The contract with MITRE has been extended.<p><a href="https://www.forbes.com/sites/kateoflahertyuk/2025/04/16/cve-program-funding-cut-what-it-means-and-what-to-do-next/" rel="nofollow">https://www.forbes.com/sites/kateoflahertyuk/2025/04/16/cve-...</a><p>My guess: indefinitely.<p>DOGE might be a bunch of idiots, but in the entire DOD, there are non-idiots.
I wish this hadn't happened.<p>I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?<p>I ask this because I don't think anyone in the subject matter specialist space would have made a strong case "kill it, we don't need this" and I am sure if asked would have made a strong case "CRISSAKE WE NEED THIS DONT TOUCH IT", but I could believe senior finance would do their own research (tm) and misunderstand what they saw in how other people work with CVE, and who funds it.
> A coalition of CVE Board members launched a new CVE Foundation "to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program."<p>> <a href="https://www.thecvefoundation.org" rel="nofollow">https://www.thecvefoundation.org</a><p><a href="https://mastodon.social/@serghei/114346660986059236" rel="nofollow">https://mastodon.social/@serghei/114346660986059236</a>
The real irony here is that a lot of ycombinator founders and the people reading HN were exactly the ones making this possible and now start to wonder why the snake eats its own tail.
Weren't there major problems with the current CVE implementation, especially with the waves of script kiddies and AI tools spamming the database and the fact that projects who take security seriously have little to no say in the "score" that gets assigned?
If you work on OSS software on CVE management, then you already know that NVD funding reductions have been ongoing for more than a year.<p>April 2024, <a href="https://nvd.nist.gov/general/news/nvd-program-transition-announcement" rel="nofollow">https://nvd.nist.gov/general/news/nvd-program-transition-ann...</a><p><pre><code> NIST maintains the National Vulnerability Database (NVD).. This is a key piece of the nation’s cybersecurity infrastructure. There is a growing backlog of vulnerabilities.. based on.. an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.. We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.
</code></pre>
Sep 2024, Yocto Project, "An open letter to the CVE Project and CNAs", <a href="https://github.com/yoctoproject/cve-cna-open-letter/blob/main/cve-cna-open-letter.txt">https://github.com/yoctoproject/cve-cna-open-letter/blob/mai...</a><p><i>> Security and vulnerability handling in software is of ever increasing importance. Recent events have adversely affected many projects' ability to identify and ensure these issues are addressed in a timely manner. This is extremely worrying.. Until recently many of us were relying not on the CVE project's data but on the NVD data that added that information.</i><p>Five years ago (2019), I helped to organize a presentation by the CERT Director from Carnegie Mellon, who covered the CVE backlog and lack of resources, e.g. many reported vulnerabilities never even receive a CVE number. It has since averaged < 100 views per year, even as the queue increased and funding decreased, <a href="https://www.youtube.com/watch?v=WmC65VrnBPI" rel="nofollow">https://www.youtube.com/watch?v=WmC65VrnBPI</a>
This makes me wonder what other stuff most people don't know exists but is important to our society has quietly disappeared in the last few weeks. We know about this one because we know it's important. What are the things we don't know about?
The latest contract[1] (I hope this is the right one) for MITRE's involvement with CVE and CWE programs was USD$29.1m for the period 2024-04-17 to 2025-04-16 with optional extension of expenditure up to USD$57.8m and to an end date of 2026-04-16.<p>Seemingly MITRE hasn't been advised yet whether the option to extend the contract from 2025-04-16 to 2026-04-16 will be executed. And there doesn't appear to be any other publicly listed approach to market for a replacement contract.<p>[1] <a href="https://www.fpds.gov/ezsearch/jsp/viewLinkController.jsp?agencyID=7001&PIID=70RCSJ24FR0000018&modNumber=0&transactionNumber=0&idvAgencyID=7001&idvPIID=70RSAT20D00000001&actionSource=searchScreen&actionCode=&documentVersion=1.5&contractType=AWARD&docType=C" rel="nofollow">https://www.fpds.gov/ezsearch/jsp/viewLinkController.jsp?age...</a>
Practically speaking, how much could it cost to maintain the CVE database?<p>Given its enormous value, isn't this something that the community, especially FAANG (MAANA?) could step up and fund as a nonprofit?
It looks like the decision has been reverted, for now at least:
<a href="https://www.forbes.com/sites/kateoflahertyuk/2025/04/16/cve-program-funding-cut-what-it-means-and-what-to-do-next/" rel="nofollow">https://www.forbes.com/sites/kateoflahertyuk/2025/04/16/cve-...</a>
It’s a reckless move to cut funding so abruptly, but taking a step back from the short-term chaos, it probably <i>is</i> an anomaly that this was government funded. All of private tech relies on it, and private tech is big enough to pay for it. I hope that the trillion dollar babies consider this an opportunity to pool together to form a foundation that funds this, and a bunch of other open source projects run by one random person in Nebraska.
Is MITRE's CVE program redundant with NIST's National Vulnerability Database? I'm having a hard time telling how the two are related, or if NVD is simply performing the same service as MITRE.
Why is this sponsored by such an American gov entity?<p>I guess it's one of those things you never think about until it goes wrong.<p>The world would do well to move this kind of stuff out of the US quickly, just like ICANN and stuff.
> In a stunning development<p>Who is still stunned by these things? They want you to be stunned; they want you to tell everyone else that you're stunned to spread feelings of terror and powerlessness. If you actually are stunned, you are stunningly ignorant. If you are not and still saying it, perhaps to emphasize your unhappiness, you are a 'useful idiot'. Either way, if you are saying it, you are a useful idiot.<p>You should have known decades ago: The GOP impeached a President for lying about sex; they fabricated intelligence to invade another country (killing thousands of Americans and 100,000+ Iraqis) - and that was all before 2004. They've voted almost unanimously, multiple times, to bankrupt the country (by refusing to authorize debt for existing obligations). Nobody (i.e., the Dems failed to) stopped them or made them pay a price, so why wouldn't they keep doing those things? (Edit: And if you object because the analysis criticizes one side and therefore you reject it as partisan, that's a big part of the reason nothing was done.)<p>This time they published Project 2025, telling you what they were going to do.
The title of this article is simply false. The CVE Program is a separate entity from MITRE and is most definitely not ending. The CVE Program has been acquiring assets from MITRE for years now. That is why the main site shifted from cve.mitre.org to cve.org. MITRE has always simply been the workhorse of the program, and now that is being shifted to others (CVE foundation, which has global representation).
Some companies are already clueless when it comes to CVE management. We probably won’t see the effects immediately, but give it a few more years for a new generation of vulns to be created/found and we will be back to early-2000s-level security.<p>Open season on American corporations for domestic and foreign hackers.<p>If the program isn’t brought back, then the CVE database is likely to be fragmented amongst the “private” CVE databases.<p>Sec Corp A has 700 well-documented CVEs but Sec Corp B has 702 CVEs in their database since NIST funding was pulled. What do corps do? Maybe some of them with massive budgets set up contracts with both to get “full spectrum coverage”. Maybe other non-technical companies that think of IT as strictly a cost will go with the cheapest or forgo it altogether.<p>Who knows, maybe we get the ~~~free labor~~~ open source community to pick up the slack?<p>This country with the orange man administration is quickly going to shit. Not in an “I dislike {opposing party}” way either. In an “I dislike authoritarian regimes” way.
Including this as a prime example, the overall trend seems to be that we're going back to the bad old days where a kid gets to code the entire security infrastructure because the CEO thinks he's smart and then the bugs are covered up with legal threats (because they were able to mislead the courts), obfuscation, while being easily discoverable by 3rd parties. Another example is the way the bug bounty gimmick is run and most researchers never disclose their findings nor are they patched in any consistent manner, plus the companies threaten to sue you for disclosing even if it's 100 years later.
Reminds me of Trump's first term where he said if we stopped testing for Covid, we'd stop catching new cases and case numbers would go down. If you stop testing for vulnerabilities then vulnerabilities go down. Easy stuff.
As a newly minted cynic, this seems like a cynical play to save someone's budget.<p>Step 1: Post discreetly to a forum with minimal information and an absurdly short deadline<p>Step 2: Phone your friend, the former board member, to make your case on LinkedIn<p>Step 3: Ring up a friendly journalist and give them a tip<p>Step 4: Reference the ensuing chaos as justification for keeping your project funded<p>Note that the article carefully avoids pinning the blame on DOGE or the White House while heavily implying it. MITRE is technically a private entity, albeit a non-profit. And the very last paragraph of the article states:<p>> A CISA spokesperson told CSO, “CISA is the primary sponsor for the Common Vulnerabilities and Exposure (CVE) program… Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”<p>To be clear, the point isn't to say that the CVE program isn't valuable, nor is it to say that it's <i>good</i> for a shenanigan like this to be necessary.<p>The point is that, unless you're directly involved in this subject (not impacted—involved), it's probably best to maintain a "wait and see" attitude rather than succumb to catastrophizing this news.
I didn't realize that CVE was funded by the DHS. Isn't it better for it to be independent and not funded by an intelligence agency?<p>It's enough of a public good to have a common advisory for vulnerabilities that FAANG should just kick it a few million a year. How much can it possibly cost to run this anyway?
FWIW, I've never understood why this sort of thing wasn't just directly handled by the NSA --- aren't they the group which should be tasked with cybersecurity?<p>I always suspected that "Department of Homeland Security" would lead to Banana-republic-like shenanigans --- could we defund them?
Important update April 16, 2025: Since this story was first published, CISA signed a contract extension that averts a shutdown of the MITRE CVE program.
Believe me when I say that DOGE is filled with smart people (I know a few of them).<p>Just because they're scattershot cutting doesn't mean they're stupid.
There are quite a few threads on hackernews that were cautiously optimistic about doge with, frankly, pretty naive libertarian takes about how the government works.<p>The government is not particular (in the sense of particularism) and cannot be easily tuned to fix particular problems; rather, its best solutions come through institutional procedure and design, such as the tension between the FAA and the NTSB that, at a first glance, would seem like obviously needless duplication and waste.<p>It is a broad, blunt, wasteful instrument to solve broad, blunt problems in a way that may not be the best but that works far, far better than alternatives that have been tried.<p>That the effort to treat government like a personal budget has ended up destroying important things is a sad inevitability of such efforts. I hope it is remembered.
Am I missing something, or was this literally announced with less than 24 hours of warning that one of the critical components of the cyber security landscape was disappearing?<p>What the fuck are you supposed to do about this? This is something that should have had multiple MONTHS of warning in order to allow those who depend on the CVE infrastructure to plan what to do next with their security posture.
How much was this contract worth?<p>If it was $5000/yr, that's very different from $5M/year for what amounts to little more than an instance of mediawiki.
For now, historical CVE records will be available at GitHub:<p><a href="https://github.com/CVEProject">https://github.com/CVEProject</a>
This industry relentlessly lionized Trump and Musk, elevating them to positions of power and handing them the power to destroy at will.<p>This is your moment! Enjoy it!
If there are any Europeans here, I'd love to make my vulnerability database, which is accumulated from all Linux security trackers and the CVE/NVD, open source if I can manage to find some folks who'd help with maintenance.<p>Currently hosting costs are unclear, but it should be doable if we offer API access for like 5 bucks / month for private and 100 / month for corporate or similar.<p>Already did a backup of the NVD in the last couple of hours, currently backing up the security trackers and OVAL feeds.<p>Gonna need some sleep now, it's morning again.<p>My project criteria:<p>- hosting within the EU<p>- must have a copyleft license (AGPL)<p>- must have open source backend and frontend<p>- dataset size is around 90-148 GB (compressed vs uncompressed)<p>- ideally an e.V. for managing funds and costs, so it can survive me<p>- already built my vulnerability scraper in Go, would contribute it under AGPL<p>- already built all schema parsers, would contribute them also under AGPL<p>- backend and frontend need to be built<p>- would make it prerendered, so that CVEs can be static HTML files that can be hosted on a CDN<p>- needs submission/PoC/advisory web forms and a database/workflow for it<p>- data is accumulated into a JSON format (sources are mixed non-standard formats for each security tracker; enterprise distros use OData or OVAL for the most part)<p>If you are interested, write to me on linkedin.com/in/cookiengineer or here.
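The pipeline sketched in the comment above (parse upstream records into one normalized JSON shape, then prerender each CVE as a static HTML file for a CDN) is small enough to show end to end. The following Go program is an added example written for this thread; it is not the commenter's scraper or the CVE Program's code. It assumes the field names of the CVE JSON 5.x record format (cveMetadata.cveId, containers.cna.affected, descriptions, metrics.cvssV3_1), ignores everything else, and works on a constructed record with an obviously placeholder ID. The rendering step uses html/template, so a description pulled from a third-party tracker cannot inject markup into the prerendered page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// cveRecord models the subset of a CVE JSON 5.x record used here (assumed
// field names follow the published schema; unknown fields are ignored).
type cveRecord struct {
	CVEMetadata struct {
		CVEID string `json:"cveId"`
	} `json:"cveMetadata"`
	Containers struct {
		CNA struct {
			Affected []struct {
				Vendor   string `json:"vendor"`
				Product  string `json:"product"`
				Versions []struct {
					Version string `json:"version"`
					Status  string `json:"status"`
				} `json:"versions"`
			} `json:"affected"`
			Descriptions []struct {
				Lang  string `json:"lang"`
				Value string `json:"value"`
			} `json:"descriptions"`
			Metrics []struct {
				CVSSV31 *struct {
					BaseScore    float64 `json:"baseScore"`
					BaseSeverity string  `json:"baseSeverity"`
					VectorString string  `json:"vectorString"`
				} `json:"cvssV3_1"`
			} `json:"metrics"`
		} `json:"cna"`
	} `json:"containers"`
}

// Summary is the normalized shape an accumulated JSON dataset would store.
type Summary struct {
	ID          string
	Description string
	Affected    []string // "vendor/product version" for each affected version
	Score       float64
	Severity    string
	Vector      string
}

var cveIDPattern = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

// ParseRecord validates a raw record and reduces it to a Summary.
func ParseRecord(data []byte) (Summary, error) {
	var rec cveRecord
	if err := json.Unmarshal(data, &rec); err != nil {
		return Summary{}, fmt.Errorf("decode: %w", err)
	}
	if !cveIDPattern.MatchString(rec.CVEMetadata.CVEID) {
		return Summary{}, fmt.Errorf("malformed cveId %q", rec.CVEMetadata.CVEID)
	}
	cna := rec.Containers.CNA
	s := Summary{ID: rec.CVEMetadata.CVEID}
	for _, d := range cna.Descriptions { // first English description wins
		if d.Lang == "en" || strings.HasPrefix(d.Lang, "en-") {
			s.Description = d.Value
			break
		}
	}
	for _, a := range cna.Affected { // keep only versions marked affected
		for _, v := range a.Versions {
			if v.Status == "affected" {
				s.Affected = append(s.Affected, fmt.Sprintf("%s/%s %s", a.Vendor, a.Product, v.Version))
			}
		}
	}
	for _, m := range cna.Metrics { // first CVSS 3.1 metric wins
		if m.CVSSV31 != nil {
			s.Score, s.Severity, s.Vector = m.CVSSV31.BaseScore, m.CVSSV31.BaseSeverity, m.CVSSV31.VectorString
			break
		}
	}
	return s, nil
}

// pageTmpl is the static page layout; html/template escapes every field.
var pageTmpl = template.Must(template.New("cve").Parse(`<!doctype html>
<title>{{.ID}}</title><h1>{{.ID}}</h1><p>{{.Description}}</p>
{{if .Vector}}<p>CVSS 3.1: {{.Score}} ({{.Severity}}) {{.Vector}}</p>{{end}}
<ul>{{range .Affected}}<li>{{.}}</li>{{end}}</ul>
`))

// RenderHTML produces the prerendered page for one Summary.
func RenderHTML(s Summary) (string, error) {
	var b strings.Builder
	if err := pageTmpl.Execute(&b, s); err != nil {
		return "", err
	}
	return b.String(), nil
}

// SampleRecord is a constructed record with a placeholder ID; its description
// deliberately carries markup to show that rendering escapes it.
const SampleRecord = `{"dataType":"CVE_RECORD",
 "cveMetadata":{"cveId":"CVE-0000-00001","state":"PUBLISHED"},
 "containers":{"cna":{
  "affected":[{"vendor":"example","product":"widget","versions":[
    {"version":"1.0","status":"affected"},{"version":"1.1","status":"unaffected"},
    {"version":"0.9","status":"affected"}]}],
  "descriptions":[{"lang":"en","value":"Constructed entry <script>alert(1)</script> for testing."}],
  "metrics":[{"cvssV3_1":{"baseScore":7.5,"baseSeverity":"HIGH",
    "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}]}}}`

func main() {
	s, err := ParseRecord([]byte(SampleRecord))
	if err != nil {
		panic(err)
	}
	page, err := RenderHTML(s)
	if err != nil {
		panic(err)
	}
	fmt.Print(page)
}
```

Running it prints the page for the sample record with the `<script>` text escaped to `&lt;script&gt;`; malformed IDs are rejected before anything is written, which is the check you want in front of a scraper that ingests mixed, non-standard tracker formats.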
CVE was anti-American woke.<p>No, more seriously, just like with shutting down NOAA services, it seems the goal is to:<p>1. cut services (we saved taxpayer money!!)<p>2. at some point later: oh, we actually need those services<p>3. pay <insert your favorite vendor here, preferably one connected to Musk> to provide the service (see! we don't need to pay gov employees!!) (fine print: the vendor costs 2-3x the original cost). But by then no one is looking at the spending numbers anymore.<p>Slick moves.
Forget everything you know and consider that it might be a misguided and risky negotiation tactic.<p>Disclaimer: This is not business advice and should be read using Cartman’s voice.<p>Step 1: Announce publicly that you are not renewing your contract.<p>Step 2: If the market has viable alternatives or the service you are negotiating isn’t that hard to replicate, other actors will manifest to fill in the gaps, especially if your business is attractive. (E.g., the top comment is building an alternative; other comments point to alternative services.)<p>Step 3: Congratulations, you now have leverage for a significant discount with your previous provider because they face the real prospect of losing your business entirely to a competitor. If the competitor is private, you can even double dip by investing in their company before awarding them the contract.
There seems to be little reason for the US government to pay for this since it is vital information that a lot of companies rely upon.<p>Some form of a foundation or NGO could be given a reasonable endowment from the industry to operate the CVE program.<p>I am quite hesitant to trust the DOD to keep track of software vulnerabilities. Some parts are developing and exploiting vulnerabilities. And given a fresh feed of what people find, and usually a delay from notification until publication, which may sometimes just be a bit longer of a delay, would allow the DOD to weaponize the vulnerability for their own use as well.
I don't see why this should be publicly funded, so I don't really see an issue with this. The industry benefits from having a CVE database, so the industry should fund it.