A funding cut is forcing the nonprofit MITRE Corporation to end support for a 25-year-old program that helps the cybersecurity industry track and patch software vulnerabilities.
On Tuesday, the nonprofit said, “Funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE) Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire” tomorrow, April 16.
MITRE VP and Director Yosry Barsoum issued the statement after a letter from him circulated on social media, warning about the expiring support and potentially disruptive consequences.
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” the letter said.
This Tweet is currently unavailable. It might be loading or has been removed.
The news is raising alarms in the cybersecurity community since MITRE administers the CVE Program, which acts as an important resource for companies and security researchers to report and patch software vulnerabilities in a standardized format. MITRE is also among the groups that issues CVE ID numbers for such flaws; the CVE Program database currently spans over 270,000 vulnerabilities.
Whether CVE.org will go offline tomorrow remains unclear. But MITRE says that historical CVE records will remain available on a GitHub page, suggesting the valuable cybersecurity resource could go under unless it receives more funding.
MITRE didn’t elaborate on the funding issue. But a US government site shows that a $29 million contract to the nonprofit for a number of programs is set to expire on Wednesday. Despite the funding expiring, Barsoum said in his statement: “The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”
MITRE previously told PCMag that its support for the CVE Program was sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), which operates under the Department of Homeland Security. CISA didn’t immediately respond to a request for comment.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Although MITRE is pulling back from the CVE Program, the project is also maintained with the help of numerous organizations. This includes over 400 so-called “CVE Numbering Authorities” such as Google, Apple, and Microsoft, which can issue CVE numbers and already routinely roll out their own patches.
The CVE Program has also transitioned to its own board following years of direct management under MITRE. “The board runs the program, the board makes all the programmatic decisions, MITRE enables all those decisions with us,” explained Shannon Sabens, a current board member, in a 2021 podcast.
In addition, CyberScoop reports that the CVE program has built up its resiliency over the years, which could soften the blow from any funding cuts. Still, the abrupt ending of MITRE’s support is triggering fears the CVE program might collapse without a central authority to help administer it.
Recommended by Our Editors
Casey Ellis, founder at bug bounty platform Bugcrowd, said: “Hopefully this situation gets resolved quickly. CVE underpins a huge chunk of vulnerability management, incident response, and critical infrastructure protection efforts. A sudden interruption in services has the very real potential to bubble up into a national security problem in short order.”
Without the CVE program, security researcher Navid Fazle Rabbi noted that “private cybersecurity firms may step in to provide vulnerability tracking services, potentially leading to proprietary systems that may not be freely accessible or standardized.”
Tim Peck, a threat researcher at Securonix, also said: “One of these consequences could be that the CNAs (CVE Numbering Authorities) and researchers may be unable to obtain or publish CVEs in a standardized manner. This would delay vulnerability disclosures and affect coordinated disclosure timelines. Notes on patching and remediations could be delayed offering a greater window of time to attackers to engage in exploitation.”
Meanwhile, the National Institute of Standards and Technology maintains its own vulnerability database that’s designed to provide more details about a flaw. But NIST has been facing a growing backlog.
About Michael Kan
Senior Reporter
