CVE program faces swift end after DHS fails to renew contract

https://www.enisa.europa.eu/news/another-step-forward-toward...

OSV is made by Google/Alphabet and therefore also prone to Trump intervention (see Gulf of Mexico executive order).

The circl.lu might be actually a potential cooperation partner.

(Vuldb is down right now)

I don't think the EU has any interest in this. They've been aware of the risk of relying on the US for software security for years, but AFAIK there have been no efforts to do anything about it. Maybe the current situation will kick some butts into gear ...

Off topic: your username is very appropriate given the situation.

MITRE is a non-profit. All the EU has to do is reach out to MITRE and be willing to fund the project.

This should be work for the ENISA: https://www.enisa.europa.eu/

https://www.enisa.europa.eu/topics/vulnerability-disclosure

They have a tender going on tracking best practices: https://www.enisa.europa.eu/procurement/vulnerability-disclo...

So they will take 12 months to selected for the tender...18 months pondering on the report...and in 3 years they make a tender out for a solution...

This would be hilarious. That would be a good thumb in the eye to the current administration who complained long and loud about how Obama let ICANN leave US possession. Just imagine the campaign commercials in 2026,

>The POTUS transferred our cyber defenses to the EU

Ouch

[dead]

> Sovereign Tech Fund

It's actually been upgraded to the Sovereign Tech Agency now

And maybe the sidn fund?

Codeberg might be a nice cooperation partner for hosting the git repositories. Gonna write them!

I'm also visiting the local CCC chapters here this week, maybe it makes sense to have a separate e.V. where the CCC chapters are beneficiaries?

+1 for ccc.de

Apart from the few maniacs On Here who seek out the unregulated intentionally. Raw milk (all those tasty diseases). "Research chemicals" (don't hear so much about that lately, but there were whole microdosing fads).

Will all of these things be free of micro plastics and other contaminants?

If so, is there a signup page?

Not talking about politics is itself a political position (in favor of status quo).

It’s really a question of time and place. There are many foundational topics in life, such as politics, religion, and philosophy. But it’s not always helpful or appropriate to discuss them in a particular setting.

That said, HN already has an extremely wide range of subject matter, so I wouldn’t say politics should be out of place here. It can, though, become a divisive distraction that disrupts other conversations, so I can appreciate that some limits are needed.

Everything was always political. Laws, the economy, conflcit. How is any person not affected by these? The government is responsible for all or a large part of how a country functions.

People who say "I'm not political" are deflecting to avoid conflict

Everything already was, you just didn't recognize it because it was to your benefit / in your interests.

That's because we got reliant on the funds from government. Maybe it's time to break the dependency.

Agree, but it goes both ways, with technology (that many of us here have helped create and maintain) also reaching out into every facet of society and community, many times in close symbiosis with the political powers that be, to the detriment of said society and community.

Not 100% sure what I wanted to say, maybe that said politics (and the political as a whole) wouldn't have invaded almost our entire lives without the help of technology.

> cut everything, recklessly, indiscriminately

Mostly discriminately, tbh.

Destroy, destroy, destroy. Promise to rebuild but don't. Take it all.

People will not submit vulns as happily to such business.

Most of vulns will go unaddressed because company like palantir will most likely want only really good vulns like 0-click RCE.

MITRE has a trademark on the term CVE.

[flagged]

>>They thought they voted for something different

Like what exactly? I mean the guy ran on cutting the budget by 2 trillion. In his last term he gave tax breaks yo the rich. Where did they think the cuts were coming from?

He ran very hard on raising tarrifs. Which demonstrably raise prices (thats literally their goal.) But now people claim "I didn't vote for this."

In truth they voted for him because he was the Republican on offer and they're die-hard Republican. The Republican party has made no secret of its agenda for decades.

I get it, people are good at cognitive dissonance. But this is the place for blunt truth. They voted for this. I'm not letting Republicans got off the hook here. They voted for this.

Just like to my Republican friends who are upset that CVE is cut. You voted for this. The general public benefit from CVE even though they dont know it exists. Just like you benefitted from dozens of other programs you didn't know existed, but have also been cut.

That's the problem with cuts. They ultimately end up hurting everyone.

Now clearly there's some fat that could be trimmed. Companies do it all the time. Done well its good. Swinging a hatchet in a crowded elevator does not seem like "Done well".

> They thought they voted for something different.

