My guess is that they’ll be phased out next year. The long-term goal seems to be transitioning the CVE program into something more like an industry-led consortium. (If you did not notice, they operate a zero-budgeting approach: cut everything, and if something is very important, reverse it. But you cut first and then ask questions.)
It’s worth noting that MITRE is a DoD contractor (with minor contracts from other agencies like this one). Having the CVE program operated by a company funded by the U.S. military raises valid concerns about conflicts of interest—especially in an ecosystem that depends on neutrality and global trust.
I've seen no sign of long-term goals, much less any mechanisms being put in place for follow-through on those goals.
It seems like people keep making the mistake of believing there's a detailed plan, while all evidence tells us there isn't. I guess it's the normal human tendency to see order in the chaos.
MITRE is a non-profit company that operates Federally Funded Research and Development Centers (FFRDCs), which are owned and funded by the federal government and contracted out to companies like MITRE to operate them.
While MITRE does have contracts with DoD (and many other agencies across the federal government as part of the FFRDCs they operate), they are not the same as a stereotypical DoD contractor as their non-profit status motivates them to work in the public interest.
MITRE is not a DoD contractor. They are a not-for-profit institution committed to the public interest that operates six Federally Funded Research and Development Centers.
... and that industry led consortium will have a board all paid princely sums, and an executive leadership team that is conflicted to the hilt and paid kingly sums, and they will charge exorbitant rents in order to keep the lighthouse lit.
There's flaws with every approach, but I much prefer the approach where this sort of thing is treated as a public good, rather than as yet another soon-to-be walled garden.
Thanks. It's always a puzzle what to do with threads based on articles that have since been superseded by later developments. Do we start a new thread based on a new article? The new article / thread usually fails to do very well, partly because there just was a big discussion, and partly because hearing about something getting fixed is less interesting and exciting than the original stimulus.
I've been playing recently with putting [fixed] at the end of the original title to indicate this sort of state change to the reader. Not sure if that's the best way, nor if the situation has genuinely been fixed or not, but I guess it's better than nothing. Swapping out the article and title would probably be too much of a rug pull on the existing thread.
The contract expired today, but had an option period through March of 2026. DHS just needed to exercise the option.
Edit: Note the contract ended today April 16 - so performance would stop midnight tonight if the option wasn't exercised. Government contracts routinely go down to the wire like this, and often are late getting exercised. Why the uproar over this one? Did CISA signal to MITRE that they weren't going to exercise the option?
> Did CISA signal to MITRE that they weren't going to exercise the option?
An internal letter sent to CVE board members was making the rounds yesterday warning the current contract ("contracting pathway") would expire. The letter was authenticated by Brian Krebs[0]. Once Krebs authenticated the letter, people more or less assumed CISA was pulling funding, at least based on the infosec social media posts I saw.
CISA officials responded to multiple media inquiries (including the OP) with a statement that more directly said the contract would expire:
> Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.[1]
I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
I ask this because I don't think anyone in the subject matter specialist space would have made a strong case "kill it, we don't need this", and I am sure if asked would have made a strong case "CRISSAKE WE NEED THIS DONT TOUCH IT". But I could believe senior finance would do their own research (tm) and misunderstand what they saw in how other people work with CVE, and who funds it.
> I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
This was not a carefully-weighed decision based on a cost-benefit analysis. This was a political order, consistent with the administration's policy of "cut everything, recklessly, indiscriminately."
There are many problems going on right now, but in terms of cuts this is one of the most problematic: everything is secret, with no oversight or deliberation. It's indistinguishable from corrupt malice because it's not done with open thoughtfulness.
"We are paying MITRE how much? Bigballs and co will write a better system in 1 week and have it integrated with xAI. How hard could it be? Send out a first draft of an xAI contract to our DHS contact"
> perhaps the thinking is to radically change approaches?
If there had been a replacement or reform plan for even one single iota of the things this admin has cut, I might give them the benefit of the doubt. But there's not. It's just kill, kill, kill.
This sort of thing is happening across the federal government. There is no rhyme or reason. DOGE has been given an unrealistic target for cuts and they're desperately cutting whatever they can get their hands on. If you look at the federal budget it's nearly impossible for DOGE to hit their stated goals without touching benefits like medicare and social security (which are off limits so far) so the only option is deep, deep cuts into the narrow slice of the federal budget that excludes those protected categories.
There is no rhyme or reason to what gets cut, other than someone under pressure to hit KPIs (dollars cut) was desperately searching for things that looked easy to cancel.
This is happening everywhere the federal government touches. Most people aren't aware of it until they come around and pull the rug on something that intersects with your own life.
Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
Like what exactly? I mean the guy ran on cutting the budget by 2 trillion. In his last term he gave tax breaks to the rich. Where did they think the cuts were coming from?
He ran very hard on raising tariffs, which demonstrably raise prices (that's literally their goal). But now people claim "I didn't vote for this."
In truth they voted for him because he was the Republican on offer and they're die-hard Republican. The Republican party has made no secret of its agenda for decades.
I get it, people are good at cognitive dissonance. But this is the place for blunt truth. They voted for this. I'm not letting Republicans get off the hook here. They voted for this.
Just like to my Republican friends who are upset that CVE is cut: you voted for this. The general public benefits from CVE even though they don't know it exists. Just like you benefited from dozens of other programs you didn't know existed, but have also been cut.
That's the problem with cuts. They ultimately end up hurting everyone.
Now clearly there's some fat that could be trimmed. Companies do it all the time. Done well, it's good. Swinging a hatchet in a crowded elevator does not seem like "done well".
Something different like gay people, women, immigrants all suffering while they laugh. Who's laughing now? From an outsider's perspective, I sincerely hope that Republicans get to feel a fraction of what these usually marginalised groups feel every day.
You'd think that lessons would incite learning but that has never seemed to be the case throughout history.
Remember, DOGE has nothing to do with money or "efficiency". It's a pure ideological dismantling of the Federal government aimed at eliminating oversight, regulations, assistance and entitlements as envisioned by ultra-conservatives for decades.
This isn't speculation or hyperbole, it's specifically laid out in their published plans: By hobbling or outright eliminating federal agencies responsible for executing the laws passed by Congress, the administration can circumvent the democratic process and impose their extreme vision of limited government on the country, regardless of popular support.
The U.S. system of government relies on established norms as much as it does law. Conservatives realized that they can ignore precedent with impunity if they had an executive willing to do so. They then spelled out exactly how, and are now enacting that plan.
Then SCOTUS's decisions last summer turbo boosted their agenda. The ruling that only Congress can hold the President legally accountable essentially means executive power is unchecked if the legislature is unwilling or unable to Impeach and convict. The President can now confidently ignore the law and judicial orders with a veneer of legality. And this is what he's doing.
(The fact that all this just so happens to benefit Russia after their decade long campaign to destabilize their opponents in the West is a topic for speculation.)
DOGE is about permanently altering how our country works modeled on the right wing worldview, plain and simple. Since that's their overall goal, they're not concerned where they swing the wrecking ball - it's all going to get destroyed eventually.
> This sort of thing is happening across the federal government. There is no rhyme or reason. DOGE has been given an unrealistic target for cuts and they're desperately cutting whatever they can get their hands on
You make it sound like poor DOGE employees are being forced to do this on this kind of schedule, which definitely isn't the impression I got. They're all a bunch of incompetent overconfident weirdos who think they know better and what to do. Is there any pressure to do anything quickly?
And the US federal budget is quite easy to trim. E.g. remove an aircraft carrier from the planned construction pipeline and you've saved $15 billion with no actual ramifications.
I'd say that the rhyme and reason are quite clear [0]. They published a playbook, and they are implementing it at a record pace.
> The NSC [National Security Council] staff will need to consolidate the functions of both the NSC and the Homeland Security Council (HSC), incorporate the recently established Office of the National Cyber Director, and evaluate the required regional and functional directorates.
> Given the aforementioned prerequisites, the NSC should be properly resourced with sufficient policy professionals, and the NSA should prioritize staffing the vast majority of NSC directorates with aligned political appointees and trusted career officials. - Project 2025, pg 52.
> ... History shows that an unsupervised NSC staff can stray from its statutory role and adversely affect a President and his policies. Moreover, while the NSC should be fully incorporated into the White House, it should also be allowed to do its job without the impediment of dually hatted staff that report to other offices. - Project 2025, pg 53.
The goal is to build up a political organisation to use as a weapon, and to scrap the rest - as a legal excuse to say that the political appointments will be necessary.
The rhyme is Humpty Dumpty had a great fall. Now Chinese and Russian security forces step up their relentless attacks. Let's hope the White House falls first.
> Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
Out of curiosity, which programs? And is this enough to change their opinion about Trump, or do they still think it'll be worth it?
> I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
Come on, are you living under a rock right now? There are massive indiscriminate funding cuts to anything that Elon/Doge deems to be "fraud", and they explicitly do not care about the collateral damage.
This is not about the DHS or "compartmentalization". This is just a politician running amok and having real consequences.
Also there has been funding cuts to all agencies where Musk is currently under investigation. NHTSA is getting cut so they can't get in the way of Tesla.
No one analyzed it, most likely. It's possible one of the college students working for DOGE doesn't understand security because they are a child with no real-world experience that Elon brought in to slash costs.
Your words don't make any sense in this environment. The idea that any person at an agency could stand up to or convince the DOGE team of anything is preposterous.
Anything that weakens the US or puts our cybersecurity in a place where Russia can exfiltrate data will happen. This is not about the US needing anything, and it's silly to think otherwise. See also the NLRB whistleblower and the security backdoors that DOGE demanded to allow data exfiltration, and the subsequent death threats to the whistleblower.
Your mindset is behind the times and needs to adjust to a, frankly, insane current reality.
> Your words don't make any sense in this environment. The idea that any person at an agency could stand up to or convince the DOGE team of anything is preposterous.
Your comment embraces and spreads the powerlessness they want you to feel and spread.
Of course you can stop them - like any other negotiation in life, especially non-friendly ones, you need to make it in Trump's interest either by carrot or stick. Trump has interests; identify them and identify your power in those regards ('power and interest' is the term), and use it.
Also, stop helping them make DOGE the scapegoat. It's Trump.
it might also be deliberate: that they actually don't think the government should be involved in this sort of thing. after all, someone could be making a profit on this, and that seems to be their highest value. if gov is involved, that makes it a communal effort, and you know what else starts with "commun-"?
yes, those reasons are stupid and ignorant AND intentional.
but is there any evidence against that interpretation?
Yes, there are apparently various ways of profiting from vulnerabilities. The interesting question would be whether any of the regime insiders have a way to profit.
If you made this careful analysis, you'd hear "CRISSAKE WE NEED THIS DONT TOUCH IT" for almost everything (and it likely would be right for a significant portion but not everything).
That's why the current approach seems to be to axe everything, listen to how much screaming there is, then reinstate only the projects where the screaming is really loud.
You forget that their stated policy (and I don't doubt their commitment) is that whoever complains the loudest was probably scamming. That "honest people don't complain".
> A coalition of CVE Board members launched a new CVE Foundation "to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program."
This kind of a consortium needs to explicitly avoid being captured by both the product vendors (who could be incentivised to manipulate the CVE issuance process to support their own remediation timescales), and by security companies (who could be incentivised to obtain a competitive advantage via preferential access to the CVE database).
It isn't impossible for a commercially-funded organisation to avoid this kind of capture, but it isn't easy either. My mind immediately jumps to the relationship between the Mozilla Foundation and Google.
The way their letter is worded, it seems that they have a rainy day fund constituted to ride out the stormy next few weeks, and I'm fairly certain they'll come back with more details as to how they'll be acquiring funding from now on in the next few days. Maybe paid access to an API, maybe donations from large companies that use the system, maybe something else ::shrug::
Hopefully a project as important as this doesn't just disappear completely because of government pressure.
This smells like a quick attempt to enable phishing for vulnerabilities, and not a legit way to make progress. The comment is from a person that runs a security startup, and the site is a Google site that people can report to Google as a scam. (Edit: downvote as you like it— perhaps my language was too harsh to help make the point clear. It is interesting how easily non-sec people fall for names and quotes and authority.. building trust does not come overnight; in fact it is never fully there, and infosec experts would not fall for such supply-chain redirections with a questionable future. Hopefully we will not have to test this idea soon, though some level of reliability and long-term automation would be welcome. We need technical, generally agreed-upon systems, not a “foundation”).
The real irony here is that a lot of ycombinator founders and the people reading HN were exactly the ones making this possible and now start to wonder why the snake eats its own tail.
Or they wanted this, because this could be part of the privatization of many government functions. They, or at least some of them, could see this as controlling this function for money. It's a regular stream too, the valuable subscription model and customers who really need the service (and if they don't, just add a new law in the name of IT security forcing firms to sign up).
exactly; I hope ycombinator and its proponents can enjoy living in the ancap fantasy land where you have to pay to be alerted for a climate change fueled mega hurricane (also caused by this exact same reckless, unregulated greed) because NOAA was disbanded. Billionaires shouldn't exist, but neither should millionaires.
Weren't there major problems with the current CVE implementation, especially with the waves of script kiddies and AI tools spamming the database and the fact that projects who take security seriously have little to no say in the "score" that gets assigned?
As an active consumer of CVEs: yea there are major problems. No there's nothing better and no I don't have any better ideas.
The scores are mostly useless, I would not care if they disappeared, I do not look at them. I don't really understand why people get so upset about garbage scores though. If a high CVSS score creates a bunch of work for you then your vuln mgmt process is broken IMO. (Or alternatively, you are in the business of compliance rather than security. If you don't like working in compliance, CVSS scores aren't the root cause of your misery).
Having a central list of "here's a bunch of things with stable IDs that you might or might not care about" is very valuable.
And then a random 9.8 critical comes along that affects some software you have in a way that makes it a 0 in your environment, but it doesn't matter because the CVE tanks your organizational Security Score (tm) by 10 arbitrary points, and management is wondering when you'll secure the company again, because the Security Score is their only tangible deliverable to measure success.
Spot on. Vulnerability scanners that make up an organizational Security Score (TM) tend to operate at the wrong level of abstraction, flagging some library somewhere that never runs and has nothing to do with your production flow or architecture, or some test keys with zero security impact. Go explain that to management, because obviously the security tools are right and you are wrong. This sad state of affairs is unfortunately the best that the security industry has been able to deliver. Trying to wrangle complexity by adding more complexity is the craziest notion to me. Yes, no scoring scheme is perfect, but when the scheme introduces more noise, what have we gained (well, security vendors gain, but what have organizations gained).
Yeah like when we bundled in a .js library for client side date processing that has a CVE affecting node.js servers with high score. Our auditors don’t care they tag the whole app as high risk. It doesn’t even run on the server!
Solving this problem in a generalized way is really hard.
Maybe I have a dependency on Foo which has a critical vulnerability in a feature that I don't use. I suppress the warning and all is well. Then two weeks later someone on my team decides to use that feature, not knowing that there's a problem with it. Now we're fucked, and we'll never know because the vulnerability has been suppressed.
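One way to keep the suppression described in the comment above from silently outliving its justification. This is an added example, not code from the commenter or from any scanner: the suppression is recorded as a VEX-style "not affected" statement that carries a machine-checkable condition (the vulnerable entry point must not be referenced anywhere in the tree) plus an expiry date, and the condition is re-evaluated on every scan, so the finding resurfaces the moment a teammate starts using the feature. The package name foo, the placeholder identifier CVE-0000-0000, the symbol names and the two source snapshots are all constructed for the example.

```python
"""Conditional, expiring suppression of a dependency finding (added example)."""
import ast
import datetime as dt

# Constructed suppression record, modelled on a VEX "not_affected" statement.
# CVE-0000-0000 is a placeholder identifier, not a real CVE; "foo" is a made-up package.
SUPPRESSIONS = [
    {
        "id": "CVE-0000-0000",
        "package": "foo",
        "justification": "vulnerable_code_not_in_execute_path",
        # The suppression only holds while nothing references the vulnerable entry point.
        "forbidden_symbols": {"foo.unsafe_template"},
        "expires": "2025-06-30",  # forces a human re-review even if the condition still holds
    }
]

# Constructed source snapshots: before and after a teammate starts using the feature.
SNAPSHOT_BEFORE = {
    "app/main.py": "import foo\n\ndef handle(req):\n    return foo.render_plain(req.body)\n",
}
SNAPSHOT_AFTER = dict(SNAPSHOT_BEFORE)
SNAPSHOT_AFTER["app/report.py"] = (
    "from foo import unsafe_template\n\ndef build(data):\n    return unsafe_template(data)\n"
)


def referenced_symbols(source: str) -> set:
    """Dotted names a module references: 'import a', 'from a import b' and a.b attribute chains."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            found.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.update(f"{node.module}.{alias.name}" for alias in node.names)
        elif isinstance(node, ast.Attribute):
            parts, cur = [], node
            while isinstance(cur, ast.Attribute):   # unwind foo.bar.baz into its dotted name
                parts.append(cur.attr)
                cur = cur.value
            if isinstance(cur, ast.Name):
                parts.append(cur.id)
                found.add(".".join(reversed(parts)))
    return found


def evaluate_suppressions(snapshot: dict, today: str, suppressions=SUPPRESSIONS) -> dict:
    """Map each suppressed finding ID to 'suppressed' or the reason the suppression no longer holds."""
    used = set()
    for source in snapshot.values():
        used |= referenced_symbols(source)
    verdicts = {}
    for s in suppressions:
        if dt.date.fromisoformat(today) > dt.date.fromisoformat(s["expires"]):
            verdicts[s["id"]] = "expired: re-review required"
            continue
        hits = sorted(s["forbidden_symbols"] & used)
        verdicts[s["id"]] = f"condition violated: {hits} now referenced" if hits else "suppressed"
    return verdicts


if __name__ == "__main__":
    print(evaluate_suppressions(SNAPSHOT_BEFORE, "2025-05-01"))  # {'CVE-0000-0000': 'suppressed'}
    print(evaluate_suppressions(SNAPSHOT_AFTER, "2025-05-01"))   # condition violated: ['foo.unsafe_template']
```

Run this as a CI step with the real source tree in place of the constructed snapshots and fail the build on any verdict other than "suppressed". The static check is deliberately conservative: it sees direct imports and attribute chains, not `getattr` or `importlib` tricks, which is why the expiry date stays in the record as a backstop rather than trusting the condition forever.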
Don’t let the perfect be the enemy of good. It is(was?) a very useful and important system.
Trump must be receiving a lot of emails from companies wanting to fill the void, and I bet the Trumpiest of them all is going to be awarded a contract worth 10x the budget CVE had, and do a much worse job.
I feel that. So tired of management being completely uninterested in actual, actionable security holes but getting wildly spun up because they saw a notice with a big scary number that has absolutely no relevance in our architecture.
Most tracking tools have exception processes. But yeah, security as a product family instead of a simple score seems to be a foreign concept at most companies.
The scores were never going to be that accurate across people's environments (IDK how much other places relied on them, places I worked never did that much) and issues with the scores don't seem to be a good justification to torch the whole CVE system anyway.
This^ and to add to that, at the very least MITRE assigned IDs which is great. Plus they did an initial scoring, which, well… will never be perfect like you said and I’m sure these things evolve throughout time and get better (not talking necessarily CVSS vX).
What a shame on this current gov. administration, if you can even call it that.
I think the question everyone in this thread should ask is: why is it the government's job to do this, especially given the prior widespread view that they're doing a bad job? Is the software industry so immiserated by poverty that it cannot organize its own distribution of security bulletins? Clearly not: GitHub already runs its own vuln tracking scheme that's better integrated with the tooling we use for open source software. The industry routinely sets up collaborations like standards bodies, information sharing groups and more. And there is a whole ecosystem of security companies to help you understand vulns in your stack.
So there seems nothing specific to CVEs that requires government involvement, but the existence of the tax funded scheme does discourage the creation of competitors that might function better.
But, to CVE or not to CVE ... that is not the question. US deficit spending is out of control. This sort of thing had to happen some day. It's what Europeans in the 2010s called "austerity" and it always makes some people scream but this graph:
... is not sustainable. Up to 1984 overall US debt was stable. Since then its growth rate became dangerous. Debt/GDP ratio is now worse than just after WW2. The federal government is currently spending more on interest than on defense or Medicare:
The US is currently getting its first taste of what parts of Europe started going through in 2008, and unfortunately there's bad news: the cuts you're seeing now are mostly cosmetic. They're what can be done within the current framework of laws, sort of, with lots of bending of the rules and creative interpretations of them and maybe some oversteps. But it's just the start of what's needed. Large scale reform of the laws themselves will be required regardless of whoever wins the next elections.
Getting a bit tired of posts like this (no offense), something dumb / nefarious happens like funding is cut for <useful thing>, then someone posts an off the cuff comment or question like, "wasn't this <useful thing> not that useful because <superficial reason>?".
Why do people do this, to down play all the destruction of the last few months? Seems to be some type of coping mechanism.
you like to say the word 'bikeshedding'. Adoption of formal, intellectualish-sounding terminology even when inappropriate is an orange-site affliction I advise against. I am saying this for your own sake... speak truths with POWER
NIST maintains the National Vulnerability Database (NVD).. This is a key piece of the nation’s cybersecurity infrastructure. There is a growing backlog of vulnerabilities.. based on.. an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.. We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.
> Security and vulnerability handling in software is of ever increasing importance. Recent events have adversely affected many project's ability to identify and ensure these issues are addressed in a timely manner. This is extremely worrying.. Until recently many of us were relying not on the CVE project's data but on the NVD data that added that information.
Five years ago (2019), I helped to organize a presentation by the CERT Director from Carnegie Mellon, who covered the CVE backlog and lack of resources, e.g. many reported vulnerabilities never even receive a CVE number. It has since averaged < 100 views per year, even as the queue increased and funding decreased, https://www.youtube.com/watch?v=WmC65VrnBPI
I did find this post to be non-helpful and confusing. It would be helpful to edit it (or write differently in the future) to clarify that the sudden defunding event occurring today is separate and not related to the previous funding cuts. If that's the case.
Is there no connection between 2025 funding cuts and previous ones? e.g. If a year of work after the previous cuts resulted in an open-data collaboration between NVD and commercial vendors to share a subset of CC0 vulnerability metadata, could that industry collective now argue for government to share (with companies) the burden of funding an open, decentralized program for CVE tracking? Commercial vendors could still offer additional metadata and analytics, over and above the public baseline.
> A bipartisan bill that would establish a nonprofit foundation aimed at boosting private-sector partnerships at the National Institute of Standards and Technology was reintroduced in the House and the Senate.. the proposed foundation structure was described as replicating similar nonprofits that support public-private partnerships at other science agencies.. we encourage a strategy that leverages NIST’s leadership and expertise on standards development, voluntary frameworks, public-private sector collaboration, and international harmonization.. NIST’s funding has been in focus following a budget cut of roughly 12% to $1.46 billion in fiscal year 2024.
Edit_2: is there a shortage of database rows, or people to write a shell script? Why not pre-allocate N CVE IDs for every CNA, while a new plan is worked out? At least one random commercial vendor could foresee the shutdown early enough to reserve CVEs.
> Garrity posted on LinkedIn, “Given the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025,” adding that Vulncheck “will continue to provide CVE assignments to the community in the days and weeks ahead.”
> Moving forward, cybersecurity companies will have to “fill the void” .. NVD said in April [2024] that it is “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” .. CISA acknowledged the concerns and outrage of the security community and said it is starting an enrichment effort called “Vulnrichment," which will add much of the information described by Garrity to CVEs.
Vulnerability enrichment was mentioned in many talks. However, most organizations seem to handle it internally. There doesn’t appear to be momentum toward a shared or open source solution – at least not yet.
> Since February 2024, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) has encountered delays in processing vulnerabilities.. caused by factors such as software proliferation, budget cuts and changes in support.. NIST, an agency within the United States Commerce Department, saw its budget cut by nearly 12% this year.
I've noticed that there's a post like this in most articles on HN that could be construed as negative for the current administration: some vague false statement followed by either a factually incorrect explanation or some quote that does not support the statement.
This makes me wonder what other stuff most people don't know exists but is important to our society has quietly disappeared in the last few weeks. We know about this one because we know it's important. What are the things we don't know about?
The cheerleaders don't care. Americans' relative certainty and quality of life is backstopped by institutions they either barely understand or have never heard of. Let them touch the stove, I guess.
https://www.project2025.observer/ lists a few. Of course, those are only the agencies the Trump people know about and explicitly want to destroy, but it's a start.
CVE Foundation - https://news.ycombinator.com/item?id=43704430
Replacing CVE - https://news.ycombinator.com/item?id=43708409
https://www.forbes.com/sites/kateoflahertyuk/2025/04/16/cve-...
My guess indefinitely.
DOGE might be a bunch of idiots, but in the entire DOD, there are non-idiots.
Where do you get that from?
But now that CVEs form the basis of a very lucrative ~$16b/year industry[0], wouldn't it make sense to let those companies take over?
Privatizing the Internet enabled much more innovation than if it had stayed govt-funded.
0: https://www.grandviewresearch.com/industry-analysis/security...
It’s a stretch to describe it as an arm of the government.
...Yep, we're done as a democracy. Pack it up, boys.
Edit: I know it is doom and gloom but the CVE program could easily delay information and leave holes on purpose.
NIH.gov DNS servers down, making PubMed, BLAST, etc. unreachable [fixed] - https://news.ycombinator.com/item?id=43229201 - March 2025 (385 comments)
Mozilla site down due to "overdue hosting payments" [fixed] - https://news.ycombinator.com/item?id=43226089 - March 2025 (102 comments)
Ask HN: Stripe Atlas messed up my 83B election what do I do? [fixed] - https://news.ycombinator.com/item?id=40825802 - June 2024 (3 comments)
The contract expired today, but had an option period through March of 2026. DHS just needed to exercise the option.
Edit: Note the contract ended today April 16 - so performance would stop midnight tonight if the option wasn't exercised. Government contracts routinely go down to the wire like this, and often are late getting exercised. Why the uproar over this one? Did CISA signal to MITRE that they weren't going to exercise the option?
An internal letter sent to CVE board members was making the rounds yesterday warning the current contract ("contracting pathway") would expire. The letter was authenticated by Brian Krebs[0]. Once Krebs authenticated the letter, people more or less assumed CISA was pulling funding, at least based on the infosec social media posts I saw.
CISA officials responded to multiple media inquiries (including the OP) with a statement that more directly said the contract would expire:
0 - https://krebsonsecurity.com/2025/04/funding-expires-for-key-...
1 - https://www.csoonline.com/article/3963190/cve-program-faces-...
> It’s unclear what led to DHS’s decision to end the contract after 25 years
and then suddenly it gets extended. What does it have to do with DOGE?
0 - https://virginiabusiness.com/nova-govcon-firm-mitre-to-lay-o...
1 - https://techcrunch.com/2025/03/11/doge-axes-cisa-red-team-st...
I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
I ask this because I don't think anyone in the subject matter specialist space would have made a strong case "kill it, we don't need this", and I am sure if asked they would have made a strong case "CRISSAKE WE NEED THIS DONT TOUCH IT" - but I could believe senior finance would do their own research (tm) and misunderstand what they saw in how other people work with CVE, and who funds it.
This was not a carefully-weighed decision based on a cost-benefit analysis. This was a political order, consistent with the administration's policy of "cut everything, recklessly, indiscriminately."
Mostly discriminately, tbh.
Most vulns will go unaddressed because a company like Palantir will most likely want only really good vulns like 0-click RCE.
"We are paying MITRE how much? Bigballs and co will write a better system in 1 week and have it integrated with xAI. How hard could it be? Send out a first draft of an xAI contract to our DHS contact"
The National Vulnerability Database has been unable to keep up with the flow of CVEs for over a year now:
- https://anchore.com/blog/national-vulnerability-database-opa...
- https://www.cyberreport.io/news/cve-backlog-update-the-nvd-s...
- https://www.ibm.com/think/insights/cve-backlog-update-nvd-st...
- and many, many, many others
It has been a complete disaster for months. At this point, perhaps the thinking is to radically change approaches?
If there had been a replacement or reform plan for even one single iota of the things this admin has cut, I might give them the benefit of the doubt. But there's not. It's just kill, kill, kill.
All of this is criminal behavior on the part of the current regime.
There is no rhyme or reason to what gets cut, other than someone under pressure to hit KPIs (dollars cut) was desperately searching for things that looked easy to cancel.
This is happening everywhere the federal government touches. Most people aren't aware of it until they come around and pull the rug on something that intersects with your own life.
Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
Like what exactly? I mean the guy ran on cutting the budget by 2 trillion. In his last term he gave tax breaks to the rich. Where did they think the cuts were coming from?
He ran very hard on raising tariffs. Which demonstrably raise prices (that's literally their goal). But now people claim "I didn't vote for this."
In truth they voted for him because he was the Republican on offer and they're die-hard Republican. The Republican party has made no secret of its agenda for decades.
I get it, people are good at cognitive dissonance. But this is the place for blunt truth. They voted for this. I'm not letting Republicans get off the hook here. They voted for this.
Just like to my Republican friends who are upset that CVE is cut. You voted for this. The general public benefit from CVE even though they don't know it exists. Just like you benefitted from dozens of other programs you didn't know existed, but have also been cut.
That's the problem with cuts. They ultimately end up hurting everyone.
Now clearly there's some fat that could be trimmed. Companies do it all the time. Done well, it's good. Swinging a hatchet in a crowded elevator does not seem like "done well".
They voted for the leopards to eat other people's faces, not theirs.
You'd think that lessons would incite learning but that has never seemed to be the case throughout history.
This isn't speculation or hyperbole, it's specifically laid out in their published plans: By hobbling or outright eliminating federal agencies responsible for executing the laws passed by Congress, the administration can circumvent the democratic process and impose their extreme vision of limited government on the country, regardless of popular support.
The U.S. system of government relies on established norms as much as it does law. Conservatives realized that they can ignore precedent with impunity if they had an executive willing to do so. They then spelled out exactly how, and are now enacting that plan.
Then SCOTUS's decisions last summer turbo boosted their agenda. The ruling that only Congress can hold the President legally accountable essentially means executive power is unchecked if the legislature is unwilling or unable to impeach and convict. The President can now confidently ignore the law and judicial orders with a veneer of legality. And this is what he's doing.
(The fact that all this just so happens to benefit Russia after their decade long campaign to destabilize their opponents in the West is a topic for speculation.)
DOGE is about permanently altering how our country works modeled on the right wing worldview, plain and simple. Since that's their overall goal, they're not concerned where they swing the wrecking ball - it's all going to get destroyed eventually.
You make it sound like poor DOGE employees are being forced to do this on this kind of schedule, which definitely isn't the impression I got. They're all a bunch of incompetent overconfident weirdos who think they know better and what to do. Is there any pressure to do anything quickly?
And the US federal budget is quite easy to trim. E.g. remove an aircraft carrier from the planned construction pipeline and you've saved $15 billion with no actual ramifications.
> The NSC [National Security Council] staff will need to consolidate the functions of both the NSC and the Homeland Security Council (HSC), incorporate the recently established Office of the National Cyber Director, and evaluate the required regional and functional directorates.
> Given the aforementioned prerequisites, the NSC should be properly resourced with sufficient policy professionals, and the NSA should prioritize staffing the vast majority of NSC directorates with aligned political appointees and trusted career officials. - Project 2025, pg 52.
> ... History shows that an unsupervised NSC staff can stray from its statutory role and adversely affect a President and his policies. Moreover, while the NSC should be fully incorporated into the White House, it should also be allowed to do its job without the impediment of dually hatted staff that report to other offices. - Project 2025, pg 53.
The goal is to build up a political organisation to use as a weapon, and to scrap the rest - as a legal excuse to say that the political appointments will be necessary.
[0] https://www.project2025.observer/
Out of curiosity, which programs? And is this enough to change their opinion about Trump, or do they still think it'll be worth it?
Come on, are you living under a rock right now? There are massive indiscriminate funding cuts to anything that Elon/Doge deems to be "fraud", and they explicitly do not care about the collateral damage.
This is not about the DHS or "compartmentalization". This is just a politician running amok and having real consequences.
Anything that weakens the US or puts our cybersecurity in a place that Russia can exfiltrate data will happen. This is not about the US needing anything and it's silly to think otherwise. See also the NLRB whistleblower and the security backdoors that DOGE demanded to allow data exfiltration and the subsequent death threats to the whistle blower.
Your mindset is behind the times and needs to adjust to a, frankly, insane current reality.
Your comment embraces and spreads the powerlessness they want you to feel and spread.
Of course you can stop them - like any other negotiation in life, especially non-friendly ones, you need to make it in Trump's interest either by carrot or stick. Trump has interests; identify them and identify your power in those regards ('power and interest' is the term), and use it.
Also, stop helping them make DOGE the scapegoat. It's Trump.
it might also be deliberate: that they actually don't think the government should be involved in this sort of thing. after all, someone could be making a profit on this, and that seems to be their highest value. if gov is involved, that makes it a communal effort, and you know what else starts with "commun-"?
yes, those reasons are stupid and ignorant AND intentional.
but is there any evidence against that interpretation?
Yes, there are apparently various ways of profiting from vulnerabilities. The interesting question would be whether any of the regime insiders have a way to profit.
That's why the current approach seems to be to axe everything, listen to how much screaming there is, then reinstate only the projects where the screaming is really loud.
> https://www.thecvefoundation.org
https://mastodon.social/@serghei/114346660986059236
It isn't impossible for a commercially-funded organisation to avoid this kind of capture, but it isn't easy either. My mind immediately jumps to the relationship between the Mozilla Foundation and Google.
Plus the proposed "Foundation for Standards and Metrology (FSM)" to build on NIST, https://democrats-science.house.gov/bills/the-expanding-part...
Shouldn't the most powerful country have something like this? Even be at the forefront of it?
The USA was doing cyberprotection against Russia and cyberattacks across the world.
Now suddenly it doesn't need it anymore?
Like, did Russia just go away (or has Russia won and now sits in the White House)?
For-profit private journaling is working really well for academia!
The scores are mostly useless, I would not care if they disappeared, I do not look at them. I don't really understand why people get so upset about garbage scores though. If a high CVSS score creates a bunch of work for you then your vuln mgmt process is broken IMO. (Or alternatively, you are in the business of compliance rather than security. If you don't like working in compliance, CVSS scores aren't the root cause of your misery).
Having a central list of "here's a bunch of things with stable IDs that you might or might not care about" is very valuable.
So, most businesses. They all need their ISO/NIST/HIPAA/etc certs.
There are far too many bad actors for us to operate as an industry with no yardstick.
Maybe I have a dependency on Foo which has a critical vulnerability in a feature that I don't use. I suppress the warning and all is well. Then two weeks later someone on my team decides to use that feature, not knowing that there's a problem with it. Now we're fucked, and we'll never know because the vulnerability has been suppressed.
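The failure mode in the comment above (a suppression that outlives the assumption it was based on) is what a time-bound, usage-scoped suppression is meant to prevent. The following is an added illustration, not code from the thread or from any scanner: a suppression records which affected API the team claims not to call and an expiry date, and the check re-opens the finding as soon as the codebase starts importing or calling that API, or the date passes. The package names, advisory ids and source snippets are constructed placeholders.

```python
"""Time-bound, usage-scoped suppression of dependency vulnerability findings.

Added example with constructed data: package names ("foo", "bar"), advisory
ids ("ADV-EXAMPLE-…") and the source snippets are all placeholders.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory_id: str                    # placeholder, not a real advisory id
    affected_symbols: tuple[str, ...]   # entry points the advisory marks as vulnerable


@dataclass(frozen=True)
class Suppression:
    advisory_id: str
    package: str
    reason: str
    expires: date                       # forces periodic re-review of the assumption


class _UsageCollector(ast.NodeVisitor):
    """Collect (package, symbol) pairs from `from pkg import x` and `pkg.x` usage.

    Deliberately over-approximates: every attribute reached through an imported
    module is recorded, which is the safe direction for this check.
    """

    def __init__(self) -> None:
        self.used: dict[str, set[str]] = {}
        self._aliases: dict[str, str] = {}   # local module name -> top-level package

    def _add(self, package: str, symbol: str) -> None:
        self.used.setdefault(package, set()).add(symbol)

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            top = alias.name.split(".")[0]
            self._aliases[alias.asname or top] = top
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module:
            top = node.module.split(".")[0]
            for alias in node.names:
                self._add(top, alias.name)
        self.generic_visit(node)

    def visit_Attribute(self, node: ast.Attribute) -> None:
        root = node
        while isinstance(root, ast.Attribute):     # walk foo.a.b down to the Name `foo`
            root = root.value
        if isinstance(root, ast.Name) and root.id in self._aliases:
            self._add(self._aliases[root.id], node.attr)
        self.generic_visit(node)


def collect_used_symbols(sources: dict[str, str]) -> dict[str, set[str]]:
    """Map top-level package -> symbols referenced anywhere in the given sources."""
    collector = _UsageCollector()
    for filename, code in sources.items():
        collector.visit(ast.parse(code, filename=filename))
    return collector.used


def evaluate(findings, suppressions, used_symbols, today: date):
    """Split findings into (silenced, reopened); each entry is (finding, reason)."""
    index = {(s.advisory_id, s.package): s for s in suppressions}
    silenced, reopened = [], []
    for f in findings:
        s = index.get((f.advisory_id, f.package))
        if s is None:
            reopened.append((f, "no suppression on file"))
        elif today > s.expires:
            reopened.append((f, f"suppression expired {s.expires.isoformat()}"))
        else:
            overlap = set(f.affected_symbols) & used_symbols.get(f.package, set())
            if overlap:   # the "someone on my team started using that feature" case
                reopened.append((f, "code now calls affected API: " + ", ".join(sorted(overlap))))
            else:
                silenced.append((f, s.reason))
    return silenced, reopened


# Constructed sample data.
FINDINGS = [
    Finding("foo", "1.4.2", "ADV-EXAMPLE-0001", ("extract_archive",)),
    Finding("bar", "0.9.0", "ADV-EXAMPLE-0002", ("render_template",)),
]
SUPPRESSIONS = [
    Suppression("ADV-EXAMPLE-0001", "foo", "we never call extract_archive", date(2025, 6, 30)),
]
WEEK_0 = {"app.py": "import foo\n\ndef run(path):\n    return foo.checksum(path)\n"}
WEEK_2 = {"app.py": "import foo\nfrom foo import extract_archive\n\n"
                    "def run(path):\n    extract_archive(path)\n    return foo.checksum(path)\n"}


def demo(sources: dict[str, str], today: date = date(2025, 5, 1)):
    return evaluate(FINDINGS, SUPPRESSIONS, collect_used_symbols(sources), today)


if __name__ == "__main__":
    for label, src in (("week 0", WEEK_0), ("week 2", WEEK_2)):
        silenced, reopened = demo(src)
        print(label, "silenced:", [f.advisory_id for f, _ in silenced],
              "reopened:", [(f.advisory_id, why) for f, why in reopened])
```

Run against the week 0 snippet the `foo` finding stays silenced and only the unsuppressed `bar` finding is reported; two weeks later, once `extract_archive` is imported, the same suppression no longer applies and the finding comes back with the reason attached, which is the behaviour the comment says plain warning suppression lacks.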
Trump must be receiving a lot of emails from companies wanting to fill the void, and I bet the Trumpiest of them all is going to be awarded a contract worth 10x the budget CVE had, and do a much worse job.
What a shame on this current gov. administration, if you can even call it that.
I think the question everyone in this thread should ask is: why is it the government's job to do this, especially given the prior widespread view that they're doing a bad job? Is the software industry so immiserated by poverty that it cannot organize its own distribution of security bulletins? Clearly not: GitHub already runs its own vuln tracking scheme that's better integrated with the tooling we use for open source software. The industry routinely sets up collaborations like standards bodies, information sharing groups and more. And there is as whole ecosystem of security companies to help you understand vulns in your stack.
So there seems nothing specific to CVEs that requires government involvement, but the existence of the tax funded scheme does discourage the creation of competitors that might function better.
But, to CVE or not to CVE ... that is not the question. US deficit spending is out of control. This sort of thing had to happen some day. It's what Europeans in the 2010s called "austerity" and it always makes some people scream but this graph:
https://fiscaldata.treasury.gov/americas-finance-guide/natio...
... is not sustainable. Up to 1984 overall US debt was stable. Since then its growth rate became dangerous. Debt/GDP ratio is now worse than just after WW2. The federal government is currently spending more on interest than on defense or Medicare:
https://www.crfb.org/blogs/interest-costs-have-nearly-triple...
The US is currently getting its first taste of what parts of Europe started going through in 2008, and unfortunately there's bad news: the cuts you're seeing now are mostly cosmetic. They're what can be done within the current framework of laws, sort of, with lots of bending of the rules and creative interpretations of them and maybe some oversteps. But it's just the start of what's needed. Large scale reform of the laws themselves will be required regardless of whoever wins the next elections.
Absolutely. And if the headline was "DHS proposes improvements and streamlining to the CVE program" we'd all probably be cheering.
Leaping from "This is Flawed" to "Let's kill This" is a logical fallacy. A flawed security registry is clearly better than no security registry.
In honesty, to say "logical fallacy" is spoddy; I advise against it for aesthetic reasons.
CVE is simply identification of a flaw, not a scoring system.
It's the way it is because there isn't a good alternative. They cannot possibly know every environment that we operate in.
To this day we still have large corporations downplaying their issues, and it was way worse 20 years ago.
Why do people do this, to downplay all the destruction of the last few months? Seems to be some type of coping mechanism.
All this does is help Putin and other rich grifters.
April 2024, https://nvd.nist.gov/general/news/nvd-program-transition-ann...
Sep 2024, Yocto Project, "An open letter to the CVE Project and CNAs", https://github.com/yoctoproject/cve-cna-open-letter/blob/mai...
> Security and vulnerability handling in software is of ever increasing importance. Recent events have adversely affected many projects' ability to identify and ensure these issues are addressed in a timely manner. This is extremely worrying.. Until recently many of us were relying not on the CVE project's data but on the NVD data that added that information.
Five years ago (2019), I helped to organize a presentation by the CERT Director from Carnegie Mellon, who covered the CVE backlog and lack of resources, e.g. many reported vulnerabilities never even receive a CVE number. It has since averaged < 100 views per year, even as the queue increased and funding decreased, https://www.youtube.com/watch?v=WmC65VrnBPI
Edit_1: found a proposed bill, April 2025, https://fedscoop.com/public-private-partnerships-bill-nist-h...
> A bipartisan bill that would establish a nonprofit foundation aimed at boosting private-sector partnerships at the National Institute of Standards and Technology was reintroduced in the House and the Senate.. the proposed foundation structure was described as replicating similar nonprofits that support public-private partnerships at other science agencies.. we encourage a strategy that leverages NIST’s leadership and expertise on standards development, voluntary frameworks, public-private sector collaboration, and international harmonization.. NIST’s funding has been in focus following a budget cut of roughly 12% to $1.46 billion in fiscal year 2024.
Edit_2: is there a shortage of database rows, or people to write a shell script? Why not pre-allocate N CVE IDs for every CNA, while a new plan is worked out? At least one random commercial vendor could foresee the shutdown early enough to reserve CVEs.
> Garrity posted on LinkedIn, “Given the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025,” adding that Vulncheck “will continue to provide CVE assignments to the community in the days and weeks ahead.”
The funding appears to have been cut off today, and both of these comments seem to talk about continuing work and how important it is.
Do you mean to say that some form of threat to the NVD has been around for over a year now? Just want to be sure I'm parsing correctly!
May 2024, https://therecord.media/nist-database-backlog-growing-vulnch...
> Moving forward, cybersecurity companies will have to “fill the void” .. NVD said in April [2024] that it is “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” .. CISA acknowledged the concerns and outrage of the security community and said it is starting an enrichment effort called “Vulnrichment," which will add much of the information described by Garrity to CVEs.
The second VulnCon event took place last week and no silver bullet has appeared, https://ygreky.com/2025/04/vulncon-2025-impressions/
That article is about how the volume of software vulnerabilities is increasing, resulting in difficulty keeping up for the CVE and NVD projects.
Please stop spamming this thread with political spin.
> Since February 2024, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) has encountered delays in processing vulnerabilities.. caused by factors such as software proliferation, budget cuts and changes in support.. NIST, an agency within the United States Commerce Department, saw its budget cut by nearly 12% this year.
People who actually work with CVEs have been posting about this problem on HN for 18 months.