CISA funds CVE program in the 11th hour of contract with MITRE

Editor’s note: This is a breaking news story and will be updated as details emerge.

After a 24-hour period of high anxiety for the cybersecurity industry at the prospect of losing the CVE program, the Cybersecurity and Infrastructure Security Agency (CISA) said April 16 it plans on funding the highly valued program.

CISA issued the following statement: “The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

While the news was welcome in the cybersecurity community, no further details were released.

We still don’t know the answers to the following questions: For how long did CISA fund the program? How much money was allocated? And will MITRE, which administers the program, now be able to rehire employees to work on it?

Word that the CVE program could come to an end sent shockwaves throughout the industry.

Carolyn Crandall, CMO at AirMDR, called CVE identifiers the “Rosetta Stone” for security teams around the globe.

“They enable everyone to speak the same language when tracking threats and prioritizing patches,” said Crandall. “Without this universal standard, we’d see vendors defaulting to their own naming conventions, which creates chaos and confusion.”

In addition to the reversal, a group calling itself “the CVE Foundation” announced that it was being formally established “to ensure the long-term viability, stability and independence of the Common Vulnerabilities and Exposures (CVE) Program.”

The group stated in its announcement that members of the CVE board had longstanding concerns about the sustainability and neutrality of a single government sponsor for the CVE Program; MITRE’s April 15 announcement that its contract was expiring reinforced those concerns.

The CVE Foundation is years in the making, according to the release, and “focuses solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.”

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work — from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”
