alexmorley, 3 days ago
Edit suggests the contract has been renewed last minute.
https://www.forbes.com/sites/kateoflahertyuk/2025/04/16/cve-...
Shank, 3 days ago
Are there any non-Forbes sources that confirm this?
shagie, 3 days ago
https://www.itpro.com/security/confusion-and-frustration-mit...
> However, in an updated statement, the agency revealed it intends to maintain the database in a bid to prevent a lapse in CVE services.
> “The CVE Program is invaluable to the cyber community and a priority of CISA,” a spokesperson said.
> “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
Searching for that last passage:
https://www.bleepingcomputer.com/news/security/cisa-extends-...
> "The CVE Program is invaluable to cyber community and a priority of CISA," the U.S. cybersecurity agency told BleepingComputer. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."
And https://www.reuters.com/world/us/us-agency-extends-support-l...
> WASHINGTON, April 16 (Reuters) - U.S. officials have said at the last minute that they're extending support for a critical database of cyber weaknesses whose funding was due to run out on Wednesday.
> The planned lapse in payments for the MITRE Corp's Common Vulnerabilities and Exposures database spread alarm across the cybersecurity community. The database, which acts as a kind of catalog for cyber weaknesses, plays a key role in enabling IT administrators to quickly flag and triage the myriad different bugs and hacks discovered daily.
chris_wot, 3 days ago
Let me guess, Elon's DOGE crew were part of this and screwed up yet another thing that is essential for U.S. security?
shagie, 3 days ago
My {conspiracy | belief | suspicion} is that this was something where, as part of the DoD, they saw "Mitre Corporation" and that organization's relationship with MIT and were pulling funding for anything "elite liberal academia" (even distantly related), combined with the "we're pulling back from anything cybersecurity" ( https://news.ycombinator.com/item?id=43228029 ). (edit) I've run out of invocations of Hanlon's Razor and it needs a long rest before it's recharged. (/edit)
I don't believe it was a mistake - they wanted to pull its funding (and still intend to do). Note the wording of the statement:
> Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services.
We are now in the option period.
At some point in the future, that option period will expire.
neodymiumphish, 3 days ago
This type of option exercise is extremely common in government contracts. I don’t think there’s much to read into on that front.
shagie, 3 days ago
The option is common (the particulars of the award are at https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000019... ). The fact that the option needed to be done rather than DHS continuing to support CVE and related programs is an abandonment of the responsibilities of the organization to try to keep computer systems secure.
https://www.cisa.gov/news-events/directives/bod-22-01-reduci...
A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.
Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives.
Federal agencies are required to comply with DHS-developed directives.
...
Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.
If there's no catalog that the government is maintaining for "these things need to be fixed to run on federal systems" ... then how do you ensure that the federal computers are secure?
snickerbockers, 3 days ago
I would feel a lot better about my skills knowing that bigballs also had difficulty figuring out the correct syntax for this particular engine's version of \w and how many layers of backslash escapes are needed.
gtani, 15 hours ago
Reddit thread w/ sources seems credible, but 11 months only and still dependent on a single funder
https://old.reddit.com/r/netsec/comments/1k0dodx/mitre_suppo...
plasma_beam, 3 days ago
It hasn't posted to FPDS yet: https://www.fpds.gov/ezsearch/fpdsportal?q=PIID%3A%2270RCSJ2...
Assuming this is the correct contract, which it appears to be, it had an option period starting today through March of next year. DHS just needed to exercise the option.
DeepYogurt, 3 days ago
Main page news on https://www.cisa.gov/
marcusb, 3 days ago
Just social media posts, with claims they received the info from CISA https://infosec.exchange/@metacurity/114347467581760027
Supposedly, MITRE will make a statement today. Time will tell.
Edit - it is MITRE, not CISA, which the poster expects to make a statement.
ForOldHack, 3 days ago
This was 0 minutes ago. Glad to see how important CVE is to security personnel.
marcusb, 3 days ago
?
Metacurity’s post was like 90 minutes ago.
numpad0, 2 days ago
Why would that be important???
hobofan, 3 days ago
To all the comments doubting the legitimacy:
Here is a LinkedIn post by one of the CVE board members (literally the first one on the list here[0]): https://www.linkedin.com/posts/peterallor_cve-foundation-act...
I'm sure if you look at some of the contact information of other CVE board members and their broadcasting platforms you will also find something.
layer8 (op), 3 days ago
Tod Beardsley seems to confirm it as well: https://infosec.exchange/@todb
Xunjin, 3 days ago
Ngl, I would love a more “clear confirmation”; he just boosted and posted a meme.
hobofan, 3 days ago
He boosted a post that is 1:1 an announcement of the project.
