
The Common Vulnerabilities and Exposures, or CVE, repository holds the answers to some of information security's most vital questions.
Namely, which security issue are we talking about, exactly, and how does it work?
The 25-year-old CVE program, an essential part of global cybersecurity, is cited in nearly any discussion or response to a computer security issue, including Ars posts.
CVE was at real risk of closure after its contract was set to expire on April 16.
The nonprofit MITRE runs CVE and related programs (like Common Weakness Enumeration, or CWE) on a contract with the US Department of Homeland Security (DHS).
A letter to CVE board members sent Tuesday by Yosry Barsoum, vice president of MITRE, gave notice of the potential halt to operations.
"If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum wrote.
Late Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) "executed the option period on the contract" to ensure a continuation of services, CISA told security site BleepingComputer.
"We appreciate our partners' and stakeholders' patience," a CISA spokesperson was quoted as saying.
Nextgov reports that CISA's extension is for 11 months.
News reports have cited midnight on either April 15 or 16 as the potential time when CVE funding would expire.
The potential loss of crucial infrastructure for global cybersecurity led some CVE board members to launch the CVE Foundation, a nonprofit pledged to ensure a more secure future for the CVE program than the US government can provide at the moment.
"While we had hoped this day would not come, we have been preparing for this possibility," the group's press release said.
"CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself," Kent Landfield, an officer of the Foundation, said in the release.