- CVE funding gets a last-minute reprieve
- A Mitre executive told CVE board members that government funding was about to expire
- Some have called the move “ruthless and ignorant”
US government funding for CVE, the program that publicly catalogs known software vulnerabilities, will continue for the time being, despite initial reports that it would expire.
Across-the-board cuts by the US government had meant that CVE could have lost its funding, which would have significantly eroded cybersecurity for organizations of every size, from small businesses to critical infrastructure operators.
However, a CISA spokesperson revealed that the agency exercised the option period on the contract “to ensure there will be no lapse in critical CVE services”.
CVE extension
“The CVE program is invaluable to the cyber community and a priority of CISA,” the statement added.
Sponsored by the US Cybersecurity and Infrastructure Security Agency (CISA), CVE, or Common Vulnerabilities and Exposures, is a program operated by the Mitre Corporation, a US government-funded nonprofit that manages federally sponsored research and development.
The program works by assigning a unique identifier to each newly discovered vulnerability, allowing cybersecurity professionals, software developers and organizations to unambiguously identify and address flaws in software.
Nextgov says Yosry Barsoum, director of Mitre’s Center for Securing the Homeland, recently sent an internal memo to CVE board members warning of the possibility of losing funding. When the memo leaked to social media, Mitre confirmed its legitimacy.
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations and all manner of critical infrastructure,” the memo warned.
“Ruthless and ignorant”
CVE was not the only program at risk of losing government funding. Common Weakness Enumeration (CWE), another Mitre-run program, also risked losing funding at the same time. CWE is a catalog of software and hardware security weaknesses that focuses on the root causes, the underlying programming or design errors, that attackers can exploit.
Nextgov says CISA is looking at “significant cuts” across several of its teams, including among contractors. Some contracts have already been terminated, while others will simply be allowed to expire.
It is fair to say that CVE dodged a bullet, as the consequences could have been quite bleak.
House Science Committee Ranking Member Zoe Lofgren (D-Calif.) and House Committee on Homeland Security Ranking Member Bennie Thompson (D-Miss.) called the funding cut “ruthless and ignorant” and said it would undermine cybersecurity around the world.
“The Common Vulnerabilities and Exposures program ensures that every service, device and system can address discovered vulnerabilities,” Nextgov quoted their statement as saying.
“From your personal computer to the electric grid to nuclear facilities, they all depend on CVE. Ending this contract would allow malicious actors to operate in the dark. We urge the Department of Homeland Security to fully restore funding to this program before disaster strikes.”
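The identifiers the two paragraphs above describe have a fixed shape that tooling relies on: a CVE ID is `CVE-<four-digit year>-<sequence of four or more digits>` (the sequence part has had no upper bound since 2014, and the program's first year is 1999), and a CWE entry is `CWE-<integer>`. The following is an added example, not code from the article, Mitre or CISA, showing how an advisory-ingest script would pull both kinds of identifier out of free text, normalize their case, and reject malformed ones such as a too-short sequence or an impossible year. The advisory text and every identifier in it are constructed for the example, not taken from any real advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample advisory text (not from the article or any real vendor); it mixes
# well-formed, lower-case, duplicate and malformed identifiers to exercise the parser.
SAMPLE_ADVISORY = """
Vendor bulletin: a remote code execution issue (cve-2024-10001, also tracked as
CVE-2023-0001) affects the request parser. Root cause is classified as CWE-20
and cwe-79. The string CVE-2024-123 has too few sequence digits and
CVE-1998-0001 predates the program; both must be rejected. Repeated mention:
CVE-2024-10001.
"""

# CVE-<year>-<sequence>: exactly four year digits, at least four sequence digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
# CWE-<integer>.
CWE_RE = re.compile(r"\bCWE-(\d+)\b", re.IGNORECASE)
# The CVE program began assigning identifiers in 1999.
CVE_FIRST_YEAR = 1999


def normalize_cve(raw: str) -> Optional[str]:
    """Return the canonical upper-case form of a CVE ID, or None if it is malformed.

    Rejects sequences shorter than four digits (via the regex) and years before the
    program existed. Leading zeros in the sequence are preserved: CVE-2023-0001 and
    CVE-2023-1 are not the same identifier.
    """
    m = CVE_RE.fullmatch(raw.strip())
    if not m:
        return None
    year, seq = m.group(1), m.group(2)
    if int(year) < CVE_FIRST_YEAR:
        return None
    return f"CVE-{year}-{seq}"


def normalize_cwe(raw: str) -> Optional[str]:
    """Return the canonical upper-case form of a CWE ID, or None if it is malformed."""
    m = CWE_RE.fullmatch(raw.strip())
    if not m:
        return None
    return f"CWE-{m.group(1)}"


def cve_sort_key(cve_id: str) -> Tuple[int, int]:
    """Sort numerically by (year, sequence) rather than lexically."""
    _, year, seq = cve_id.split("-")
    return int(year), int(seq)


def extract_ids(text: str) -> Dict[str, List[str]]:
    """Extract de-duplicated, normalized CVE and CWE identifiers from free text.

    Malformed candidates are silently dropped so that a typo in an advisory never
    becomes a bogus identifier in downstream tracking.
    """
    cves = set()
    for m in CVE_RE.finditer(text):
        norm = normalize_cve(m.group(0))
        if norm is not None:
            cves.add(norm)
    cwes = set()
    for m in CWE_RE.finditer(text):
        norm = normalize_cwe(m.group(0))
        if norm is not None:
            cwes.add(norm)
    return {
        "cve": sorted(cves, key=cve_sort_key),
        "cwe": sorted(cwes, key=lambda c: int(c.split("-")[1])),
    }


if __name__ == "__main__":
    found = extract_ids(SAMPLE_ADVISORY)
    print("CVE:", ", ".join(found["cve"]))
    print("CWE:", ", ".join(found["cwe"]))
```

Run against the constructed bulletin, the script keeps CVE-2023-0001 and CVE-2024-10001 (the lower-case and repeated mentions collapse into one) alongside CWE-20 and CWE-79, and drops both malformed candidates. Word boundaries in the regexes stop a partial match inside a longer token, and the year floor catches identifiers that look well formed but cannot exist.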
Chris Burton, head of professional services at Pentest People, believes the community could step up in the government’s place.
“It is quite understandable that there is concern about the government withdrawing funding for the Mitre program; it is a troubling development for the security industry,” he told TechRadar Pro in an emailed statement.
“If the question is purely financial, crowdfunding could offer a viable path forward, gathering public support for a project that many believe in. If it is operational, there may be an opportunity for a dedicated community board to step in and lead. Either way, this is not the end, it is a chance to reconsider and reimagine.”
Via Nextgov