
CVE Foundation eyes year-end launch following 11th-hour rescue of MITRE program

An apparent bureaucratic contract snafu has lit a fire under experts trying to free the CVE program from the precarity of a single government funder. One rival to the existing program says it is ready to launch in December.

In late March, the nonprofit research organization MITRE celebrated the 25th anniversary of the Common Vulnerabilities and Exposures (CVE) program, a widely hailed achievement funded by the U.S. government and administered by MITRE.

The CVE program is the global bedrock of contemporary vulnerability management, cataloging publicly disclosed software vulnerabilities and assigning each a unique identifier. Until April 15, cybersecurity defenders and data scientists treated the program as a given; it had already weathered enough challenges to reach its silver anniversary.

On that day, and for reasons that are still unclear, the world learned from a leaked memo signed by MITRE executive Yosry Barsoum that the Cybersecurity and Infrastructure Security Agency (CISA) had not signed a contract extension with MITRE for its CVE program funding and that the effort would come to a halt in approximately 36 hours.

About 17 hours later, CISA reversed course with an 11-month contract extension, ensuring no immediate disruption in the critical program.


When it appeared the program would end, cyber defenders panicked. “Did it scare everyone?” vulnerability expert Peter Allor asked rhetorically when speaking with CyberScoop as an officer of the newly formed CVE Foundation. “Absolutely. Why? Because it was so sudden, it was the 11th hour, 59th minute. It gave a doomsday feel to it.”

Since then, industry organizations have scrambled to move this foundational effort away from its dependence on a single funder. “That little threat of defunding caused people to wake up,” Sasha Romanosky, senior policy researcher at the RAND Corporation, told CyberScoop. “It lit this spark of energy under people in a way I haven’t seen before.”

Along the way, a schism seems to have emerged between CVE experts who want to keep the CISA-MITRE funding mechanism, albeit with greater participation by new parties, and those who believe it is time to move the system to a private-sector funding model that removes the U.S. government as the central body and opens the door to a much broader endeavor.

So, what happened?

It’s unclear how CISA’s funding of the CVE program seemingly came close to ending. Experts think it was simply a case of contract negotiations gone sideways.


“I don’t think they had their act together,” Allor said, referring to the Department of Homeland Security, CISA, and MITRE. “I just think that they were trying to figure out how they were going to negotiate with one another, and the three parties were trying to figure out how that worked.”

Several other experts liken the situation to a previous CVE-related funding lapse that affected, and continues to affect, the functioning of the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD). The NVD republishes MITRE’s CVE records enriched with severity scores (CVSS), affected-product identifiers (CPE) and weakness classifications (CWE), and is the primary source of CVE information for a good portion of the cybersecurity industry.

“This played out exactly like the NVD issue played out,” Jerry Gamblin, an expert in the CVE ecosystem, told CyberScoop. “That contract just kind of expired, and people started asking, ‘Hey, why did that contract expire?’ And there is still no good answer on why they let that contract lapse.”

On April 23, Matt Hartman, CISA’s acting executive assistant director for cybersecurity, denied that the MITRE program came close to collapse, saying press reports “inaccurately implied the program was at risk due to a lack of funding.”

“To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse,” he said. “There has been no interruption to the CVE program, and CISA is fully committed to sustaining and improving this critical cyber infrastructure.”

Shifting the sector away from US government funding

Immediately following the contract imbroglio, alternatives to the CVE program sprang into view. First, the European Union Agency for Cybersecurity (ENISA) unveiled its alternative, the EUVD, or the European Union Vulnerability Database, in beta.

Similar to NIST’s NVD, the EUVD organizes disclosed bugs by their CVE-assigned unique ID, documents their impact, and provides vulnerability information from multiple sources, including advisories supplied by vendors and CSIRTs (such as the members of the EU CSIRTs network), as well as other relevant stakeholders.

Another European initiative thrust into the spotlight is the GCVE: Global CVE Allocation System, developed by CIRCL.eu, the Computer Incident Response Center in Luxembourg. The GCVE is a new, decentralized system for identifying and numbering security vulnerabilities: rather than routing every assignment through one central authority, it lets independent numbering authorities (GCVE Numbering Authorities, or GNAs) allocate GCVE identifiers within their own namespaces.
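Anyone who ingests records from more than one numbering scheme has to decide when two identifiers name the same bug. The following is an added example, written for this page and not code from MITRE, CIRCL or ENISA: a small normaliser that validates CVE and GCVE identifiers and merges records that refer to one vulnerability. It assumes the CVE syntax CVE-<4-digit year>-<4 or more digits>, the GCVE syntax GCVE-<GNA id>-<year>-<sequence>, and that GNA id 0 is the compatibility namespace mirroring CVE, so GCVE-0-<year>-<n> is the same record as CVE-<year>-<n>; the sample feed is constructed for the example.

```python
"""
Added example (not from the article, MITRE or CIRCL): validate CVE and GCVE
identifiers and reconcile records that name the same vulnerability under
different schemes, so a pipeline consuming several feeds does not carry
duplicate entries for one bug.

Assumptions, labelled because the article does not spell them out:
  * CVE ids are CVE-<4-digit year>-<4 or more digits>.
  * GCVE ids are GCVE-<GNA id>-<4-digit year>-<digits>, the GNA id being the
    numbering authority that allocated the entry.
  * GNA id 0 mirrors the CVE namespace: GCVE-0-Y-N is the same as CVE-Y-N.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d+)$")


@dataclass(frozen=True)
class VulnId:
    scheme: str  # "CVE" or "GCVE"
    gna: int     # numbering authority; 0 is the CVE-compatible namespace
    year: int
    seq: int

    def canonical(self) -> str:
        """Canonical form; GNA 0 collapses to the plain CVE identifier."""
        if self.gna == 0:
            return f"CVE-{self.year}-{self.seq:04d}"
        return f"GCVE-{self.gna}-{self.year}-{self.seq:04d}"


def parse_vuln_id(text: str) -> Optional[VulnId]:
    """Return a VulnId for a well-formed CVE or GCVE identifier, else None."""
    s = text.strip().upper()
    m = CVE_RE.match(s)
    if m:
        return VulnId("CVE", 0, int(m.group(1)), int(m.group(2)))
    m = GCVE_RE.match(s)
    if m:
        return VulnId("GCVE", int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None


def dedupe_records(records: List[Tuple[str, str]]) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Merge (raw_id, source) pairs by canonical identifier.

    Returns the merged mapping (canonical id -> set of sources) and the list
    of raw identifiers that failed validation and were dropped.
    """
    merged: Dict[str, Set[str]] = {}
    rejected: List[str] = []
    for raw_id, source in records:
        vid = parse_vuln_id(raw_id)
        if vid is None:
            rejected.append(raw_id)  # malformed ids never reach the merged view
            continue
        merged.setdefault(vid.canonical(), set()).add(source)
    return merged, rejected


# Constructed sample feed for the example; none of these are real records.
SAMPLE_FEED = [
    ("CVE-2024-0001", "nvd"),
    ("GCVE-0-2024-0001", "gcve-mirror"),   # same bug via the GNA 0 namespace
    ("GCVE-1-2025-0007", "circl"),         # allocated by an independent GNA
    ("cve-2024-0001", "vendor-advisory"),  # case differs, still the same id
    ("CVE-24-1", "broken-feed"),           # malformed, must be rejected
]

if __name__ == "__main__":
    merged, rejected = dedupe_records(SAMPLE_FEED)
    for cid, sources in sorted(merged.items()):
        print(cid, sorted(sources))
    print("rejected:", rejected)
```

The design choice worth noting is that the canonical key is computed from parsed fields, not from the raw string, so case differences and the GNA 0 alias fold into one entry while anything that does not match the expected shape is reported rather than silently kept as a separate bug.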

Finally, and most prominently, a group of CVE board members quickly unveiled their plans to establish the CVE Foundation, an entirely new system funded by private-sector organizations and multiple governments.


“There are so many groups stepping forward to say, ‘We want to create something better,’” Ben Edwards, principal research scientist at Bitsight, told CyberScoop. “We want to help. We want to do something right here. I think that’s a very big strength of our industry.”

Yet Edwards, like the other CVE experts who spoke to CyberScoop, is leery of creating a splintered CVE regime. “If CISA and MITRE went away, we would have a huge fracturing because so many people would want to step in and fill that power void created. And there’s going to be a long period of chaos, I imagine, of everybody trying to do the right thing.”

Most CVE experts favor bringing European and international partners into a bigger tent while also seeking to reduce the funding monopoly the U.S. government has on the project, particularly as experts view the current administration as unpredictable. “I don’t think there is a single organization out there that thinks having all of your income coming from one place is a good idea,” Jay Jacobs, founder of Empirical Security and chief data scientist emeritus and founder of the Cyentia Institute, told CyberScoop.  “And that’s exactly what we have with the CVE program.”

Jacobs’ co-founder at Empirical Security, Michael Roytman, underscores the need to move away from the U.S. government as a sole funding source. “A healthy distrust of over-reliance on one particular actor to provide critical infrastructure is good,” he told CyberScoop. “The funding could dry up, whether it’s the government or even the private sector. You want resiliency in something that is that critical.”

A year-end timeline?

Allor says the CVE Foundation could be up and running by December.

“Who owns this problem is the real question,” Allor said. “I would postulate that the software producers own this problem.”

“That doesn’t mean governments don’t have a need,” he added. “They absolutely have a need. They need to be at the table, but they can’t solely be at the table. At the end of the day, they don’t produce this. They don’t fix it.”

Allor contends that the CVE program is a matter of national security and the country can’t “rely on a government that will wait until the 11th hour to ensure its continued functioning.”

“Why are we putting the entire ecosystem at risk if it is a national security issue?” Allor said. “How did you miss your mission if it was critical to national security? That’s just ridiculous.”


The answer for Allor and CVE Foundation board members is “that we need something more reliable, broader supported, with input from all concerned, and that allows us to focus on the most impactful part.”

Allor said dozens of private-sector companies, plus four non-U.S. governments, have already pledged support to get the foundation up and running. However, former CISA Director Jen Easterly has come down hard on the CVE Foundation, whose board contains members from the independent CVE program board that oversees the current MITRE program.

In a LinkedIn post, Easterly accused CVE Foundation board members of duplicity, saying that “while sitting on the governing board of one of the most critical cybersecurity programs in the world, some members were ostensibly working in secret to build a separate organization to assume control of that very program. And they didn’t resign while doing so, given the obvious conflict of interest.”

Easterly also argued that while “software vendors should have a voice in the CVE Program,” the effort “should be funded by the government and governed by independent stakeholders who are a balanced representation of the ecosystem.”

When asked about the prospect of the CVE Foundation launching its rival effort by December, a MITRE spokesperson told CyberScoop: “MITRE appreciates the recent overwhelming support for the CVE and CWE [Common Weakness Enumeration] programs that the global cyber community, industry, and government has expressed. MITRE remains committed to CVE and CWE as a global resource for the greater good.”


As the parties continue talking, Gamblin said he doesn’t want to “pick sides.”

“I just want to see the program survive and be healthy,” he said, “in whatever way is the most beneficial for people who aren’t able to spend money on intelligence feeds” that depend on CVE records.

Cynthia Brumfield

Cynthia Brumfield is a veteran communications and technology analyst who is now focused on cybersecurity. She runs a cybersecurity news and information site, Metacurity.com.