CVE Foundation
79 comments
April 16, 2025 · alexmorley
Shank
Are there any non-Forbes sources that confirm this?
shagie
https://www.itpro.com/security/confusion-and-frustration-mit...
> However, in an updated statement, the agency revealed it intends to maintain the database in a bid to prevent a lapse in CVE services.
> “The CVE Program is invaluable to the cyber community and a priority of CISA,” a spokesperson said.
> “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
Searching for that last passage:
https://www.bleepingcomputer.com/news/security/cisa-extends-...
> "The CVE Program is invaluable to cyber community and a priority of CISA," the U.S. cybersecurity agency told BleepingComputer. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."
And https://www.reuters.com/world/us/us-agency-extends-support-l...
> WASHINGTON, April 16 (Reuters) - U.S. officials have said at the last minute that they're extending support for a critical database of cyber weaknesses whose funding was due to run out on Wednesday.
> The planned lapse in payments for the MITRE Corp's Common Vulnerabilities and Exposures database spread alarm across the cybersecurity community. The database, which acts as a kind of catalog for cyber weaknesses, plays a key role in enabling IT administrators to quickly flag and triage the myriad different bugs and hacks discovered daily.
chris_wot
Let me guess, Elon's DOGE crew were part of this and screwed up yet another thing that is essential for U.S. security?
plasma_beam
It hasn't posted to FPDS yet: https://www.fpds.gov/ezsearch/fpdsportal?q=PIID%3A%2270RCSJ2...
Assuming this is the correct contract, which it appears to be, it had an option period starting today through March of next year. DHS just needed to exercise the option.
DeepYogurt
Main page news on https://www.cisa.gov/
marcusb
Just social media posts, with claims they received the info from CISA https://infosec.exchange/@metacurity/114347467581760027
Supposedly, MITRE will make a statement today. Time will tell.
Edit - it is MITRE, not CISA, which the poster expects to make a statement.
ForOldHack
This was 0 minutes ago. Glad to see how important CVE is to security personnel.
hobofan
To all the comments doubting the legitimacy:
Here is a LinkedIn post by one of the CVE board members (literally the first one on the list here[0]): https://www.linkedin.com/posts/peterallor_cve-foundation-act...
I'm sure if you look at some of the contact information of other CVE board members and their broadcasting platforms you will also find something.
layer8
Tod Beardsley seems to confirm it as well: https://infosec.exchange/@todb
Xunjin
Ngl, I would love a more “clear confirmation” he just boosted and posted a meme.
hobofan
He boosted a post that is 1:1 an announcement of the project.
How much more of a "clear confirmation" do you want? An announcement from their non-existent personal press secretaries that just says the exact same text as that post he boosted?
I think people here need to take a step back and realize that the people and board involved here are more like Linux kernel maintainers that are not generally public figures and not C-level executives of a Fortune 500 company.
Yes, since it's cybersecurity a bit more caution than usual is probably warranted, but it's not like the CVE DB has gone offline and everyone is currently scrambling to find the new legitimate replacement. Let's let this situation breathe for a few hours/days instead of being overly cautious and spending all energy on skepticism.
dang
Related ongoing threads:
CVE program faces swift end after DHS fails to renew contract [fixed] - https://news.ycombinator.com/item?id=43700607
Replacing CVE - https://news.ycombinator.com/item?id=43708409
Vox_Leone
I think it's time the biggest players in the software industry step up, maybe through a formal consortium. This model would make sense because they benefit the most. Big tech companies rely on CVEs to secure their own products;
They have the means. With their massive revenue and dedicated security teams, these companies could easily fund CVE operations. A consortium approach spreads responsibility fairly;
Shared responsibility, shared benefits. Security is everyone's problem.
jpleger
Hahaha, CVE was created because industry refused to track and report on things in a consistent and transparent manner. When given the option, business will almost always choose the easy path, and things like vulnerability management programs will be set back years if not decades when the external accountability goes away.
In general, lawyers and CTOs would probably love to see CVE go away or be taken over by industry.
Source: been working in security for 20+ years.
SOLAR_FIELDS
Because CVE means accountability. It’s very easy to shift accountability onto someone for an unpatched CVE. If given the chance to escape that accountability I’m sure every megacorp would jump at it.
anon6362
Yup. I'd say around 15% of very severe incidents are ever announced publicly. In most cases, the default is cover-up and hope no one finds out.
To anyone who thinks a libertarian/anarcho-capitalist/Network States "utopia" of Retire All Gubberment Employees (RAGE) is a "good thing", think about air, water, and soil pollution from sewage to arsenic to particulates to lead to radioactivity. Greedy sociopaths DGAF who they hurt, which is perhaps why James Madison observed: "If all men were angels, no government would be necessary." Obviously, this is not human nature and so some laws, enforcement, and regulators are required indefinitely. Anyone who tells you differently isn't a serious person.
blitzar
> biggest players in the software industry step up
While they are at it maybe chuck $5 to the dev maintaining the open source package that your trillion dollar corporation relies on, that your 50,000 leetcoders can't figure out how to write or live without.
nonrandomstring
The last people I am ever going to trust about matters of security is US BigTech. Consortium or not. This idea has no legs. We absolutely need an international cyber threat intelligence network, with many checks, balances and oversights. If we're going to ask "who funds it?" then we need to ask "who really benefits from a technology industry?"
_DeadFred_
Funny people keep saying the government should 'move fast and break things' like Facebook, and leave out that Facebook has committed to $60 billion to $65 billion in expenses to do that process this year. But somehow when it's government moving fast and breaking things that also somehow includes 'having minimal expense'. Something something "Fast, Cheap, or Good, pick two." something something.
HelloNurse
As this is security, assume the worst: it isn't legit unless MITRE confirms a handover, and even in that case there's ample room for questioning.
bildiba
I haven't been actively monitoring for security vulnerabilities ever since I switched from system administration to software development a few decades back. These days, I just read news that talks about high profile vulnerabilities - I do see CVE a lot more than cert.
We used to look at cert: https://www.kb.cert.org/vuls/ I just did a quick search to confirm that it is still there.
What's the difference/relationship between the two?
iterance
The primary difference is that CVE was unexpectedly killed by the US Government yesterday and the program terminates today.
readthenotes1
How is the failure to renew a contract "unexpected"?
Contracts have end dates. All parties on the contract know them.
Wingy
I expect they didn’t see it not being renewed coming because the contract was renewed every time for the past 25 years.
rdl
Curious what the MITRE budget was. CISA funding for the CVE program isn't specifically broken out but "tens of millions of dollars per year" is what I've seen, which seems excessive, despite the CVE program being important.
sjones671
$40 million per year.
Centigonal
For the whole CVE database? That's a steal! One breach of a Capital One or similar destroys orders of magnitude more value.
bane
Hear me out, I wonder if the need for a decentralized database of data like this might be an actual good use for block chains?
Requires consensus
Immutable
Distributed
A user who needs the CVE database thus just needs to grab a copy of the ledger off of bit torrent or wherever and parse it for all data or updates, etc. It's not like CVEs get lots of updates, and you need to keep track of all of them forever anyways. Updates could be handled by just adding another entry to the chain, and bad actors couldn't really tamper with it.
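The tamper-evidence property this comment is after, as an added example that is not from any commenter in the thread: a hash-chained, append-only log of CVE records, using constructed placeholder records (the `CVE-0000-*` ids are made up, not real entries). It shows what a plain hash chain gives a mirror operator (an in-place edit is detected) and what it does not (silently dropping the newest entries passes verification unless the user also checks a published head hash), which is exactly the gap a consensus layer or a signed checkpoint would have to fill. The record fields and the `verify`/`current_view` helpers are assumptions for this example.

```python
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # previous-hash value for the first entry

# Constructed sample records (placeholder ids, not real CVEs).
# The third entry is an *update* to the first: updates are new entries, never edits.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "summary": "example overflow in parser", "cvss": 7.5},
    {"id": "CVE-0000-0002", "summary": "example auth bypass", "cvss": 9.8},
    {"id": "CVE-0000-0001", "summary": "example overflow in parser", "cvss": 7.5,
     "state": "REJECTED"},
]


def canonical(record: dict) -> bytes:
    """Deterministic encoding so every mirror hashes a record identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: dict) -> str:
    """Each entry commits to its predecessor, so the chain cannot be edited in the middle."""
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


def append(chain: list, record: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev, "record": record, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry


def verify(chain: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is consistent (and ends at expected_head, if given).
    Otherwise return the index of the first failing entry; len(chain) means the
    chain is internally consistent but does not match the published head."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


def current_view(chain: list) -> dict:
    """Latest record per CVE id, replaying the log in order."""
    view = {}
    for e in chain:
        view[e["record"]["id"]] = e["record"]
    return view


def build_sample_chain() -> list:
    chain = []
    for r in SAMPLE_RECORDS:
        append(chain, r)
    return chain


def demo() -> dict:
    """Exercise the two failure modes a mirror user cares about."""
    chain = build_sample_chain()
    head = chain[-1]["hash"]  # what a publisher would announce out of band
    results = {"intact": verify(chain, head)}

    # 1. An entry edited in place: detected at that entry's index.
    tampered = copy.deepcopy(chain)
    tampered[0]["record"]["cvss"] = 1.0
    results["edited"] = verify(tampered, head)

    # 2. The newest entry dropped (an update quietly censored): the chain still
    #    verifies on its own, and is only caught by comparing against the head.
    truncated = chain[:-1]
    results["truncated_no_head"] = verify(truncated)
    results["truncated_with_head"] = verify(truncated, head)
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting: the chain alone makes tampering evident, not impossible, and it says nothing about which head is the legitimate one. A central publisher plus mirrors can cover that with a signed head hash; a blockchain covers it with consensus. Which of the two you need is the actual question the thread is arguing about.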
sph
It does not require consensus. It does not require immutability. It’s simply advisory data. There is no gain if one owner decides to censor or tamper with their stored CVE data, apart from annoyance for its users.
You’ll be quite fine with a centralised database and mirrors. We have been fine with that until now.
All that we need is data to be freely available, shared and possibly that other institutions offer to catalogue software vulnerabilities to have some kind of redundancy and duplication.
bane
Almost none of what you've said is correct regarding the use and purpose of the CVE database.
FateOfNations
As somewhat of an aside, this development doesn't necessarily mean much in the way of changes to the way the program is currently run. The foundation can act as a conduit/collection point for funding from industry, with the program remaining run under a contract with MITRE.
relistan
Hopefully this is legit. There is no real info. They say both that they are responding to the announcement and that they have been planning it for a year. I doubt that the last part was intensely planned or they’d likely have announced something sooner.
I suspect some likely fracturing of efforts here. Would be great if everyone did get behind a single solution. I’m not sure if this is it. A US-based non-profit is not maybe the best solution.
inktype
Comments are understandably negative as the press release has very little information, but I clicked vouch because I have a reason to believe it is legitimate
edent
Care to share your reason with the rest of the class?
ForOldHack
The Chinese, and Russians who share data with the N Koreans are prowling around like an oversexed pack of boy scouts 24 hours a day, 7 days a week, and not a single one took Easter week off. Worried?
CrowdStrike turned into the worst piece of garbage since waferlocks...
The single most profitable source of foreign funds for N Korea turns out to be stolen vit-xoins, while gov officials are forcibly removed from their desks...
What. Me. Worry?
__MatrixMan__
Packs are for cub scouts. It would be an oversexed troop.
[deleted]
Edit suggests the contract has been renewed last minute.
https://www.forbes.com/sites/kateoflahertyuk/2025/04/16/cve-...