CVE Foundation cybersecurity program saved

April 18, 2025

A critical cybersecurity program is facing uncertainty as a non-profit foundation steps in to take control. The CVE (Common Vulnerabilities and Exposures) database, managed by cybersecurity firm MITRE for the past 25 years, has been instrumental in identifying potential vulnerabilities in hardware and software systems worldwide. This database plays a crucial role in ensuring the security of automotive and embedded systems. However, MITRE recently announced that the US government will not be renewing its funding for the CVE program.

In response to this funding setback, the CVE Foundation has been officially established to secure the long-term sustainability and independence of the CVE Program. Concerns have been raised by members of the CVE Board regarding the reliance on a single government sponsor for such a globally significant resource. The foundation has been diligently working over the past year to develop a strategy for transitioning the CVE program to a dedicated, non-profit entity.

“While we had hoped this day would not come, we have been preparing for this possibility,” stated the foundation. They emphasized the importance of ensuring business continuity to prevent any single point of failure in the CVE program. The primary focus of the foundation will be to uphold the mission of providing high-quality vulnerability identification and safeguarding the integrity and availability of data for developers worldwide.

According to Kent Landfield, an officer of the Foundation, “CVE is a cornerstone of the global cybersecurity ecosystem and is too crucial to be left vulnerable itself. Cybersecurity professionals worldwide rely on CVE identifiers and data for their daily tasks, and without CVE, defenders would face significant challenges in combating global cyber threats.” The pressing issue now is securing the necessary funding and determining the governance structure of the foundation. Western governments and major global enterprises like Microsoft and Google are potential supporters due to the strategic importance of industrial and automotive security.

“The establishment of the CVE Foundation is a significant milestone in eliminating vulnerabilities in the vulnerability management ecosystem and ensuring the CVE Program remains a trusted, community-driven initiative on a global scale,” the foundation stated. This move presents an opportunity for the international cybersecurity community to establish governance that aligns with the current global threat landscape.

In the days ahead, the Foundation plans to release more details about its organizational structure, transition plans, and ways for the broader community to get involved. The transition to a non-profit foundation signifies a new chapter for the CVE Program, aiming to secure its future and maintain its critical role in global cybersecurity efforts.