Saturday, April 19, 2025

CVE program gets its funding back, and new foundation promises long-term stability


Mishaal Rahman / Android Authority

TL;DR

  • Yesterday the organization operating the Common Vulnerabilities and Exposures database (CVE) announced that government funding was about to end.
  • The US Cybersecurity and Infrastructure Security Agency (CISA) has now stepped up to extend its option to finance the program.
  • The CVE Board has also shared that it’s forming a new CVE Foundation to ensure long-term stability.

The United States government has found itself on a bit of a cancelation spree as of late, terminating critical programs with all the subtlety and care of a bull in a china shop. Late yesterday, we got word that the Common Vulnerabilities and Exposures database (CVE) was about to lose its funding. Considering how critical a role the CVE plays in naming and tracking the sort of security vulnerabilities that malware is always looking to exploit, this felt like a huge, unacceptable risk for the tech industry as a whole. Luckily, it now looks like we don’t have anything to (immediately) worry about.

Today we’re getting good news on two separate fronts. First up, BleepingComputer reports that the US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that CVE funding to MITRE is being extended. A spokesperson shares, “last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services.”

But before that information even arrived, members of the old CVE Board shared their own plan for keeping the CVE program going, through the launch of a new non-profit CVE Foundation. Apparently the Board had been concerned about its reliance on US government funding for some time now, and had been making preparations behind the scenes to reconfigure itself in this new, future-proof form.

The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative.

The Foundation hasn’t yet announced full details of what this new era will look like, nor what, if anything, might change about its operation, but promised to have more to share in the days to come. We imagine that CISA extending funding may complicate that transition a little, but the end result here seems clear: CVE reports aren’t going anywhere, and there are a lot of people who care enough about this program to make sure that remains the case.
