topic Re: QUICK NOTE: A potential shutdown or disruption of the CVE database—maintained by MITRE in Industry News

QUICK NOTE: A potential shutdown or disruption of the CVE database—maintained by MITRE

Kyaw_Myo_Oo — Wed, 16 Apr 2025 14:49:15 GMT

Dear All,

A potential shutdown or disruption of the CVE (Common Vulnerabilities and Exposures) database—maintained by MITRE (https://cve.mitre.org/)—is rightly raising alarms across the cybersecurity community. While this may sound like a technical issue, it has SERIOUS implications for business risk, operational resilience, and national security.

MITRE warns that funding for critical CVE program expires today

If the CVE database were to become unavailable or unreliable, what alternative sources of vulnerability information do you believe cybersecurity professionals would need to rely on? What are the potential pros and cons of these alternatives?

Updated info : CISA extends MITRE-backed CVE contract hours before its lapse

Share your perspectives and insights. I'm eager to hear more insights from other members of the community

Let's make this a vibrant exchange of ideas. All perspectives welcome!

Re: QUICK NOTE: A potential shutdown or disruption of the CVE database—maintained by MITRE

ericgeater — Wed, 16 Apr 2025 12:17:23 GMT

It will be interesting to hear some alternative solutions, if our government chooses to not roll back this incredibly short-sighted decision.

Re: QUICK NOTE: A potential shutdown or disruption of the CVE database—maintained by MITRE

Spirnia — Wed, 16 Apr 2025 12:33:28 GMT

If funding doesn't come through...

There are alternatives to consider.

NIST has the National Vulnerability Database, NVD: https://nvd.nist.gov/vuln/search

And there's also https://www.cve.org/

Re: QUICK NOTE: A potential shutdown or disruption of the CVE database—maintained by MITRE

Kyaw_Myo_Oo — Wed, 16 Apr 2025 14:50:22 GMT

I appreciate your insights and for sharing your time with us @Spirnia.

Re: QUICK NOTE: A potential shutdown or disruption of the CVE database—maintained by MITRE

Kyaw_Myo_Oo — Wed, 16 Apr 2025 15:02:12 GMT

Dear All,

CISA’s announcement of the Tuesday night extension came just hours after a subset of the CVE Board said it plans to break off to maintain the program under a new body called the CVE Foundation.

“Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract,” the foundation’s announcement said. “While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.”

Nextgov/FCW has asked MITRE for comment. It’s unclear how long the current extension will remain valid before CISA must initiate a new contract process in line with federal laws.

Updated info : CISA extends MITRE-backed CVE contract hours before its lapse

Re: QUICK NOTE: A potential shutdown or disruption of the CVE database—maintained by MITRE

ericgeater — Wed, 16 Apr 2025 16:53:57 GMT

From CISA's twitter account, April 16:

Re: QUICK NOTE: A potential shutdown or disruption of the CVE database—maintained by MITRE

Kyaw_Myo_Oo — Wed, 16 Apr 2025 17:38:18 GMT

Thanks for sharing @ericgeater.

Re: QUICK NOTE: A potential shutdown or disruption of the CVE database—maintained by MITRE

dcontesti — Thu, 17 Apr 2025 13:29:25 GMT

I just received this from an alternate source;

https://euvd.enisa.europa.eu/

An alternate to CVE

Re: QUICK NOTE: A potential shutdown or disruption of the CVE database—maintained by MITRE

Kyaw_Myo_Oo — Fri, 18 Apr 2025 06:40:46 GMT

Your contribution is appreciated @dcontesti.

Re: QUICK NOTE: A potential shutdown or disruption of the CVE database—maintained by MITRE

learningdaily — Thu, 08 May 2025 13:50:00 GMT

@Spirnia Thanks for suggesting the potential alternatives, but this affects both of the items you suggested.

NIST NVD - it is my understanding from reading this page that the NVD 'enriches' data from the CVE Database, so it may not be a replacement.

cve.org is the program that the OP is refering.

Perhaps a better alternative is https://euvd.enisa.europa.eu/, but let's hope the CVE Foundation gets off the ground as a non-profit so no government could shutdown the service.