
The cybersecurity world is bracing for a potential earthquake. The MITRE Corporation, the steward of the critical Common Vulnerabilities and Exposures (CVE) program, has announced that its contract with the U.S. federal government is set to expire on April 16th, jeopardizing the very foundation of vulnerability management globally.
For over two decades, MITRE has meticulously maintained the CVE program, a comprehensive catalog of publicly known cybersecurity vulnerabilities. This resource is indispensable, serving as the bedrock for countless cybersecurity vendors, government agencies, and critical infrastructure organizations worldwide. However, a funding impasse threatens to bring this vital service to a grinding halt.
“On Wednesday, April 16th, funding to develop, operate, and modernize the [CVE] Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire,” stated Yosry Barsoum, MITRE’s vice president and director of the Center for Securing the Homeland. This announcement has sent shockwaves through the cybersecurity community.
Once the contract lapses, new CVE entries will cease, and the CVE program website, a central hub for vulnerability information, will eventually become inaccessible. While historical CVE records will be preserved on GitHub, the dynamic and up-to-date nature of the program will be lost.
The CVE program, launched in 1999 and funded by the Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security (DHS), is more than just a database. It is a critical tool for:
- Vulnerability Identification: Providing a standardized naming convention for publicly known vulnerabilities.
- Incident Response: Enabling swift and coordinated responses to security incidents.
- Vulnerability Management: Facilitating the development of patches and mitigations.
- Critical Infrastructure Protection: Safeguarding essential services from cyber threats.
“The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource,” Barsoum assured. However, the reality of the impending contract expiration paints a far more precarious picture.
CISA, the primary sponsor of the CVE program, acknowledged the contract lapse but offered little clarity on the situation. “Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely,” a CISA spokesperson stated.
However, CISA declined to answer crucial questions regarding the reasons for the contract cancellation, the future of the CVE website, and whether a new vendor would assume MITRE’s responsibilities.
In a letter to CVE program board members, Barsoum warned of “multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
The silence from CVE program board members, including representatives from the federal government and tech giants, further amplifies the uncertainty.
A source within MITRE, speaking anonymously, revealed that DHS and CISA are allowing a significant number of cybersecurity contracts to expire. This follows CISA’s recent decision to cut funding for MS-ISAC and the Election ISAC, vital organizations providing cybersecurity assistance to critical infrastructure.
The prospect of losing the CVE program has alarmed cybersecurity experts. Casey Ellis, founder of Bugcrowd, emphasized that CVE “underpins a huge chunk of vulnerability management, incident response and critical infrastructure protection efforts.”
Furthermore, the situation is compounded by recent layoffs at MITRE’s Virginia office, affecting over 400 employees, reportedly due to canceled contracts following the Trump administration’s funding cuts. This raises serious concerns about the long-term stability of critical cybersecurity programs.
The potential disruption of the CVE program is not merely a technical issue; it is a fundamental threat to global cybersecurity. As the clock ticks towards the April 16th deadline, the cybersecurity community awaits answers and solutions, hoping to avert a crisis that could have far-reaching consequences.