How much more of a "clear confirmation" do you want? An announcement from their non-existent personal press secretaries that just says the exact same text as that post he boosted?
I think people here need to take a step back and realize that the people and board involved here are more like Linux kernel maintainers that are not generally public figures and not C-level executives of a Fortune 500 company.
Yes, since it's cybersecurity a bit more caution than usual is probably warranted, but it's not like the CVE DB has gone offline and everyone is currently scrambling to find the new legitimate replacement. Let's let this situation breathe for a few hours/days instead of being overly cautious and spending all energy on skepticism.
heresie-dabord, 3 days ago
> instead of being overly cautious and spending all energy on skepticism.
Given the state of trustworthy information in news and public discourse, it's understandable that people request a credible source.
The thing called "social media" ain't it.
Xunjin, 3 days ago
I've pointed out that I think a more clear confirmation (in this case an explicit message) would be better. You extrapolated to the other end, assuming that I wanted a press release, which I do feel is a false dichotomy. There is more than one existing option here, and a middle ground would certainly be perfect in this context.
dang, 3 days ago
Related ongoing threads:
CVE program faces swift end after DHS fails to renew contract [fixed] - https://news.ycombinator.com/item?id=43700607
Replacing CVE - https://news.ycombinator.com/item?id=43708409
Vox_Leone, 3 days ago
I think it's time the biggest players in the software industry step up, maybe through a formal consortium. This model would make sense because they benefit the most. Big tech companies rely on CVEs to secure their own products.
They have the means. With their massive revenue and dedicated security teams, these companies could easily fund CVE operations. A consortium approach spreads responsibility fairly.
Shared responsibility, shared benefits. Security is everyone's problem.
jpleger, 3 days ago
Hahaha, CVE was created because industry refused to track and report on things in a consistent and transparent manner. When given the option, business will almost always choose the easy path, and things like vulnerability management programs will be set back years if not decades when the external accountability goes away.
In general, lawyers and CTOs would probably love to see CVE go away or be taken over by industry.
Source: been working in security for 20+ years.
SOLAR_FIELDS, 3 days ago
Because CVE means accountability. It’s very easy to shift accountability onto someone for an unpatched CVE. If given the chance to escape that accountability I’m sure every megacorp would jump at it.
anon6362, 3 days ago
Yup. I'd say around 15% of very severe incidents are ever announced publicly. In most cases, the default is cover-up and hope no one finds out.
To anyone who thinks a libertarian/anarcho-capitalist/Network States "utopia" of Retire All Gubberment Employees (RAGE) is a "good thing", think about air, water, and soil pollution from sewage to arsenic to particulates to lead to radioactivity. Greedy sociopaths DGAF who they hurt, which is perhaps why James Madison observed: "If all men were angels, no government would be necessary." Obviously, this is not human nature and so some laws, enforcement, and regulators are required indefinitely. Anyone who tells you differently isn't a serious person.
blitzar, 3 days ago
> biggest players in the software industry step up
While they are at it maybe chuck $5 to the dev maintaining the open source package that your trillion dollar corporation relies on, that your 50,000 leetcoders can't figure out how to write or live without.
nonrandomstring, 3 days ago
The last people I am ever going to trust about matters of security is US BigTech. Consortium or not. This idea has no legs. We absolutely need an international cyber threat intelligence network, with many checks, balances and oversights. If we're going to ask "who funds it?" then we need to ask "who really benefits from a technology industry?"
_DeadFred_, 3 days ago
Funny people keep saying the government should 'move fast and break things' like Facebook, and leave out that Facebook has committed to $60 billion to $65 billion in expenses to do that process this year. But somehow when it's government moving fast and breaking things that also somehow includes 'having minimal expense'. Something something "Fast, Cheap, or Good, pick two." something something.
HelloNurse, 3 days ago
As this is security, assume the worst: it isn't legit unless MITRE confirms a handover, and even in that case there's ample room for questioning.
bildiba, 3 days ago
I haven't been actively monitoring for security vulnerabilities ever since I switched from system administration to software development a few decades back. These days, I just read news that talks about high profile vulnerabilities - I do see CVE a lot more than cert.
We used to look at cert: https://www.kb.cert.org/vuls/ I just did a quick search to confirm that it is still there.