They voted for the leopards to eat other people’s faces, not their’s.

The ryme is Humpty Dumpty, had a great fall. Now China and Russian security forces step up their relentless attacks. Let's hope the white house falls first.

I'd say that the rhyme and reason are quite clear [0]. They published a playbook, and they are implementing it at a record pace.

> The NSC [National Security Council] staff will need to consolidate the functions of both the NSC and the Homeland Security Council (HSC), incorporate the recently established Office of the National Cyber Director, and evaluate the required regional and functional directorates.

> Given the aforementioned prerequisites, the NSC should be properly resourced with sufficient policy professionals, and the NSA should prioritize staffing the vast majority of NSC directorates with aligned political appointees and trusted career officials. - Project 2025, pg 52.

> ... History shows that an unsupervised NSC staff can stray from its statutory role and adversely affect a President and his policies. Moreover, while the NSC should be fully incorporated into the White House, it should also be allowed to do its job without the impediment of dually hatted staff that report to other offices. - Project 2025, pg 53.

The goal is to build up a political organisation to use as a weapon, and to scrap the rest - as a legal excuse to say that the political appointments will be necessary.

[0] https://www.project2025.observer/

> Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.

Out of curiosity, which programs? And is this enough to change their opinion about Trump, or do they still think it'll be worth it?

> This sort of thing is happening across the federal government. There is no rhyme or reason. DOGE has been given an unrealistic target for cuts and they're desperately cutting whatever they can get their hands on

You make it sound like poor DOGE employees are being forced to do this on this kind of schedule, which definitely isn't the impression I got. They're all a bunch of incompetent overconfident weirdos who think they know better and what to do. Is there any pressure to do anything quickly?

And the US federal budget is quite easy to trim. E.g. remove an aircraft carrier from the planned construction pipeline and you've saved $15 billion with no actual ramifications.

Remember, DOGE has nothing to do with money or "efficiency". It's a pure ideological dismantling of the Federal government aimed at eliminating oversight, regulations, assistance and entitlements as envisioned by ultra-conservatives for decades.

This isn't speculation or hyperbole, it's specifically laid out in their published plans: By hobbling or outright eliminating federal agencies responsible for executing the laws passed by Congress, the administration can circumvent the democratic process and impose their extreme vision of limited government on the country, regardless of popular support.

The U.S. system of government relies on established norms as much as it does law. Conservatives realized that they can ignore precedent with impunity if they had an executive willing to do so. They then spelled out exactly how, and are now enacting that plan.

Then SCOTUS's decisions last summer turbo boosted their agenda. The ruling that only Congress can hold the President legally accountable essentially means executive power is unchecked if the legislature is unwilling or unable to Impeach and convict. The President can now confidently ignore the law and judicial orders with a veneer of legality. And this is what he's doing.

(The fact that all this just so happens to benefit Russia after their decade long campaign to destabilize their opponents in the West is a topic for speculation.)

DOGE is about permanently altering how our country works modeled on the right wing worldview, plain and simple. Since that's their overall goal, they're not concerned where they swing the wrecking ball - it's all going to get destroyed eventually.

[flagged]

> Your words don't make any sense in this environment. The idea that any person at an agency could stand up to or convince the DOGE team of anything is preposterous.

Your comment embraces and spreads the powerlessness they want you to feel and spread.

Of course you can stop them - like any other negotiation in life, especially non-friendly ones, you need to make it in Trump's interest either by carrot or stick. Trump has interests; identify them and identify your power in those regards ('power and interest' is the term), and use it.

Also, stop helping them make DOGE the scapegoat. It's Trump.

> someone could be making a profit on this

Yes, there are apparently various ways of profiting from vulnerabilities. The interesting question would be whether any of the regime insiders have a way to profit.

Hanlon's razor. I also tend to impute malice to things I don't like, but I think it's hard to go past stupidity.

> it will be a lot like last time

A lot of people seemed to have had this theory, despite all the evidence to the contrary.

A lot was lost in the midterms and Supreme Court appointments.

Hopefully these 4 years energize people to vote. I know protesting and direct action and so on are also important, but the gradient is not negative for voting for every office you can vote for in every election.

We will see. I understand that money shouldn't be an issue but trust might be, no?

I assume that this comment should go somewhere else or I'm not able to decipher the message ;)

You don't need MITRE

For-profit private journaling is working really well for academia!

> you are in the business of compliance rather than security.

