2025-04-16 19:10:27

fiatjaf on Nostr:

This thing looks like a massive scam.

Why are hundreds of people employed to keep a database of bugs?

And then they make a giant drama once their massive government funding gets cut.

MITRE’s CVE program is a foundational pillar of the global cybersecurity ecosystem and is the de facto standard for identifying vulnerabilities and guiding defenders’ vulnerability management programs. It provides foundational data to vendor products across vulnerability management, cyber threat intelligence, security information and event management, and endpoint detection and response.

Although the National Institute of Standards and Technology (NIST) enriches the MITRE CVE records with additional information through its National Vulnerability Database (NVD), and CISA has helped enrich MITRE’s CVE records with its “vulnrichment” program due to funding shortfalls in the NVD program, MITRE is the originator of the CVE records and serves as the primary source for identifying security flaws.

“If MITRE’s funding goes away, it causes an immediate cascading effect that will impact vulnerability management on a global scale,” Brian Martin, vulnerability historian, CSO of the Security Errata project, and former CVE board member, wrote on LinkedIn.

“First, the federated model and CVE Numbering Authorities (CNA) can no longer assign IDs and send info to MITRE for quick publication. Second, all of that is the foundation for the National Vulnerability Database (NVD), which is already beyond struggling, with a backlog of over 30,000 vulnerabilities and the recent announcement of over 80,000 ‘deferred’ (meaning will not be fully analyzed by their current standards).”

Martin added, “Third, every company that maintains ‘their own vulnerability database’ that is essentially lipstick on the CVE pig will have to find alternate sources of intelligence. Fourth, national vulnerability databases like China’s and Russia’s, among others, will largely dry up (Russia more than China). Fourth [sic], hundreds, if not thousands, of National / Regional CERTs around the world, no longer have that source of free vulnerability intelligence. Fifth [sic], every company in the world that relied on CVE/NVD for vulnerability intelligence is going to experience swift and sharp pains to their vulnerability management program.”

Author Public Key
npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6