
US government funding helps non-profit research giant MITRE operate and maintain the Common Vulnerabilities and Exposures (CVE) program.
The 25-year-old CVE program is a valuable tool for vulnerability management and provides a de facto standard for identifying, defining and cataloging publicly disclosed security flaws using CVE IDs.
“Funds to develop, operate and modernize CVE and related programs such as the Common Weakness Enumeration (CWE) will expire,” said Yosry Barsoum, vice president and director of MITRE’s Center for Securing the Homeland.

“If a service break occurs, multiple impacts on CVE are expected, including degradation of national vulnerability databases and advisories, tool vendors, incident response operations, and all kinds of critical infrastructure.”
However, Barsoum pointed out that the government has “continued to put in considerable effort” to support MITRE’s role in the program, and that MITRE remains committed to CVE as a global resource.
The CVE program was launched in September 1999 and has been operated by MITRE with sponsorship from the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
In response to this move, cybersecurity company VulnCheck, a CVE Numbering Authority (CNA), announced that it will actively reserve 1,000 CVEs to fill the void in 2025.

“Service breaks are likely to break down the national vulnerability database and recommendations,” Jason Soroko, a senior fellow at Sectigo, said in a statement shared with The Hacker News.
“This lapse can have a significant impact on tool vendors, incident response operations, and critical infrastructure. MITRE emphasizes its ongoing commitment, but warns of these potential impacts if the contract pathway is not maintained.”

Tim Peck, a senior threat researcher at Securonix, told The Hacker News that revocation could have significant consequences for the cybersecurity ecosystem, with CNAs and defenders unable to obtain or publish CVEs, which could lead to delays in vulnerability disclosure.
“In addition, the Common Weakness Enumeration (CWE) project is essential for classifying and prioritizing software weaknesses,” Peck said. “The outages affect secure coding practices and risk assessments. The CVE program is fundamental infrastructure. It is not only a ‘referenceable list’, but also a key resource for vulnerability coordination, prioritization and response efforts.”