What's the difference/relationship between the two?
iterance, 3 days ago
The primary difference is that CVE was unexpectedly killed by the US Government yesterday and the program terminates today.
readthenotes1, 3 days ago
How is the failure to renew a contract "unexpected"?
Contracts have end dates. All parties on the contract know them.
Wingy, 3 days ago
I expect they didn’t see it not being renewed coming because the contract was renewed every time for the past 25 years.
rdl, 3 days ago
Curious what the MITRE budget was. CISA funding for the CVE program isn't specifically broken out but "tens of millions of dollars per year" is what I've seen, which seems excessive, despite the CVE program being important.
sjones671, 3 days ago
$40 million per year.
Centigonal, 3 days ago
For the whole CVE database? That's a steal! One breach of a Capital One or similar destroys orders of magnitude more value.
bane, 3 days ago
Hear me out, I wonder if the need for a decentralized database of data like this might be an actual good use for blockchains?
Requires consensus
Immutable
Distributed
A user who needs the CVE database thus just needs to grab a copy of the ledger off of bit torrent or wherever and parse it for all data or updates, etc. It's not like CVEs get lots of updates, and you need to keep track of all of them forever anyways. Updates could be handled by just adding another entry to the chain, and bad actors couldn't really tamper with it.
sph, 3 days ago
It does not require consensus. It does not need to be immutable. It’s simply advisory data. There is no gain if one owner decides to censor or tamper with their stored CVE data, apart from annoyance for its users.
You’ll be quite fine with a centralised database and mirrors. We have been fine with that until now.
All that we need is data to be freely available, shared and possibly that other institutions offer to catalogue software vulnerabilities to have some kind of redundancy and duplication.
bane, 3 days ago
Almost none of what you've said is correct regarding the use and purpose of the CVE database.
FateOfNations, 2 days ago
As somewhat of an aside, this development doesn't necessarily mean much in the way of changes to the way the program is currently run. The foundation can act as a conduit/collection point for funding from industry, with the program remaining run under a contract with MITRE.
relistan, 3 days ago
Hopefully this is legit. There is no real info. They say both that they are responding to the announcement and that they have been planning it for a year. I doubt that the last part was intensely planned or they’d likely have announced something sooner.
I suspect some likely fracturing of efforts here. Would be great if everyone did get behind a single solution. I’m not sure if this is it. A US-based non-profit is maybe not the best solution.
inktype, 3 days ago
Comments are understandably negative as the press release has very little information, but I clicked vouch because I have a reason to believe it is legitimate
edent, 3 days ago
Care to share your reason with the rest of the class?
ForOldHack, 3 days ago
The Chinese, and Russians who share data with the N Koreans, are prowling around like an oversexed pack of boy scouts 24 hours a day, 7 days a week, and not a single one took Easter week off. Worried?
CrowdStrike turned into the worst piece of garbage since wafer locks...
The single most profitable source of foreign funds for N Korea turns out to be stolen bitcoins, while gov officials are forcibly removed from their desks...
What. Me. Worry?
__MatrixMan__, 3 days ago
Packs are for cub scouts. It would be an oversexed troop.
OtherShrezzing, 3 days ago
This is a Google Workspace site thrown up 11 hrs ago, and doesn't appear to be linked to from any official source.
I don't think it's credible that CVE as an organisation would produce this website and not link to it from their official site or social media accounts.
pama, 3 days ago
There is hope people will report this site and google will take it down quickly.
tptacek, 3 days ago
If this holds up, this seems like a good outcome, a better place to end up than where we were before the US killed Mitre's contract.
xyst, 3 days ago
As I suspected in other thread, the gutting of the CVE program will lead to a fractured db of CVEs. Wonder how many more will pop up out of the wood works.
excalibur, 3 days ago
The letter was dated yesterday, and in response they spent the past year working on this?
HelloNurse, 3 days ago
"While we had hoped this day would not come, we have been preparing for this possibility.
In response, a coalition ..."
This sounds like secret, unofficial contingency planning; "this day" has apparently come very suddenly.
odo1242, 3 days ago
I doubt it’s meant to be “secret” contingency planning, but definitely unofficial contingency planning
excalibur, 3 days ago
On its face this sounds like a scheme quickly devised by a malicious actor to gain a trusted role. We're starting to see some external corroboration, so maybe it will turn out to be legitimate after all, but the smart money is always on skepticism.
HelloNurse, 3 days ago
Definitely. Not showing an immediate threat, such as a copy of the CVE database or a request for money, can be assumed to be the typical approach of a long con rather than a sign of goodwill.
