Dear All,
A potential shutdown or disruption of the CVE (Common Vulnerabilities and Exposures) database—maintained by MITRE (https://cve.mitre.org/)—is rightly raising alarms across the cybersecurity community. While this may sound like a technical issue, it has SERIOUS implications for business risk, operational resilience, and national security.
MITRE warns that funding for critical CVE program expires today
If the CVE database were to become unavailable or unreliable, what alternative sources of vulnerability information do you believe cybersecurity professionals would need to rely on? What are the potential pros and cons of these alternatives?
Updated info: CISA extends MITRE-backed CVE contract hours before its lapse
Share your perspectives and insights. I'm eager to hear more insights from other members of the community.
Let's make this a vibrant exchange of ideas. All perspectives welcome!
It will be interesting to hear some alternative solutions, if our government chooses to not roll back this incredibly short-sighted decision.
If funding doesn't come through...
There are alternatives to consider.
NIST has the National Vulnerability Database, NVD: https://nvd.nist.gov/vuln/search
And there's also https://www.cve.org/
I appreciate your insights and for sharing your time with us @Spirnia.
Dear All,
CISA’s announcement of the Tuesday night extension came just hours after a subset of the CVE Board said it plans to break off to maintain the program under a new body called the CVE Foundation.
“Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract,” the foundation’s announcement said. “While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.”
Nextgov/FCW has asked MITRE for comment. It’s unclear how long the current extension will remain valid before CISA must initiate a new contract process in line with federal laws.
Updated info: CISA extends MITRE-backed CVE contract hours before its lapse
From CISA's Twitter account, April 16:
Thanks for sharing @ericgeater.
Your contribution is appreciated @dcontesti.
@Spirnia Thanks for suggesting the potential alternatives, but this affects both of the items you suggested.
NIST NVD - it is my understanding from reading this page that the NVD 'enriches' data from the CVE Database, so it may not be a replacement.
cve.org is the program that the OP is referring to.
Perhaps a better alternative is https://euvd.enisa.europa.eu/, but let's hope the CVE Foundation gets off the ground as a non-profit so no government could shut down the service.