So, most businesses. They all need their ISO/NIST/HIPAA/etc certs.

It’s Way Better than what we had before: software vendors making even arbitrarier decisions about how to classify them.

There are far too many bad actors for us to operate as an industry with no yardstick.

Spot on. Vulnerability scanners that make up an organizational Security Score (TM) tend to operate at the wrong level of abstraction, flagging some library somewhere that never runs and has nothing to do with your production flow or architecture, or some test keys with zero security impact. Go explain that to management, because obviously the security tools are right and you are wrong. This sad state of affairs is unfortunately the best that the security industry has been able to deliver. Trying to wrangle complexity by adding more complexity is the craziest notion to me. Yes, no scoring scheme is perfect, but when the scheme introduces more noise, what have we gained (well, security vendors gain, but what have organizations gained).

Yeah like when we bundled in a .js library for client side date processing that has a CVE affecting node.js servers with high score. Our auditors don’t care they tag the whole app as high risk. It doesn’t even run on the server!

Solving this problem in a generalized way is really hard.

Maybe I have a dependency on Foo which has a critical vulnerability in a feature that I don't use. I suppress the warning and all is well. Then two weeks later someone on my team decides to use that feature, not knowing that there's a problem with it. Now we're fucked, and we'll never know because the vulnerability has been suppressed.

Don’t let the perfect be the enemy of good. It is(was?) a very useful and important system.

Trump must be receiving a lot of emails from companies wanting to fill the void, and I bet the Trumpiest of them all is going to be awarded a contract worth 10x the budget CVE had, and do a much worse job.

Most tracking tools have exception processes. But yeah, security as a product family instead of a simple score seems to be a foreign concept at most companies.

This^ and to add to that, at the very least MITRE assigned IDs which is great. Plus they did an initial scoring, which, well… will never be perfect like you said and I’m sure these things evolve throughout time and get better (not talking necessarily CVSS vX).

What a shame on this current gov. administration, if you can even call it that.

Why isn't it a good justification?

I think the question everyone in this thread should ask is: why is it the government's job to do this, especially given the prior widespread view that they're doing a bad job? Is the software industry so immiserated by poverty that it cannot organize its own distribution of security bulletins? Clearly not: GitHub already runs its own vuln tracking scheme that's better integrated with the tooling we use for open source software. The industry routinely sets up collaborations like standards bodies, information sharing groups and more. And there is as whole ecosystem of security companies to help you understand vulns in your stack.

So there seems nothing specific to CVEs that requires government involvement, but the existence of the tax funded scheme does discourage the creation of competitors that might function better.

But, to CVE or not to CVE ... that is not the question. US deficit spending is out of control. This sort of thing had to happen some day. It's what Europeans in the 2010s called "austerity" and it always makes some people scream but this graph:

https://fiscaldata.treasury.gov/americas-finance-guide/natio...

... is not sustainable. Up to 1984 overall US debt was stable. Since then its growth rate became dangerous. Debt/GDP ratio is now worse than just after WW2. The federal government is currently spending more on interest than on defense or Medicare:

https://www.crfb.org/blogs/interest-costs-have-nearly-triple...

The US is currently getting its first taste of what parts of Europe started going through in 2008, and unfortunately there's bad news: the cuts you're seeing now are mostly cosmetic. They're what can be done within the current framework of laws, sort of, with lots of bending of the rules and creative interpretations of them and maybe some oversteps. But it's just the start of what's needed. Large scale reform of the laws themselves will be required regardless of whoever wins the next elections.

There are a lot of logical fallacies. Have you heard of the sunk-cost one? Or fallacy fallacy maybe? Or ten-tendril eschatomon fallacy?

In honesty to say "logical fallacy" is spoddy, I advise against for aesthetic reason.

Is there no connection between 2025 funding cuts and previous ones? e.g. If a year of work after the previous cuts resulted in an open-data collaboration between NVD and commercial vendors to share a subset of CC0 vulnerability metadata, could that industry collective now argue for government to share (with companies) the burden of funding an open, decentralized program for CVE tracking? Commercial vendors could still offer additional metadata and analytics, over and above the public baseline.

Edit_1: found a proposed bill, April 2025, https://fedscoop.com/public-private-partnerships-bill-nist-h...

