U.S. government funding for the Common Vulnerabilities and Exposures program expires April 16.
The security industry is panicking over the potential loss of the CVE program. Run by the MITRE non-profit, the CVE database is a critical tool for tracking the status of vulnerabilities.
CISA just announced a temporary reprieve, but the dangers are obvious. In today’s SB Blogwatch, we look for the opportunities.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Ska punk Rehab.
These are “Interesting” Times
What’s the craic? David DiMolfetta reports: MITRE-backed cyber vulnerability program to lose funding Wednesday
“Multiple impacts to CVE”
Used extensively across sectors, … the CVE Program provides a standardized framework for identifying vulnerabilities and plays a central role in vulnerability management practices. It was first launched in 1999.
…
The CVE Program provides a standardized system for identifying and cataloging publicly known cybersecurity vulnerabilities. Each vulnerability is assigned a unique identifier, designed to help security researchers, vendors and officials communicate consistently about the same issue. Agencies like the Cybersecurity and Infrastructure Security Agency regularly issue vulnerability alerts using CVE standardized language.
…
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” [said] an internal memo purportedly sent to CVE board members.
Just before we went to press, Sergiu Gatlan tells of a temporary reprieve: CISA extends funding to ensure ‘no lapse in critical CVE services’
“Single point of failure”
“The CVE Program is invaluable to cyber community and a priority of CISA,” the U.S. cybersecurity agency [said]. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
…
Before CISA’s announcement, a group of CVE Board members announced the launch of the CVE Foundation, a non-profit organization established to secure the CVE program’s independence in light of MITRE’s warning that the U.S. government might not renew its contract. … Over the last year, the individuals involved in the launch have been developing a strategy to transition the program to this dedicated foundation, eliminating “a single point of failure in the vulnerability management ecosystem” and ensuring “the CVE Program remains a globally trusted, community-driven initiative.”
Update: Jeffrey Burt adds context: CISA at the Last Minute Extends Funding
“Questions remain”
The announcement comes after a frantic 24 hours that saw cybersecurity professionals warn about the dire consequences should MITRE’s … CVE [database] stop operating: A situation … they said would severely hamper security efforts and open the door wider to threat groups and adversarial nation-state operators.
…
However, questions remain—including how long the funding will last. … The reports about the government not renewing the contract … shook a cybersecurity industry that in recent weeks has seen … slashing CISA’s budget and workforce, firing the head of the National Security Agency, and targeting former CISA director Chris Krebs and the company he now works for.
Why are they so concerned? These anonymous Tenable Research bloggers blog thuswise: MITRE CVE Program Funding Set To Expire
“Will create difficulties”
The biggest concern stems from the fact that CVE Numbering Authorities, or CNAs, will no longer be able to reserve and assign CVEs for newly discovered vulnerabilities. While CNAs typically try to reserve a block of CVEs, the lack of transparency surrounding the future of the CVE program creates uncertainty surrounding newly discovered vulnerabilities.
…
MITRE’s CVE program also provides a centralized repository of CVEs from which many organizations fetch data and this may disappear. The lack of this centralized repository will create difficulties going forward for tracking new and noteworthy vulnerabilities under a common identifier.
What are the risks? Incipient highlights big problems for software supply chain security:
Basically when any software/library/whatever has a vulnerability, they have to communicate that out themselves, in some format. If I’m developing a product built on 20 libraries, it won’t just be a matter of scanning CVEs for major vulnerabilities any more, so I’m more likely to miss one. (“Always update” doesn’t … work, when to manage a product you realistically have to version pin.)
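What “scanning CVEs” against a pinned dependency list actually involves, as an added example (not code from the page, from MITRE or from any of the commenters): the script below walks records in the public CVE JSON 5.x layout (the format the cvelistV5 GitHub mirror publishes, with `cveMetadata.cveId` and `containers.cna.affected[].versions[]`) and reports which pinned versions fall inside an affected range. The records, product names, version numbers and CVE IDs are constructed test data, not real advisories; the pre-release handling and the treatment of non-semver version types are assumptions noted in the code. The one thing the whole loop keys on is the CVE ID: that is what lets two advisories for the same bug collapse into one hit, and it is the piece that goes away if nobody is assigning them.

```python
"""Match a pinned dependency manifest against CVE JSON 5.x records.

Added example, not code from the page or from MITRE/CISA. The record layout
follows the public CVE JSON 5.x schema; the records and the manifest below are
constructed test data with hypothetical IDs and products, not real CVEs.
"""
import json
from typing import Iterable

# Constructed CVE 5.x records (hypothetical IDs, vendors and products).
RECORDS = [
    {
        "dataType": "CVE_RECORD", "dataVersion": "5.1",
        "cveMetadata": {"cveId": "CVE-2099-0001", "state": "PUBLISHED"},
        "containers": {"cna": {
            "affected": [{
                "vendor": "example", "product": "libwidget",
                "versions": [{"version": "1.0.0", "status": "affected",
                              "lessThan": "1.4.2", "versionType": "semver"}],
            }],
            "descriptions": [{"lang": "en", "value": "constructed: parser bug"}],
        }},
    },
    {
        "dataType": "CVE_RECORD", "dataVersion": "5.1",
        "cveMetadata": {"cveId": "CVE-2099-0002", "state": "PUBLISHED"},
        "containers": {"cna": {
            "affected": [{
                "vendor": "example", "product": "libgadget",
                "versions": [{"version": "2.0.0", "status": "affected",
                              "lessThanOrEqual": "2.3.0", "versionType": "semver"},
                             {"version": "3.0.0", "status": "unaffected",
                              "versionType": "semver"}],
            }],
            "descriptions": [{"lang": "en", "value": "constructed: auth bypass"}],
        }},
    },
    {   # REJECTED records carry no affected data and must be skipped
        "dataType": "CVE_RECORD", "dataVersion": "5.1",
        "cveMetadata": {"cveId": "CVE-2099-0003", "state": "REJECTED"},
        "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "duplicate"}]}},
    },
]

# Constructed pinned manifest, product -> exact version (the "version pin" case).
MANIFEST = {"libwidget": "1.3.9", "libgadget": "2.3.0", "libgizmo": "0.9.1"}


def semver_key(v: str) -> tuple:
    """Numeric tuple for ordering; pre-release/build suffixes are dropped (assumption)."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def version_affected(pinned: str, entry: dict) -> bool:
    """Apply one CVE 5.x 'versions' entry to a pinned version.

    Only semver ranges are evaluated. Entries with a 'custom' versionType are
    returned as False here so they surface for manual review (assumption), and
    'unaffected' entries never match.
    """
    if entry.get("status") != "affected":
        return False
    if entry.get("versionType") not in ("semver", None):
        return False
    p = semver_key(pinned)
    lo = semver_key(entry["version"])
    if p < lo:
        return False
    if "lessThan" in entry:
        return p < semver_key(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return p <= semver_key(entry["lessThanOrEqual"])
    return p == lo  # a bare 'version' means exactly that one release


def match_manifest(records: Iterable[dict], manifest: dict) -> dict:
    """Return {product: sorted CVE IDs} for pinned versions inside an affected range.

    Results are keyed by CVE ID so that the same bug reported by several
    sources collapses into a single entry.
    """
    hits: dict = {}
    for rec in records:
        meta = rec["cveMetadata"]
        if meta.get("state") != "PUBLISHED":
            continue
        for aff in rec["containers"]["cna"].get("affected", []):
            pinned = manifest.get(aff.get("product", ""))
            if pinned is None:
                continue
            if any(version_affected(pinned, v) for v in aff.get("versions", [])):
                hits.setdefault(aff["product"], set()).add(meta["cveId"])
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    print(json.dumps(match_manifest(RECORDS, MANIFEST), indent=2))
```

Run as-is it reports `libwidget` (1.3.9 sits below the 1.4.2 fix) and `libgadget` (2.3.0 is inside the inclusive range) and ignores `libgizmo`, which no record mentions. Swap `RECORDS` for the JSON files in a local cvelistV5 checkout and the same loop works offline, which is the point: a mirrored copy of the records survives a funding lapse, but new bugs only enter the mirror if a CNA can still reserve an ID for them.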
A crisis spells danger and also opportunity—but for whom? elDog suggests a few:
When wet dreams become reality: Lots of fun characters around the world are looking to create some new mischief. Cue the NorKs, the “Internet Research Agency” in [Russia], etc. Since a lot of the CVEs have to do with industrial control systems this could be a fun time to handle crises at major utilities.
But is there a silver lining in this cloud? Dirk Maij has an idea:
It may be an idea to not use a single point of failure authority, but expand this to 3 authorities based in 3 different locations.
Or are we over-reacting? sinij hopes against hope:
There is no way this is intentional defunding. This must be malicious compliance by someone trying to create exactly this kind of headline. … This will likely get fixed.
On the other hand, some question whether government should be paying for the program at all. mike_hearn, for one:
Why is it the government’s job to do this, especially given the prior widespread view that they’re doing a bad job? Is the software industry so immiserated by poverty that it cannot organize its own distribution of security bulletins?
…
There is a whole ecosystem of security companies to help you understand vulns in your stack. … There seems nothing specific to CVEs that requires government involvement, but the existence of the tax funded scheme does discourage the creation of competitors that might function better.
OK, OK, but do we really want multiple CVE authorities? doublelayer thinks MITRE should continue, but with different funding:
One possibility is to fund this by voluntary contributions from companies. I honestly wouldn’t be surprised if that happened. … The general utility of it is why it made sense to fund it as a public good, but I don’t remember too many governments volunteering to help with the bill.
…
From my reading, MITRE received $29 million for two years, but I’m not sure that all the $14.5 million annually went to the various databases listed. MITRE does various other things, and I don’t know if any of those were also included in the contract.
Voluntary contributions, you say? DarkOx agrees:
There is no reason the tax payer should continue to foot the bill for what is really post-sale QC that the industry should have been doing more effectively all along. The list of CNAs, etc. is essentially a who’s-who of big tech. They don’t need the rest of us paying this—Adobe, EA, Microsoft, Cloudflare, GE, IBM, etc. all have plenty of money to throw at this.
Meanwhile, kornel suggests a depressing analogy with paywalled scientific papers:
More likely some commercial vendor will jump in … to become the Elsevier of security compliance.
And Finally:
Amy vs. Luca? I said, “Yes, yes, yes.”
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij or @richi.bsky.social. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.