Mastodon Feed: Post

Boosted by slightlyoff@toot.cafe ("Alex Russell"):
briankrebs@infosec.exchange ("BrianKrebs") wrote:

I boosted several posts about this already, but since people keep asking if I've seen it....

MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration Program, will expire on April 16. The CVE database is critical for anyone doing vulnerability management or security research, and for a whole lot of other uses. There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the US government, which is a major consumer of this information, btw.

I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April.

https://www.usaspending.gov/award/CONT%5FAWD%5F70RCSJ23FR0000015%5F7001%5F70RSAT20D00000001%5F7001

MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject

Yosry Barsoum, vice president and director at MITRE's Center for Securing the Homeland, said:

“On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”

MITRE | SOLVING PROBLEMS FOR A SAFER WORLD

April 15, 2025

Dear CVE Board Member,

We want to make you aware of an important potential issue with MITRE’s enduring support to CVE.

On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire. The government continues to make considerable efforts to continue MITRE’s role in support of the program.

If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.

MITRE continues to be committed to CVE as a global resource. We thank you as a member of the CVE Board for your continued partnership.

Sincerely,

Yosry Barsoum
VP and Director
Center for Securing the Homeland (CSH)

7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000