Trump defunded the CVE program, the global de facto standard for software vulnerability tracking

mikeymikec · Thursday at 8:00 AM

MITRE-backed cyber vulnerability program to lose funding Wednesday

Organizations across industry, government, national security and critical infrastructure rely on the CVE Program, which serves as the de-facto global standard for vulnerability identification and management.

www.nextgov.com

CVE, global source of cybersecurity info, was hours from being cut by DHS

Board members have launched a nonprofit to take over the program from MITRE.

arstechnica.com

The mind boggles.

dank69 · Thursday at 8:25 AM

Barron will keep us all safe.

brycejones · Thursday at 8:42 AM

so was this waste, fraud, or abuse?

Right now while the orange monkey distracts everyone Voight and his minions are breaking as much shit as they can.

Pens1566 · Thursday at 9:02 AM

Oh my. This is going to be utterly terrible.

hal2kilo · Thursday at 11:53 AM

mikeymikec said:
MITRE-backed cyber vulnerability program to lose funding Wednesday

Organizations across industry, government, national security and critical infrastructure rely on the CVE Program, which serves as the de-facto global standard for vulnerability identification and management.

www.nextgov.com

CVE, global source of cybersecurity info, was hours from being cut by DHS

Board members have launched a nonprofit to take over the program from MITRE.

arstechnica.com

The mind boggles.

Let's throw away all of the locks, build a wall that has no real purpose, and make friends with our enemies. Traitor in the WH.

UNCjigga · Thursday at 12:33 PM

Just playing devil’s advocate here—but this program is pretty well established and I assume ISVs (especially MS, Facebook, Google, Amazon, Apple etc.) are more than capable of funding the program as an ongoing concern. Will this really change anything?

mikeymikec · Thursday at 12:42 PM

UNCjigga said:
Just playing devil’s advocate here—but this program is pretty well established and I assume ISVs (especially MS, Facebook, Google, Amazon, Apple etc.) are more than capable of funding the program as an ongoing concern. Will this really change anything?

I would want tech vulnerability tracking managed by an impartial body, rather than a company deciding to move the goalposts, play revisionism games, or deprioritize requests from competitors in a way that it considers to be personally beneficial, which is almost never beneficial to anyone else. Furthermore, most software companies believe that information transparency and security are mutually exclusive elements, which goes against the very core of an open vulnerability reporting system.

Government backing (normally, GQP bizarroverse aside) adds stability, the body doesn't have to worry about funding.

Mr.IncrediblyBored · Thursday at 12:42 PM

UNCjigga said:
Just playing devil’s advocate here—but this program is pretty well established and I assume ISVs (especially MS, Facebook, Google, Amazon, Apple etc.) are more than capable of funding the program as an ongoing concern. Will this really change anything?

Does it make sense to have software companies control the purse strings of an organization tasked with finding and reporting CVEs in those company's software?

UNCjigga · Thursday at 1:57 PM

Mr.IncrediblyBored said:
Does it make sense to have software companies control the purse strings of an organization tasked with finding and reporting CVEs in those company's software?

An individual company, no—but as a collective, there are tons of industry consortia that set standards for everything and are not truly regulated. I just thought this would be one instance where government funding/control isn’t necessary.

Sounds like that’s what’s happening in this case—https://www.thecvefoundation.org/home

I agree this was a ham-handed way to abruptly cancel funding without adequate warning, a public comment period, or contingency plans to properly transition to an independent foundation.

balloonshark · Thursday at 2:56 PM

Am I the only one worried about an AI created malware boom?

manly · Thursday at 3:15 PM

UNCjigga said:
An individual company, no—but as a collective, there are tons of industry consortia that set standards for everything and are not truly regulated. I just thought this would be one instance where government funding/control isn’t necessary.

Sounds like that’s what’s happening in this case—https://www.thecvefoundation.org/home

I agree this was a ham-handed way to abruptly cancel funding without adequate warning, a public comment period, or contingency plans to properly transition to an independent foundation.

You're right that they could easily pivot away from the status quo (didn't the feds already reverse this inane decision?). Even so, they won't drop the announced plans for a CVE Foundation. Trump admin is totally untrustworthy and incompetent. In the scope of the federal budget, this program doesn't even amount to bread crumbs. It's probably equivalent to the money they'll spend on a powder room for Pete Hegseth.

In semi-related news, didn't an important DoD cybersecurity group resign en masse?

Daddy Vladdy must be so proud of his lapdog Trump and we're not even 100 days in yet.

Trump defunded the CVE program, the global de facto standard for software vulnerability tracking

mikeymikec

Lifer

MITRE-backed cyber vulnerability program to lose funding Wednesday

CVE, global source of cybersecurity info, was hours from being cut by DHS

dank69

Lifer

brycejones

Lifer

Pens1566

Lifer

hal2kilo

Lifer

MITRE-backed cyber vulnerability program to lose funding Wednesday

CVE, global source of cybersecurity info, was hours from being cut by DHS

UNCjigga

Lifer

mikeymikec

Lifer

Mr.IncrediblyBored

Lifer

UNCjigga

Lifer

balloonshark

Diamond Member

manly

Lifer

TRENDING THREADS