> A bipartisan bill that would establish a nonprofit foundation aimed at boosting private-sector partnerships at the National Institute of Standards and Technology was reintroduced in the House and the Senate.. the proposed foundation structure was described as replicating similar nonprofits that support public-private partnerships at other science agencies.. we encourage a strategy that leverages NIST’s leadership and expertise on standards development, voluntary frameworks, public-private sector collaboration, and international harmonization.. NIST’s funding has been in focus following a budget cut of roughly 12% to $1.46 billion in fiscal year 2024.

Edit_2: is there a shortage of database rows, or people to write a shell script? Why not pre-allocate N CVE IDs for every CNA, while a new plan is worked out? At least one random commercial vendor could foresee the shutdown early enough to reserve CVEs.

> Garrity posted on LinkedIn, “Given the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025,” adding that Vulncheck “will continue to provide CVE assignments to the community in the days and weeks ahead.”

Yes, NVD funding cuts and a growing CVE backlog began in late 2023.

May 2024, https://therecord.media/nist-database-backlog-growing-vulnch...

> Moving forward, cybersecurity companies will have to “fill the void” .. NVD said in April [2024] that it is “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” .. CISA acknowledged the concerns and outrage of the security community and said it is starting an enrichment effort called “Vulnrichment," which will add much of the information described by Garrity to CVEs.

The second VulnCon event took place last week and no silver bullet has appeared, https://ygreky.com/2025/04/vulncon-2025-impressions/

  Vulnerability enrichment was mentioned in many talks. However, most organizations seem to handle it internally. There doesn’t appear to be momentum toward a shared or open source solution – at least not yet.

Both CVE (MITRE contract) and NVD are funded by NIST, https://www.securitymagazine.com/articles/100795-understandi...

> Since February 2024, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) has encountered delays in processing vulnerabilities.. caused by factors such as software proliferation, budget cuts and changes in support.. NIST, an agency within the United States Commerce Department, saw its budget cut by nearly 12% this year.

What is incorrect about the post above? There are citations from multiple reputable news outlets for each claim.

People who actually work with CVEs have been posting about this problem on HN for 18 months.

Why do you post this on a comment that is neither of those things then?

important to note: the US's food safety is already really bad. salmonella isn't a thing you have to worry about in first world countries. can't wait to see what plague demon spawns out of a food industry running amok after the FDA gets gutted.

the guy is ultimate small gov. he wants to rip it out by the roots.

> surely they can spare 0.01% of their revenue

They would, if we made companies pay their taxes.

Yes, you can also run such a system based on donations. But I personally think that such a system is important enough to be paid for by the government. When you run on donations, there will always be conflicts of interest and the risk of running out of funds.

But yeah, Mitre being a private organization that was paid for by the government was a problem.

Yes, I'm sure corporations funding the CVE system would go wonderfully. "It would be best if we don't see any severe CVEs for our products this quarter, if you want our funding next quarter."

April 2024 article on the result of NVD funding cutbacks, with comments by Linux Foundation OpenSSF, security startups like ChainGuard and commercial vendors, https://www.securityweek.com/cve-and-nvd-a-weak-and-fracture...

  Threat intelligence firm Flashpoint noted in March 2024 it was aware of 100,000 vulnerabilities with no CVE number and consequently no inclusion in NVD. More worryingly, it said that 330 of these vulnerabilities (with no CVE number) had been exploited in the wild.. Since the start of 2024 there have been a total of 6,171 total CVE IDs with only 3,625 being enriched by NVD. That leaves a gap of 2,546 (42%!) IDs.

This neo-liberal approach has no place for soft diplomacy, which is what US hegemoney relies on.

This isn't just a rapid disassembly of economic structures, any trust and goodwill is completely obliterated as well.

I still find it wild that so many people are trying to frame these decisions through a political lens. This is the actions of a foreign bad actor dismantling critical institutions from within, not "bad policy".

Surely there's an antibody response.

Force of habit. We don't have a framework for talking under these circumstances, so we apply our outdated ones.

As you say, that's exactly what got us here. But the alternatives are very unclear, and seem deeply unpleasant.

It is the belief that it is not in good faith that makes it more important that you try to steelman it.

If the steelmanning fails then you can you can be even more confident that it is in bad faith.

>> I'm trying to steelman

> Why?

It's a sensible practice and good practice

Imagine being eaten alive by a cackling hyena that ambushed you and all the while being like "hmm what is the appropriate steelman here? why do I deserve this? why is this just?"

In reality this would never happen so all these people playing steelman are just detached/insulated.