CVE Program Almost Unfunded

MITRE’s CVE program—which provides standardized naming and associated reference information for cybersecurity vulnerabilities—was on the verge of being discontinued because the US Department of Homeland Security did not renew the contract. Fortunately, it received funding for an additional eleven months at the last moment.

This is significant. The CVE program is a crucial piece of common infrastructure that benefits everyone. Losing it would put us back in a world with no unified way to refer to and discuss vulnerabilities. It’s quite astonishing that the US government would compromise its own security in this manner—though it’s probably no more bizarre than other actions the US is currently taking that run counter to its own interests.

Sasha Romanosky, a senior policy researcher at the Rand Corporation, described the termination of the CVE program as “tragic,” a feeling shared by numerous cybersecurity and CVE specialists contacted for their views.

“CVE naming and assignment to software products and versions form the bedrock of the software vulnerability ecosystem,” Romanosky stated. “Without this system, we cannot track newly identified vulnerabilities. We cannot evaluate their seriousness or foresee their exploitation. Moreover, we would certainly struggle to make informed decisions regarding their remediation.”

Ben Edwards, a principal research scientist at Bitsight, expressed to CSO, “My response is one of sadness and disappointment. This is a crucial resource that definitely should be funded, and failing to renew the contract is an error.”

He further noted, “I am optimistic that any disruption will be short-lived and that if the contract is not renewed, other participants within the ecosystem can continue where MITRE has ceased operations. The decentralized structure and transparency of the system facilitate this, but it will certainly be a challenging transition if responsibilities must shift to another organization.”

More quotes along these lines can be found in the article.

I suspect we will find a way to maintain this program without the involvement of the US government. However, a bit of advance notice would have been appreciated.
