
The CVE (Common Vulnerabilities and Exposures) database is widely used across many cybersecurity tools, allowing the tracking of vulnerabilities.
The CVE program has been in existence for 25 years but today MITRE — the non-profit organization which looks after the database — has announced that its contract with the US Department of Homeland Security to operate the CVE Program hasn’t been renewed.
Matt Saunders, DevOps lead at The Adaptavist Group, says:
Like many pieces of open source software, the CVE database has become a dependable resource for all teams with any concern over security, and its centralization and dependability have allowed DevSecOps teams to build pipelines to get fixes out quickly, for all manner of software security issues.
Losing it will make our software harder to secure, and its absence will mark a victory for cybercriminals across the world. It feels possible that funding for this will move to one of the big players in global cybersecurity, or perhaps a consortium of them, as the health of the CVE MITRE database is undoubtedly of global benefit. There’s an opportunity here for the private sector, who will benefit the most from this, to step up and keep it going in the public interest, though there are also inevitable concerns around it falling into the hands of a single private entity.
In a letter leaked on the social media platform Bluesky, MITRE vice president Yosry Barsoum confirmed that US government funding for the CVE database and the Common Weakness Enumeration (CWE) program would expire.
While the news sent ripples through the industry, there does seem to have been a last-minute reprieve, with Forbes reporting that the US Cybersecurity and Infrastructure Security Agency said it had extended the contract with MITRE.
Chris Burton, head of professional services at Pentest People, says, “It’s completely understandable there are concerns about the government pulling funding for the MITRE program; it’s a troubling development for the security industry. If the issue is purely financial, crowdfunding could offer a viable path forward, rallying public support for a project many believe in. If it’s operational, there may be an opportunity for a dedicated community board to step in and lead. Either way, this isn’t the end; it’s a chance to rethink and reimagine. Let’s not panic just yet; there are still options on the table. As a global community, I think we should see how this unfolds.”
Describing the potential withdrawal of funding as “…a tragic blow for the cybersecurity industry,” Kevin Robertson, CTO of Acumen Cyber, says, “MITRE’s program is currently the most widely used CVE database, so it will be difficult for organizations to find a suitable alternative. Vendor-specific vulnerability databases or the National Vulnerability Database are reasonable alternatives, but neither is as comprehensive or streamlined as MITRE’s program.”
It seems that CVE is safe for now, but perhaps this should be a wake-up call about the risks of the industry’s reliance on a single source of vulnerability information.
Image credit: cifotart/depositphotos.com