Global security vulnerability database gets 11 more months of funding

Posted in iOS, edited April 16

After the U.S. government initially cut its funding of the CVE database, which is used to track security vulnerabilities in operating systems and software, CISA has said the database will continue to be funded for at least another 11 months.

[Image: blue background with a circle of white computer code surrounding an empty space]
The loss of CVE would make it harder to track vulnerabilities



Early on Wednesday, it was reported that the Common Vulnerabilities and Exposures (CVE) database had lost its funding. Within hours, that funding had been restored for just under one more year.

CVE is an important part of modern cyber security. It is a central catalog of publicly known vulnerabilities in operating systems and applications, each given a unique identifier, so that flaws which hackers and malware can abuse to attack targets can be tracked consistently.

On Tuesday, the defense non-profit MITRE Corporation said its contract to maintain the CVE database would expire on Wednesday. The Common Weakness Enumeration (CWE) program would lose its funding at the same time.

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed to Reuters that the contract was ending. The U.S. Department of Homeland Security, parent organization of CISA, funded the contract.

At the time, CISA added that it was working to mitigate the impact and to maintain CVE services as far as possible. It did not say then whether it would formally take over the database, but it has since confirmed that CVE will remain live.

11 more months

CISA told BleepingComputer that the agency executed an option period on the contract on Tuesday night that would ensure no lapse in CVE services.

That period is understood to be 11 months long, but there is no guarantee that it will be extended further. CISA will probably use the window to prepare for whatever follows, whether that is a shutdown of the database or a migration to another entity entirely.

Critical system, big impact



CVE is a critical part of the security ecosystem, and one Apple relies on. Many security updates for iOS and macOS reference CVE identifiers, letting researchers know which issues have been fixed and which vulnerabilities have been closed.

As a central database that developers and researchers consult, it minimizes duplicate listings and duplicated work, so researchers can more easily collaborate on issues. It has also become the standard way vulnerabilities are referred to throughout the security industry.

The initial reports of the funding loss were met immediately by security researchers and others in the field with a near-universal outcry that this would be bad for security in general.

Former CISA director Jen Easterly wrote on LinkedIn that the potential shutdown of the CVE database has serious implications for business risk and national security. Likening it to a Dewey Decimal System for cybersecurity, she said its loss would be profound for researchers.

"Just like librarians trying to find a book in a disorganized library, cybersecurity professionals would be trying to defend your systems without knowing exactly what the threats are or where to find them," writes Easterly.

The former agency head added that the loss of CVE would mean an increased risk of breaches and ransomware, higher costs for security, and a loss of trust from consumers and regulators.

Brian Martin, a computer vulnerability historian, said there would be "an immediate cascading effect" that would harm vulnerability management globally. Computer Emergency Response Teams (CERTs) would lose their major source of vulnerability intelligence, Martin added, while companies would experience "swift and sharp pains" in their security management programs.

Updated on April 16, 2025 at 2:34 P.M. Eastern with the funding extension announcement.




Comments

  • Reply 1 of 6
    Ransomware...a form of extortion. And which countries are currently run by administrations that like to use extortion as part of their modus operandi? 
  • Reply 2 of 6
DAalseth (Posts: 3,284, member)
    The very definition of penny-wise and pound foolish. 
  • Reply 3 of 6
    I'd encourage everyone to write their Congressman and Senators about this.  This should not be a partisan issue.  
  • Reply 4 of 6
coolfactor (Posts: 2,379, member)
    Good. This should be a globally-funded nonprofit effort, not dependent on government funding.
  • Reply 5 of 6
bulk001 (Posts: 828, member)
  • Reply 6 of 6
shamino (Posts: 549, member)
    Sounds like a perfect use for blockchain technology.

    Migrate the CVE database to a blockchain and encourage multiple entities (tech companies, cloud providers and security-focused non-profits in addition to government agencies) to host mirrors.  There's really no reason something like this should be controlled by a single government-funded organization.  Especially when government programs (of all kinds) can (and always could) be canceled at the drop of a hat.