LiamPowell, 3 days ago
Edit: See other comments. Some CVE board members have posted this on their social media accounts; however, there's still nothing on any official CVE channels. It's a little concerning that this was upvoted to the top of the front page before those comments had been posted, given that this is a newly registered domain running on Google Sites for something that it says has been in the works for a year.
Original comment:
Why is this being upvoted? There's no reference to it on the CVE website and the domain was only registered after the letter leaked despite the website claiming this was in the works for a year.
Additionally, the WHOIS claims that the registrant is "CVE Foundation", which cannot be found using the IRS search tool for tax-exempt organisations (note that MITRE does show up here): https://apps.irs.gov/app/eos/
_verandaguy, 3 days ago
Seconding this. A program like CVE still has to be built on (to some extent, and at least in the initial stages) traditional, non-cryptographic trust.
Who runs this thing? Who's funding it? Who's reviewing, testing, and approving the reports? Assigning them IDs?
I'm hoping for the best, and I'm willing to give the benefit of the doubt because of the frankly crap timing around this whole mess, but on its face, in its current state, I wouldn't trust this org at all.
ForOldHack, 3 days ago
It's a sad day when the CVE has to issue a CVE for the U.S. government. The meta... The meta ...
stavros, 3 days ago
We're all just happy to see it.
ForOldHack, 3 days ago
Extremely. We are all extremely happy to see it. No data sharing with the White House, keep the tsunami at bay.
Not, "All your updates are belong to us."
And...
A personal thanks to every security researcher who has contributed in the last year. I see a CVE, and specifically look for the out-of-band update and patch everything that powers up.
One breach on an old lady's laptop, who had the sense to bring it right to me. Keep those covers on the cameras, folks.
melodyogonna, 3 days ago
Very nice!
LunaSea, 3 days ago
The Foundation should refuse to procure data to US governmental services and affiliated companies providing services to it.
1970-01-01, 3 days ago
There's nothing official about CVE moving. Why should I trust anything on thecvefoundation.org? If you're going to do it, be serious about all of it. Set up something like "CVE.arpa" which immediately displays very serious credibility. Write an official handoff letter. Put out an official statement for its new home. What has been done here is another half-baked half-measure attempt at solving a very political problem.
ta1243, 3 days ago
Yeah, in the USA, where organisations and officers are continually threatened by an adversarial government.
No thanks.
Harvard for example doesn't kowtow to the regime, and look what happens. Non-profits in the USA are not independent.
throwawaymaths, 3 days ago
A non profit is independent if they don't take federal money? Like EFF, for example.
Maybe CVEs should be tracked by a nongovernmental agency, like how UL works.
mschuster91, 3 days ago
> A non profit is independent if they don't take federal money? Like EFF, for example.
The problem is the seat of the non-profit, as long as it is in the US it remains vulnerable to stuff like gag orders (and the UK is similar, see the recent issues with Apple and E2E encryption), or just the administration plainly ignoring the law and just forcing it to shut down or whatnot.
> Maybe CVEs should be tracked by a nongovernmental agency, like how UL works.
The current administration has attacked multiple nongovernmental agencies already, or trampled over federal law.
The only thing I'd trust for now to be a safe haven would be an international organization like the WHO that's backed by diplomatic treaties - but even these aren't safe either, just look at the ICC vs Israel debate, or the constant attacks and conspiracy theories on the WHO.
dmix, 3 days ago
> as long as it is in the US it remains vulnerable to stuff like gag orders
Only under FISA warrants where you can't reveal the investigation to the public or during a regular trial if the judge determines leaking details of the case will impact justice AFAIK.
mschuster91, 3 days ago
Do you trust this administration to respect the rule of law to that degree? That is the core issue IMHO.
throwawaymaths, 3 days ago
Probably less than most (but not all) administrations. Almost every administration has trampled on the rule of law. FDR and Wilson come to mind as among the worst. At least this administration has many vocal eyes on it.
throwawaymaths, 3 days ago
> WHO conspiracy theory
OK well we know where you stand on that issue. Too bad pretty much every working molecular biologist agrees that the WHO is covering up COVID origins.
ape4, 3 days ago
It's not hard to imagine the current regime complaining about a CVE issued about a product made by a favored company, e.g. x.com
odo1242, 3 days ago
Harvard takes a lot of federal money. On the order of millions to billions of dollars.
brazzy, 3 days ago
However, they just refused demands to compromise their principles in order to keep receiving those billions, while many other organizations caved in to the threats.