Summary Bullets:
• The foundations of the cybersecurity industry shook as the CVE program nearly ended over short-sighted budget considerations.
• It is hard to convey how crucial the CVE system is worldwide.
This news was kept in the dark. Had it not been for a leak of an internal memo to social media, it would have hit the cybersecurity landscape like a musket ball to the forehead. The Common Vulnerabilities and Exposures (CVE) system is a load-bearing piece of the world’s cybersecurity infrastructure, yet it came perilously close to being suspended. The current US administration’s FIRE – READY – AIM approach to cost cutting was to blame for what could have been a catastrophic loss.
The funds to renew the contract with the organization that runs the CVE program were withdrawn. After an earthquake of protest from the cybersecurity community, CISA restored funding for the next 11 months. After that, renewal of the contract in 2026 is anybody’s guess.
Since 1999, the CVE program has been widely used in cybersecurity and enterprise IT as a centralized repository and reference for vulnerabilities in software, hardware, and services, and it forms the basis for the US National Vulnerability Database. The CVE system is paid for by the US Cybersecurity and Infrastructure Security Agency (CISA) and operated and administered by The MITRE Corporation, a not-for-profit company that manages federally funded research and development centers, known as FFRDCs.
It is hard to convey how crucial the CVE system is worldwide. Without it, cybersecurity organizations could and would name new vulnerabilities using their own nomenclature. Each vulnerability could carry a different name, number, and naming scheme at every organization, making it extremely difficult to recognize the same vulnerability across organizations. The CVE system solved that by providing a central naming authority and a channel for disseminating vulnerability intelligence, used by every major Computer Emergency Response Team (CERT) and company across the globe. Stopping the CVE program, even briefly, would have had a considerable negative impact on the ability of every company, government, and organization to manage the risk of vulnerabilities.
Declining Trust and Splintering
This has been a wake-up call. Until now, the CVE system has been steadily funded with the support of both major US political parties, in rare agreement on the value of the system. Cuts to the CVE system were never discussed: the system worked well and is considered a success. Now there is considerable trepidation about relying solely on US government funding. Several members of the CVE board have announced that they have established The CVE Foundation, a separate non-profit group focused solely on maintaining the CVE service if funding for MITRE to operate it is lost again. The European Union Agency for Cybersecurity (ENISA) has created the European Union Vulnerability Database, which issues its own IDs for vulnerabilities but also lists the associated CVE ID. Work on this new database began in June 2024, before the CVE funding issue was widely known, and is a sign of growing distrust of US government control of the CVE system.
There is a real danger of information about vulnerabilities being splintered across multiple sources. When it comes to vulnerabilities, there are no winners in a splintered system. The lack of central identification of vulnerabilities is what prompted the creation of the CVE system in the first place. A worldwide vulnerability database, open for all to use, is the only logical approach. Hopefully, this wake-up call about the CVE system spurs more action to address all concerns and ensure a standardized and centralized approach to vulnerability information.
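The splintering problem described above (the same bug carried under a vendor advisory number, an EUVD ID, and a national CERT number) is exactly what a shared CVE ID lets defenders reconcile. The following is an added example, not code from the original article or from MITRE, ENISA, or CISA: it correlates advisories from several publishers by their cross-referenced CVE ID and flags records that carry no CVE link and therefore cannot be matched. The publisher names, local identifiers, and advisory titles are constructed sample data; the CVE ID syntax check follows the published CVE-YYYY-NNNN form with four or more sequence digits.

```python
import re
from dataclasses import dataclass
from typing import Optional

# CVE ID syntax: CVE-<4-digit year>-<4 or more digit sequence number>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Advisory:
    source: str               # publisher of the record (constructed names)
    local_id: str             # the publisher's own identifier for the issue
    cve_id: Optional[str]     # cross-referenced CVE ID, if the publisher gave one
    title: str


def normalize_cve(raw: Optional[str]) -> Optional[str]:
    """Canonicalise a CVE reference: trimmed, uppercased, and syntactically valid.
    Returns None for missing or malformed references so they are never matched
    on by accident."""
    if raw is None:
        return None
    candidate = raw.strip().upper()
    return candidate if CVE_RE.match(candidate) else None


def correlate(advisories):
    """Group advisories from different publishers by canonical CVE ID.

    Returns (by_cve, orphans): by_cve maps each CVE ID to the records that cite
    it; orphans are records with no usable CVE cross-reference, which is the
    fragmented state the article warns about."""
    by_cve = {}
    orphans = []
    for adv in advisories:
        cve = normalize_cve(adv.cve_id)
        if cve is None:
            orphans.append(adv)
        else:
            by_cve.setdefault(cve, []).append(adv)
    return by_cve, orphans


# Constructed sample feed: three publishers describing two underlying bugs,
# each under its own naming scheme, plus one record with no CVE link at all.
SAMPLE_FEED = [
    Advisory("vendor-psirt", "VSA-0042", "cve-2025-0001", "Buffer overflow in widget parser"),
    Advisory("euvd", "EUVD-2025-0007", "CVE-2025-0001", "Widget parser memory corruption"),
    Advisory("national-cert", "CERT-A-17", "CVE-2025-0001 ", "Memory safety bug in widget lib"),
    Advisory("vendor-psirt", "VSA-0043", "CVE-2025-0002", "Auth bypass in admin console"),
    Advisory("national-cert", "CERT-A-18", None, "Admin console authentication weakness"),
]


def report(advisories=SAMPLE_FEED):
    """One line per CVE listing every publisher's record for it, followed by
    one line per record that could not be linked to any CVE."""
    by_cve, orphans = correlate(advisories)
    lines = []
    for cve in sorted(by_cve):
        sources = ", ".join(f"{a.source}:{a.local_id}" for a in by_cve[cve])
        lines.append(f"{cve}: {len(by_cve[cve])} record(s) [{sources}]")
    for adv in orphans:
        lines.append(f"UNLINKED {adv.source}:{adv.local_id} - {adv.title!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run as a script, the report shows the three differently named records collapsing onto one CVE ID, while the national CERT record that omitted a CVE reference stays unlinked: a triage team would have to read its title and guess whether it duplicates the vendor's auth-bypass advisory, which is the manual reconciliation the CVE system exists to remove.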