By AJ Vicens and Raphael Satter
WASHINGTON (Reuters) - The defense and research-focused nonprofit MITRE Corporation says funding from the U.S. government runs out on Wednesday for it to maintain a critical database of cyber vulnerabilities used by security researchers and digital defenders the world over.
MITRE manages the Common Vulnerabilities and Exposures (CVE) database, which aims to identify, define and catalog publicly disclosed cyber weaknesses, enabling IT administrators to quickly flag and triage the myriad different bugs and hacks discovered daily.
The common numbering scheme, severity scale, and detailed descriptions allow quick communication of highly technical information across organizations and around the world.
MITRE said in an email that the funding "will expire" on Wednesday. The Cybersecurity and Infrastructure Security Agency (CISA), whose parent agency funds the contract, confirmed the contract was ending and said "we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely."
Reuters couldn't establish the reason for the contract's lapse, but CISA is, like the rest of the federal government, undergoing a radical downsizing driven in part by tech tycoon Elon Musk's U.S. DOGE Service. A spokesperson for DOGE didn't immediately reply to an email.
Cyber defenders said they were aghast at the news of the program's lapse. One compared it to suddenly deleting all dictionaries.
"We'd lose the language and lingo we use to address problems in cybersecurity," said John Hammond, the principal security researcher at managed security company Huntress. He said he swore out loud when he heard the news. "I really can't help but think this is just going to hurt."
Organizations around the world lean on the CVE database to triage which vulnerabilities in their digital products need immediate attention versus which ones can be put off, allowing them to manage when and how to update software or patch security holes.
Pulling the plug on the database would cause "an immediate cascading effect that will impact vulnerability management on a global scale," said Brian Martin, a historian of computer vulnerabilities.
He said that Computer Emergency Response Teams - the digital first responders known as CERTs - would "no longer have that source of free vulnerability intelligence" and that "every company in the world" that relied on the database for vulnerability intelligence "is going to experience swift and sharp pains to their vulnerability management program."
(Reporting by Raphael Satter and AJ Vicens; Editing by Sonali Paul)