Trump defunded the CVE program, the global de facto standard for software vulnerability tracking

Toggle sidebar Toggle sidebar
mikeymikec

mikeymikec

Lifer
May 19, 2011
19,929
14,179
136
  • Like
  • Wow
Reactions: RnR_au and [DHT]Osiris
B

brycejones

Lifer
Oct 18, 2005
29,025
29,107
136
so was this waste, fraud, or abuse?

Right now while the orange monkey distracts everyone Voight and his minions are breaking as much shit as they can.
 
hal2kilo

hal2kilo

Lifer
Feb 24, 2009
25,373
11,777
136
mikeymikec said:
www.nextgov.com

MITRE-backed cyber vulnerability program to lose funding Wednesday

Organizations across industry, government, national security and critical infrastructure rely on the CVE Program, which serves as the de-facto global standard for vulnerability identification and management.
www.nextgov.com www.nextgov.com

arstechnica.com

CVE, global source of cybersecurity info, was hours from being cut by DHS

Board members have launched a nonprofit to take over the program from MITRE.
arstechnica.com arstechnica.com

The mind boggles.
Click to expand...
Let's throw away all of the locks, build a wall that has no real purpose, and make friends with our enemies. Traitor in the WH.
 
UNCjigga

UNCjigga

Lifer
Dec 12, 2000
25,251
9,724
136
Just playing devil’s advocate here—but this program is pretty well established and I assume ISVs (especially MS, Facebook, Google, Amazon, Apple etc.) are more than capable of funding the program as an ongoing concern. Will this really change anything?
 
mikeymikec

mikeymikec

Lifer
May 19, 2011
19,929
14,179
136
UNCjigga said:
Just playing devil’s advocate here—but this program is pretty well established and I assume ISVs (especially MS, Facebook, Google, Amazon, Apple etc.) are more than capable of funding the program as an ongoing concern. Will this really change anything?
Click to expand...
I would want tech vulnerability tracking managed by an impartial body, rather than a company deciding to move the goalposts, play revisionism games, or deprioritize requests from competitors in a way that it considers to be personally beneficial, which is almost never beneficial to anyone else. Furthermore, most software companies believe that information transparency and security are mutually exclusive elements, which goes against the very core of an open vulnerability reporting system.

Government backing (normally, GQP bizarroverse aside) adds stability, the body doesn't have to worry about funding.
 
  • Like
Reactions: KompuKare, dank69, [DHT]Osiris and 1 other person
Mr.IncrediblyBored

Mr.IncrediblyBored

Lifer
Jun 18, 2000
11,191
765
126
UNCjigga said:
Just playing devil’s advocate here—but this program is pretty well established and I assume ISVs (especially MS, Facebook, Google, Amazon, Apple etc.) are more than capable of funding the program as an ongoing concern. Will this really change anything?
Click to expand...

Does it make sense to have software companies control the purse strings of an organization tasked with finding and reporting CVEs in those company's software?
 
  • Like
Reactions: KompuKare
UNCjigga

UNCjigga

Lifer
Dec 12, 2000
25,251
9,724
136
Mr.IncrediblyBored said:
Does it make sense to have software companies control the purse strings of an organization tasked with finding and reporting CVEs in those company's software?
Click to expand...
An individual company, no—but as a collective, there are tons of industry consortia that set standards for everything and are not truly regulated. I just thought this would be one instance where government funding/control isn’t necessary.

Sounds like that’s what’s happening in this case—https://www.thecvefoundation.org/home

I agree this was a ham-handed way to abruptly cancel funding without adequate warning, a public comment period, or contingency plans to properly transition to an independent foundation.
 
M

manly

Lifer
Jan 25, 2000
12,858
3,631
136
UNCjigga said:
An individual company, no—but as a collective, there are tons of industry consortia that set standards for everything and are not truly regulated. I just thought this would be one instance where government funding/control isn’t necessary.

Sounds like that’s what’s happening in this case—https://www.thecvefoundation.org/home

I agree this was a ham-handed way to abruptly cancel funding without adequate warning, a public comment period, or contingency plans to properly transition to an independent foundation.
Click to expand...
You're right that they could easily pivot away from the status quo (didn't the feds already reverse this inane decision?). Even so, they won't drop the announced plans for a CVE Foundation. Trump admin is totally untrustworthy and incompetent. In the scope of the federal budget, this program doesn't even amount to bread crumbs. It's probably equivalent to the money they'll spend on a powder room for Pete Hegseth.

In semi-related news, didn't an important DoD cybersecurity group resign en masse?

Daddy Vladdy must be so proud of his lapdog Trump and we're not even 100 days in yet.
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom