• MOARbid1@lemmy.world (181 up, 1 down) · 3 days ago

    I applaud the quick action and implementing a path forward. We all need to fend for ourselves, because the US government cannot be counted on anymore.

    • CosmicTurtle0@lemmy.dbzer0.com (109 up, 1 down) · 3 days ago

      Which…is absolutely wild. The government should absolutely be funding vulnerability research. If anything so that they can exploit them.

      But I suspect they are taking the corporate approach. The foundation is going to do the research anyway and publish it widely. Just take advantage while adding nothing of value in return.

      God I hate this fucking timeline.

      • ricecake@sh.itjust.works (32 up) · 2 days ago

        Even corporations understand the value of having a seat at the table. A significant reason for corporate sponsorship of standards groups and such is so that if it comes up, they have a person there who can argue for their interests.
        Not even in an interesting or corrupt way.
        “Our engineers think it would be better to do it this way, any objections?” And then everyone talks about it.

        Leaving means you only get to use what others put together. If your needs don’t fit you just have to cope.

        Corporations love getting stuff for free, but if all it takes to solve a technical problem is cash, that’s great too. Cash is a better way to solve a technical problem than time and engineers.

        • brbposting@sh.itjust.works (5 up) · 2 days ago

          Not even in an interesting or corrupt way. “Our engineers think it would be better to do it this way, any objections?” And then everyone talks about it.

          And this was the mental roadblock I hit trying to imagine a world without lobbyists.

          As if we could ignore every voice with some connection to a profit motive (ignoring thousands of experts), etc

          Well said!

          • ricecake@sh.itjust.works (8 up) · 2 days ago

            Yeah, the lobbying question is a complicated one.

            In an ideal world it would be much closer to how the standards committees work. The issue isn’t people sharing their opinions and desires for how the system should work, it’s when they use inequitable means to bias the decision. My industry, security, has lobbied for official guidelines on security requirements for different situations. Makes it easier to tell hospitals they can’t have nurses sharing login credentials: government says that’s bad, and now your insurance says it’s a liability.

            The problem is that lobbying too often comes with stuff like a “we’re always hiring like-minded people at our lobbying firm, if you happen to find yourself in the position to do so, give us a call.”
            It’s too easy for people with a lot of money to make their voices more heard.

            It’s not that the wealthy and business interests should be barred from sharing opinions with legislators, it’s that “volume” shouldn’t be proportional to money. My voice as a person who lives near a river should be comparable to that of the guy who owns the car wash upstream when it comes to questions of how much we care about runoff going into the river.

          • ctrl_alt_esc@lemmy.ml (3 up) · 2 days ago

            Lobbyists aren’t inherently bad. The problem is lack of transparency and controls. Without effective controls of course a corporation with millions to spend will always have the upper hand over some NGO that lobbies for the common good.

      • SkaveRat@discuss.tchncs.de (26 up) · 2 days ago

        If you listen closely, you can hear the heads of NSA people banging on their desks because of the funding stop

      • entwine413@lemm.ee (6 up) · 2 days ago

        No one said they weren’t funding vulnerability research anymore. They just weren’t going to share the information.

  • wampus@lemmy.ca (38 up, 9 down) · 2 days ago

    I’m honestly not totally sure what to think about this one, though I recognise that it’s a big shift/likely a negative overall result.

    Reason I’m humming and hawing is that there are lots of expensive cybersecurity-type ‘things’ that rely on the CVE system without explicitly paying into that system / supporting it directly, from what I recall / have seen. Take someone like Tenable Security, who sell vulnerability scanners that extensively use/integrate with the CVE/NVD databases… companies pay Tenable huge amounts of money for those products. Has Tenable been paying anything into the ‘shared’ public resource pool? How about all those ‘audit’ companies, who charge like 10-30k per audit for doing ‘vulnerability / penetration tests’?

    IT Security has been an expensive/profitable area for a long time, while also relying on generally public/shared resources to facilitate a lot of the work. Maybe an ‘industry’ funded consortium is the more appropriate way to go.

    • tortina_original@lemmy.world (43 up) · 2 days ago

      What nonsense.

      CVE was used by thousands and thousands of security professionals and organizations; companies are just a small part of it. Companies contributed a lot with their own research and vulnerabilities they found and reported into CVE. It was useful because it made it easier to categorize and catalogue vulnerabilities, and it made everyone’s life easier. Not just companies’. It made it easier for Linux distros as well. And so on, and so on. Do Americans really think everything needs to be run as a company and for profit?

      I guess we’ll now go back to the “good old days” of sharing bugs on Bugtraq.

      I still can’t comprehend that Americans voted that idiot into the White House. Again. The damage he is doing is out of this world and will only become apparent in years to come. Truly incredible.

      • finder@lemmy.world (15 up) · 2 days ago

        Do Americans really think everything needs to be run as a company and for profit?

        Unfortunately, many do. It’s fuck’n baffling as to why.

        I still can’t comprehend that Americans voted that idiot into the White House.

        Well, Russia, China, North Korea, and Iran (to name a few), with the assistance of tech-bro billionaires like Elon Musk and Mark Zuckerberg, have been waging an information war against the US for well over a decade. All that time, money and effort is finally paying off.

      • wampus@lemmy.ca (4 up, 4 down) · 2 days ago

        Yeah, but that’s sort of the point I was making… it was a data repository used by “thousands and thousands” of security professionals and organizations. So people who were generating revenue off of the service. I mean, they’re professionals, not hobbyists / home users.

        I’m not an American, but in terms of everything running like a company/for profit, I’d say that it’s best if things are sustainable / able to self-maintain. If the US cutting funding means this program can’t survive, that’s an issue. If it has value to a larger community, the larger community should be able to fund its operation. There’s clearly a cost to maintaining the program, and there are clearly people who haven’t contributed to paying that cost.

        In terms of going back to whatever, the foundation involved is likely to sort out alternative funding, though potentially with decreased functionality (it sounds like they had agreements to pay for secondary vulnerability report reviews, which will likely need to get scaled back). Maybe they’ll need to add in a fee for frequent feed pulls, or something similar. I wouldn’t say it’s completely toast or anything just yet.

        • xthexder@l.sw0.com (3 up) · 2 days ago

          If it has value to a larger community, the larger community should be able to fund its operation.

          Up until very recently it seemed perfectly reasonable to fund this sort of thing with taxes, because it benefits everyone even if they’re not directly using the database. An open source developer probably isn’t going to pay to look up vulnerabilities in the open source dependencies they use, so the database being free makes software more secure on average.

          What is wrong with having free public services? If someone is abusing it, block them, or charge fees like a library.

          • wampus@lemmy.ca (1 up) · 1 day ago

            Sure, though that’s part of the problem that the States is whining about. US taxes paid for the service, which lots of other nations/foreign companies used.

            Things like libraries require taxes to operate. You’d likely be annoyed if you were struggling, and then found out your gov was using your taxes to pay for a bunch of foreign countries to have libraries. And then you find out that those foreigners are able to use those libraries to make good money, which they don’t use to support their libraries, cause the States is already covering it. So you’re paying taxes, and struggling to do so, so that EU companies can reap profits and live comfy.

            And yes, charge a fee. That’s basically what I’ve said, no? That there’s a value add, and that there are ‘professionals’/companies using it who aren’t paying for that value add. So something like a fee for frequent pulls against the vuln feeds, to replace whatever funding the US gov was giving, would make sense to me. Though I suppose this has now been kicked down the road till next year.

            • xthexder@l.sw0.com (1 up) · edited · 1 day ago

              The US specifically does spend tax money on foreign aid (or at least they used to). I have no problem with that. If you’re struggling to get by, then you should be paying effectively no taxes. If that’s not the case, then we should be fixing that, not cutting funding to things that make the world better.

              As for the fee suggestion, a library does not charge for entry or for every book. There is a “free tier” that everyone can use as long as you return the books on time. You only charge the people making too many requests to make sure the service stays available to everyone.

        • JasonDJ@lemmy.zip (4 up) · 2 days ago

          Idk about Tenable specifically, but a lot of the major security vendors have their own pool of security researchers who very frequently contribute to CVE. Mostly from finding vulns in their own product, but a lot of those vulns are due to upstream libraries.

    • FauxLiving@lemmy.world (6 up) · 2 days ago

      The CVE system protects everyone that uses computers. It is a public service that forms the core of cybersecurity in the US and many other places. It does not cost the database any more money if people use it to provide services to clients.

      Letting a private corporation take it over and put it behind a paywall now means that security, like so many other things, will only be available to people with money. It will make software and hardware more expensive by adding yet another license fee or subscription if you want software that gets security updates.

      In addition, a closed database is just less useful. This system works because when one person notifies the system of an exploit then every other person now knows. That kind of system is much higher quality if you have more people that are able to access it.

      An industry being created and earning money by providing cybersecurity services shows how useful such a system is for everyone. There are good paying jobs that depend on this data being freely available. New startups only need to provide service, they don’t need to raise the funds to buy into the security database because it is a public service. They also pay taxes (a significant amount if they’re charging $30,000 per audit), more than enough profit for the government to operate a database.

  • Telorand@reddthat.com (19 up, 8 down) · 3 days ago

    That’s good, I guess, but decentralize it. It’s a tool used globally with global ramifications, so other countries should be able to run their own instance of it. That way, if an instance goes down, nobody else is left without it.

    Over the coming days, the Foundation will release more information about its structure, transition planning, and opportunities for involvement from the broader community.

    Hopefully that includes decentralization on the roadmap.

    • dohpaz42@lemmy.world (49 up, 1 down) · 3 days ago

      Decentralizing a foundation such as CVE would do more harm than good. For things like git or the fediverse it makes perfect sense, but the last thing I want something like the CVE to be is fragmented. We need a single source of truth for this.

      Now setting up a non-profit foundation and cutting dependence with governments is a good thing, but it’s not the same as decentralized.

      • Billiam@lemmy.world (25 up) · 3 days ago

        This, exactly.

        The whole point of CVE is to make sure everyone is on the same page regarding exploits. That necessitates a single point of truth for the whole operation.

      • Telorand@reddthat.com (4 up) · 2 days ago

        We need a single source of truth for this.

        So distribute it, like DNS. Have the CVE Foundation be the final authority, but relying solely upon them makes me uneasy.

        The CVE Foundation might currently be independent from the US government, but that doesn’t mean they’re not still subject to its whims. I think people underestimate just how awful things are or could get here, and “why is the government doing that stupid/heinous/bizarre thing” has become a daily mantra for many.

        CVE needs better protection from hostile governments, and distributing the system seems like the only way to achieve that

        • barsoap@lemm.ee (10 up) · edited · 2 days ago

          That’s long since been the case, e.g. the Linux kernel assigns its own CVE numbers; they’re a CNA. Which keeps the “root” CVE database completely out of the loop short of saying “this here is your namespace and scope”. Canonical is a CNA, Airbus is a CNA, both covering their own products. 453 in total.

          Still important to have a fallback though because not all projects are big enough to do that kind of stuff, and you always want there to be some database you can report something against.

        • ricecake@sh.itjust.works (7 up) · 2 days ago

          I think you might be overestimating how complex the system is. This isn’t collaborative, and it’s barely even dynamic. It’s essentially bookkeeping around a list of numbers and a zip file of text documents.

          https://github.com/CVEProject/cvelistV5/archive/refs/heads/main.zip

          The reporting of the issues is already done by other people, they just rely on a central group to keep the numbers from colliding.

          https://www.cve.org/CVERecord?id=CVE-2025-3576

          Not a whole lot there.

          Significantly more worrying is the nvd.

          https://nvd.nist.gov/vuln/detail/CVE-2025-31161

          There’s additional data attached relating to not just the vulnerability, but exploitation and the system configuration that’s known to be exploitable.

          Up until now it was benign, as well as entirely unavoidable, for so much of the infrastructure of the Internet to be closely tied to the US government.
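ricecake’s description of the list (numbers plus a zip of JSON records, with the central group only keeping ids from colliding) and barsoap’s point about CNAs assigning from their own blocks, as an added example that is not part of the original thread: it builds a small cvelistV5-shaped archive from constructed records, walks it the way a feed consumer would, and checks id format and uniqueness. The record field names and the cves/<year>/<Nxxx>/ layout are assumed from the public repository and schema; every id, vendor and value below is made up.

```python
import io
import json
import re
import zipfile
from collections import Counter

CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def record_path(cve_id: str) -> str:
    """Path of a record in the cvelistV5 tree, cves/<year>/<Nxxx>/<id>.json, where
    the bucket drops the last three digits (layout as seen in the repo; assumed)."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        raise ValueError(f"malformed CVE id: {cve_id!r}")
    year, seq = m.groups()
    return f"cves/{year}/{seq[:-3]}xxx/{cve_id}.json"

def make_record(cve_id, cna, state, desc, affected, cwe):
    """Minimal constructed record in the CVE JSON 5.x shape (field names assumed
    from the public schema; all values are made up)."""
    vendor, product, fixed_in = affected
    body = {
        "descriptions": [{"lang": "en", "value": desc}],
        "affected": [{"vendor": vendor, "product": product, "versions": [
            {"version": "0", "status": "affected", "lessThan": fixed_in, "versionType": "semver"}]}],
        "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": cwe, "lang": "en"}]}],
    }
    return {"dataType": "CVE_RECORD", "dataVersion": "5.1",
            "cveMetadata": {"cveId": cve_id, "assignerShortName": cna, "state": state},
            "containers": {"cna": body}}

# Constructed sample: two CNAs each assigning an id from their own block.
SAMPLE = [
    make_record("CVE-2099-10001", "example_cna", "PUBLISHED", "Constructed: over-read in log parser",
                ("ExampleCo", "LogParser", "2.4.1"), "CWE-125"),
    make_record("CVE-2099-31337", "other_cna", "PUBLISHED", "Constructed: auth bypass in admin API",
                ("OtherVendor", "AdminAPI", "1.9.0"), "CWE-287"),
]

def build_zip(records) -> bytes:
    """Pack records into an in-memory zip laid out like the cvelistV5 archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for rec in records:
            zf.writestr(record_path(rec["cveMetadata"]["cveId"]), json.dumps(rec))
    return buf.getvalue()

def summarize(zip_bytes: bytes) -> dict:
    """Walk the archive and reduce each record to what a triage feed needs."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            rec = json.loads(zf.read(name))
            meta, cna = rec["cveMetadata"], rec["containers"].get("cna", {})
            out[meta["cveId"]] = {
                "cna": meta.get("assignerShortName"),
                "state": meta["state"],
                "affected": [f"{a['vendor']}/{a['product']}" for a in cna.get("affected", [])],
                "cwes": [d["cweId"] for pt in cna.get("problemTypes", [])
                         for d in pt.get("descriptions", []) if "cweId" in d],
            }
    return out

def find_collisions(records) -> list:
    """The central list's real job: an id must never be handed out twice."""
    counts = Counter(r["cveMetadata"]["cveId"] for r in records)
    return sorted(i for i, n in counts.items() if n > 1)
```

Point `build_zip` at records read from the real archive and the same `summarize` and `find_collisions` run unchanged, since the public records carry the same top-level fields.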

        • dohpaz42@lemmy.world (3 up, 1 down) · 2 days ago

          Distribution, decentralization… those ideas only serve to add unnecessary complexity to a sensitive and critical infrastructure. Instead of throwing the baby out with the bathwater, let’s work toward making these institutions not rely on or be beholden to governments. Anything else is a poor man’s Band-Aid to the problem.

          FWIW, I agree with your concerns, but not the proposed solutions. Regardless, these are the types of discussions we all should be having for our critical infrastructure.

          • Telorand@reddthat.com (1 up) · 2 days ago

            let’s work toward making these institutions not rely on or be beholden to governments.

            I don’t see how that’s possible unless you use a system that’s resistant to governments (or moneyed interests). And the only systems like that are effectively outside their government’s power or jurisdiction. Otherwise, the right mix of ambitious or greedy people could eventually cause it to crumble.

            Did you have some other kind of system or plan in mind?

  • Buelldozer@lemmy.today (8 up, 1 down) · edited · 2 days ago

    Good. Despite the fact that my Government is currently being run by baboons, the US Government shouldn’t have been the sole carrier of such a globally important program. The CVE program is central to how security companies, Qualys being an example, make absolute shedloads of money. These companies shouldn’t be getting a free ride; it’s only right that they contribute to maintaining the resource.

    There’s also the argument that no single Government should have control over something like this.

    • ArcaneSlime@lemmy.dbzer0.com (4 up) · edited · 2 days ago

      In fact, I can think of a few reasons the US gov shouldn’t even be trusted to fund this. Namely the CIA/NSA possibly saying “bitch we fund you, don’t report these things we exploit or no more money.” Did it happen? Don’t know. Does “US gov funded” immediately make me suspicious of it happening? Yes.

      • Buelldozer@lemmy.today (3 up) · 2 days ago

        Does “US gov funded” immediately make me suspicious of it happening? Yes.

        As it should. Frankly NO Government should have sway over the CVE program; they are all shady AF and every one of them would absolutely do what you are describing if they felt it was in their interest.

  • ShellMonkey@lemmy.socdojo.com (4 up) · 3 days ago

    That’s actually surprising. I would think that Musk & Donnie would have been all over the idea of having front-row-seat visibility into new CVEs. Info like that could be worth a few bucks.

    • schizo@forum.uncomfortable.business (5 up) · 2 days ago

      Not that I disagree, but putting it in the hands of a foundation that’s beholden to corporate money isn’t exactly going to be the solution to “eventually messing up stuff”.

    • ricecake@sh.itjust.works (3 up, 2 down) · 2 days ago

      People will always mess stuff up. Government is just the group of people you have a say in.

      When the public good gets messed up, I’d rather it be by the people I can vote out than by the people who only answer to shareholders.

      I just don’t understand the persistent belief that a profit motive will magically make something more aligned with the public good.

        • ricecake@sh.itjust.works (1 up, 1 down) · 2 days ago

          So you want it to be run like it is today, but with less money? Do you think they’re going to spread whatever incompetence you see them having via funding?

          Usually when people celebrate the removal of government from a public service it’s because they think it should be arranged to turn a profit.

          You didn’t list your stance on every issue in your comment so I can only assume that you have the rest of the beliefs that I’ve always seen go with that opinion.

            • ricecake@sh.itjust.works (2 up, 1 down) · 2 days ago

              Cool. You wrote an opinion that perfectly matched the opinion of a particular demographic that’s common on the site, and are now very offended that no one knew you were someone less common.
              Which also entirely draws the conversation away from you saying it’s good that the government pulled funding from an organization that’s doing something good because government messes everything up.

              They’re already a non-profit. Why are you upset that they got money from the government? Wouldn’t the ideal to you be an NGO that got money without being under government control, and was therefore free from business influence as well?

              Linux is a great example. It’s backed by a non-profit foundation, under the direction of mostly corporate advocates. That’s what people talk about when they talk about a non-profit being beholden to corporate money.
              The shape of Linux has steadily been pushed towards being more and more focused on server and data center operations, since that’s what the people in charge of funding allocation care about, and that’s what they’ll direct their parent organizations to contribute developers to working on.

              Your government sucks. I get that. It doesn’t mean I don’t expect more from mine, and it doesn’t mean that I reject the notion that I should have say in the management of the things around me.
              The NGO that you envision will do a better job managing the drainage where I live doesn’t answer to me, and I have no recourse if they mess up and flood my house.

              I’d like something like the NGO you envision, but with public accountability. This is often called a “government”.