News that the CVE Program, which tracks and maps disclosed cybersecurity vulnerabilities, is at imminent risk of collapse due to federal funding drying up, has rattled the global cybersecurity community and spawned numerous alternative proposals. But as the story evolved this morning, CVE’s sponsor CISA told The Stack that it has renewed funding for the programme.

"The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience," a spokesperson emailed us shortly before noon.

We reliably understand this to be a renewal for just 11 months.

The cat has been truly put among the pigeons, however. Alternatives seem to be emerging fast: one CVE Program board member today revealed plans for a new non-profit “CVE Foundation” to pick up on MITRE’s work (the Department of Commerce-backed National Vulnerability Database, or NVD, is arguably in an even worse crisis than the CVE Program), and Luxembourg's Computer Incident Response Center has launched its GCVE, which it describes as a "new decentralized approach to identifying and numbering security vulnerabilities."
