 500 people. This will have impacts beyond CVE, think MITRE ATT&CK etc. virginiabusiness.com/nova-govc…
in reply to Kevin Beaumont

If you want to know how stupid the CVE situation is - CISA are trying to source last minute funding or look at taking CVE management in house, but they themselves have had a massive budget cut where the staff trying to fix it are also at risk of being cut.
in reply to Kevin Beaumont

Looks like the US Government are going to lose control of CVE. thecvefoundation.org/
in reply to Kevin Beaumont

Another effort - gcve.eu/ Global CVE Allocation System. @gcve
in reply to Kevin Beaumont

CISA have, at the last minute, extended the MITRE CVE contract. “The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.” HT @metacurity

It’s unclear how long it has been extended for.

in reply to Kevin Beaumont

Now all we need is for Breachforums to get back online and the threat intelligence industry is alive again!
in reply to Kevin Beaumont

MITRE’s statement is interesting, as they included trademark and copyright symbols on terms like CVE. One to watch as people try to start their own systems.

mastodon.social/@bagder/114349…

in reply to Kevin Beaumont

The CVE Foundation now lists the people involved thecvefoundation.org/frequentl… @thecvefoundation