MITRE Corporation oversees the website CVE.org, which provides a database of software vulnerabilities. They circulated a letter to the CVE board stating that the Trump administration did not renew the contract for maintaining the database. This resulted in the contract ending today, potentially impacting future services.
CVE assigns unique identifiers to vulnerabilities for easier tracking and reference. For example, the Shellshock vulnerability is known as CVE-2014-6271, and Heartbleed is identified as CVE-2014-0160. Initially, this database was a service provided by MITRE, but later became a public service funded by CISA, the United States Cybersecurity and Infrastructure Security Agency, who sponsors MITRE for this maintenance.
While this service is crucial, the US government also operates the National Vulnerability Database as another avenue for vulnerability information. It remains uncertain if MITRE will continue to operate CVE.org after the CISA contract expires. The announcement letter stated that this could impact service delivery. The cost for maintaining the CVE and CWE databases in the last fiscal year was $29 million USD.
Source: @0xTib3rius, PC Magazine
TLDR: MITRE Corporation faces uncertainty regarding the future of CVE.org after the US government did not renew their contract for maintaining the software vulnerability database, potentially impacting service delivery.
Leave a Comment