All posts tagged: CVE

CISA’s Reversal Extends Support for CVE Database

CISA’s Reversal Extends Support for CVE Database

Image: CROCOTHERY/Adobe Stock The nonprofit organization MITRE, which maintains the Common Vulnerabilities and Exposures (CVE) database, said on April 15 that the US government funding for its operations will expire without renewal; however, in a last-minute reversal announced the morning of April 16, CISA said it has extended support for the database. At the same time, CVE Board members have founded the CVE Foundation, a nonprofit not affiliated with the US federal government, to maintain the CVE program. The CVE program, which has been in place since 1999, is an essential way to report and track vulnerabilities. Many other cybersecurity resources, such as Microsoft’s Patch Tuesday update and report, refer to CVE numbers to identify flaws and fixes. Organizations called CVE Numbering Authorities are associated with MITRE and authorized to assign CVE numbers. “CVE underpins a huge chunk of vulnerability management, incident response, and critical infrastructure protection efforts,” wrote Casey Ellis, founder of crowdsourced cybersecurity hub Bugcrowd, in an email to TechRepublic. “A sudden interruption in services has the very real potential to bubble up …

The CVE program for tracking security flaws is about to lose federal funding

The CVE program for tracking security flaws is about to lose federal funding

Funding is about to run out for the Common Vulnerabilities and Exposures (CVE) program – a system used by major companies like Microsoft, Google, Apple, Intel, and AMD to identify and track publicly disclosed cybersecurity vulnerabilities. The program helps engineers identify how bad an exploit is and how to prioritize applying patches or other mitigations. MITRE, the federally funded organization behind the program, confirmed to The Verge that its contract to “develop, operate, and modernize” CVE will expire on April 16th. First launched in 1999, the CVE program houses a database where participating organizations can assign IDs to known cybersecurity vulnerabilities. The IDs consist of the letters “CVE” followed by a year and a number, such as CVE-2022-27254, allowing security professionals to monitor details about the vulnerabilities that may impact the devices we use every day and systems that contain information critical to practically everything we do. Lukasz Olejnik, a security and privacy researcher, said in a post on X that a lack of support for CVE could “cripple” cybersecurity systems around the globe. “The …