Common Vulnerabilities and Exposures (CVE) Funding
Cynthia Brumfield (via Hacker News):
After DHS did not renew its funding contract for reasons unspecified, MITRE’s 25-year-old Common Vulnerabilities and Exposures (CVE) program was slated for an abrupt shutdown on April 16, which would have left security flaw tracking in limbo.
Gavin D. Howard (via Hacker News):
The CVE system has been less good about securing our infrastructure than it has been about giving headaches to some of the most important projects. Curl gets bogus CVEs all the time and has to spend precious time dealing with them. PostgreSQL does too. The Linux kernel went a different route and just spams CVEs so that kernel CVEs essentially become worthless.
Worthless? Does that mean that CVEs were actually worth something to people?
Yes, absolutely. Script-kiddies that consider themselves “security researchers” try to find bugs in big projects and then get them labeled as CVEs so they can add those CVEs to their résumés. As one user on Hacker News said, “Unfortunately, the CVE database(s) are too noisy to be useful.”
In fact, it got so bad that Curl decided to do extra work to become a CNA, just so they can reject spurious reports and prevent the NVD from giving excessively high vulnerability scores.
CVE Foundation (via Hacker News):
The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a critical pillar of the global cybersecurity infrastructure for 25 years.
Earlier this week, the widely used Common Vulnerabilities and Exposures (CVE) program faced doom as the US government discontinued funding for MITRE, the non-profit that operates the program. Uncle Sam U-turned at the very last minute, and promised another 11 months of cash [via CISA] to keep the program going.
Meanwhile, the EU is rolling its own.
The European Union Agency for Cybersecurity (ENISA) developed and maintains this alternative, which is known as the EUVD, or the European Union Vulnerability Database.
Previously: