MITRE’s CVE program has been an important pillar in cybersecurity for over two decades. The lack of certainty surrounding the future of the CVE program creates great uncertainty about how newly discovered vulnerabilities will be cataloged.
Background
On April 15, reports circulated that the contract for funding the Common Vulnerabilities and Exposures (CVE) program along with other related programs, such as Common Weakness Enumeration (CWE), would be expiring on April 16. The letter below was sent to CVE Board Members and published on social media and other fora announcing the expiration of these programs:
The legitimacy of this letter and its contents was confirmed by cybersecurity journalist Brian Krebs in a post on Mastodon. Tenable has also independently confirmed the letter’s legitimacy.
CVE program importance
While flawed in some ways, the CVE program, which recently celebrated its 25th anniversary, has been an important pillar in cybersecurity for over two decades. It provides a common taxonomy for cybersecurity solutions and organizations to track vulnerabilities and exposures. Since its launch in 1999, the CVE program has published over 250,000 CVEs as of the end of 2024.
Risk to CVE program
With the report that the funding for the CVE program is potentially set to expire on April 16, the biggest concern stems from the fact that CVE Numbering Authorities, or CNAs, will no longer be able to reserve and assign CVEs for newly discovered vulnerabilities. While CNAs typically try to reserve a block of CVEs, the lack of transparency surrounding the future of the CVE program creates uncertainty surrounding newly discovered vulnerabilities. The historical CVE database will remain intact on GitHub following the expiration of the CVE program. However, MITRE’s CVE program also provides a centralized repository of CVEs from which m
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: