No. of Recommendations: 9
I didn't expect to post again today, and if I had I wouldn't have suspected it would have been a second post on information security.
But astonishingly it just broke that the US government is ending funding of the Common Vulnerabilities and Exposures program, or CVE as most people in the field refer to it.
https://www.theregister.com/2025/04/16/homeland_se... has details. To excerpt:
"While the whole world's vulnerability management efforts aren't going to descend into chaos overnight, there is a concern that in a month or two they may. The lack of US government funding means that, unless someone else steps in to fill the gap, this standardized system for naming and tracking vulnerabilities may falter or shut down, new CVEs may no longer be published, and the program's website may go offline.
Not-for-profit outfit MITRE has a contract with the US Department of Homeland Security to operate the CVE program, and on Tuesday the group confirmed this arrangement has not been renewed. This comes as the Trump administration scours around the federal government for costs to trim."
If anyone remembers the Heartbleed exploit, it was also technically referred to as CVE-2014-0160, which was the ID in the program's database. This is a cornerstone of the security community. Everyone will be less secure for this if funding cannot be found.
Maybe private industry will step up and collectively fund this, but it benefited the US and is another shocking example of the shortsightedness - at best - of this administration.
I thought I'd planned around some bad outcomes and I was nowhere near pessimistic enough.