{"id":48354,"date":"2025-07-04T16:55:51","date_gmt":"2025-07-04T20:55:51","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=48354"},"modified":"2025-07-05T00:36:07","modified_gmt":"2025-07-05T04:36:07","slug":"common-vulnerabilities-and-exposures-cve-funding","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/07\/04\/common-vulnerabilities-and-exposures-cve-funding\/","title":{"rendered":"Common Vulnerabilities and Exposures (CVE) Funding"},"content":{"rendered":"

Cynthia Brumfield<\/a> (via Hacker News<\/a>):<\/p>\n

\n

After DHS did not renew its funding contract for reasons unspecified, MITRE’s 25-year-old Common Vulnerabilities and Exposures (CVE) program was slated for an abrupt shutdown on April 16, which would have left security flaw tracking in limbo.<\/p>\n<\/blockquote>\n\n

Gavin D. Howard<\/a> (via Hacker News<\/a>):<\/p>\n

The CVE system has been less good about securing our infrastructure than they\nhave been about giving headaches to some of the most important projects. Curl\ngets bogus CVEs<\/a> all the time and has to spend precious time dealing with\nthem<\/a>. Postgresql does too<\/a>. The Linux kernel went a different route and\njust spams CVEs<\/a> so that kernel CVEs essentially become worthless.<\/p>

Worthless? Does that mean that CVEs were actually worth something to people?<\/p>

Yes, absolutely. Script-kiddies that consider themselves “security researchers”\ntry to find bugs in big projects and then get them labeled as CVEs so they can\nadd those CVEs to their résumés<\/a>. As one user on Hacker News said<\/a>,\n“Unfortunately, the CVE database(s) are too noisy to be useful.”<\/p>

In fact, it got so bad that Curl decided to do extra work<\/em> to become a\nCNA<\/a>, just so they can reject spurious reports and avoid the NVD<\/a> from\ngiving excessively high vulnerability scores.<\/p><\/blockquote>\n\n

CVE Foundation<\/a> (via Hacker News<\/a>):<\/p>\n

\n

The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a critical pillar of the global cybersecurity infrastructure for 25 years.<\/p>\n<\/blockquote>\n\n

Jessica Lyons<\/a>:<\/p>\n

\n

Earlier this week, the widely used Common Vulnerabilities and Exposures (CVE<\/a>) program faced doom as the US government discontinued<\/a> funding for MITRE, the non-profit that operates the program. Uncle Sam U-turned at the very last minute<\/a>, and promised another 11 months of cash [via CISA] to keep the program going.<\/p>

Meanwhile, the EU is rolling its own.<\/p>

The European Union Agency for Cybersecurity (ENISA) developed and maintains this alternative, which is known as the EUVD<\/a>, or the European Union Vulnerability Database.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n