MITRE’s CVE database to go dark as funding dries up

'Dictionary for vulnerabilities' set to disappear

Starting Wednesday, the Common Vulnerabilities and Exposures database will be taken offline. The nonprofit MITRE Corporation is forced to cancel by far the most widely used catalog of vulnerabilities. An alternative will not be provided immediately, leaving the cybersecurity field out in the cold.

The reason for the CVE database going offline is that its funding ends today. This is evident from an email seen by Reuters and others. The US Department of Homeland Security (DHS), which includes the Cybersecurity and Infrastructure Security Agency (CISA), has confirmed that the contract for this database has ended.

Enormous consequences

The cause seems obvious: the far-reaching cost-cutting campaign under the U.S. DOGE Service, led by Elon Musk. The consequences are enormous, as the MITRE database is considered the gold standard for classifying and tracking vulnerabilities. Huntress researcher John Hammond emphasizes that the security world will lose “the language and jargon” for addressing its problems. He said he cursed when he saw the news; understandably so, we might add.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, is also deeply pessimistic. He told The Register that the consequences will be disastrous. Before the emergence of MITRE’s database, there was a confusing array of different technical terms and classifications. From 1999, when the CVE database began, the CVE became established as the standard for referring to vulnerabilities.

Other payers?

By far the biggest problem with this state of affairs is its suddenness. MITRE confirmed (or was only able to confirm) a day before the contract expired that its own CVE database was in trouble. This leaves no time to arrange an alternative database or alternative financing, something that might otherwise have been quite attainable.

The CVE Program will remain available as a historical document via GitHub. The question is how long it will take to create a successor to the database. It is likely that it will continue to use the same terminology as before. The CVE database is not as American as it seems. Although the U.S. government has control over it (as has once again become apparent), the content of the MITRE information is the result of international cooperation. The Register has already counted several hundred partners from 40 countries that help fill the database.

It should be possible to come up with a private alternative, although it will take time for the dust to settle and a clear successor to emerge. It’s a messy situation, to put it lightly. Tech companies would do themselves a favor by contributing financially to any such alternative, since it is often their solutions that are kept up to date by the CVE database.

Integrating an alternative CVE database will also be a challenge. After all, system administrators and security companies rely on the information provided by MITRE, particularly when prioritizing certain vulnerabilities. In a security landscape where threats are on the rise (and AI is assisting attackers), weakened Computer Emergency Response Teams (CERTs) are anything but desirable. They will need to find their ground truth for vulnerabilities someplace else.
