CISA reverses course, extends MITRE CVE contract – CyberScoop

In a last-minute switch, the Cybersecurity and Infrastructure Security Agency said it will continue funding a contract for MITRE to manage the CVE program and other vulnerability databases.
In a statement sent to CyberScoop, a spokesperson said the agency executed an option to extend the contract and avoid a potential lapse in a program that has become essential to the broader cyber community’s vulnerability management.
“The CVE Program is invaluable to the cyber community and a priority of CISA,” the spokesperson said. On Tuesday night, “CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
The spokesperson did not immediately respond to follow-up questions about the length of the extension.
CISA’s decision comes after a MITRE executive sent a letter this week advising the CVE board of the contract’s imminent termination, warning of potentially catastrophic consequences to the cybersecurity ecosystem.
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations and all manner of critical infrastructure,” Yosry Barsoum, a vice president and director at MITRE, wrote Tuesday.
Virtually everyone, from government agencies to the private sector, relies on the CVE program to track and communicate vulnerabilities in the technology they run.
The program acts as an international clearinghouse for the latest information on security vulnerabilities in software and other products. CVE entries are often the starting place for vulnerability management or incident response: defenders use them to identify affected products and versions, follow the references to vendor advisories, patches and exploitation reports, and coordinate with other teams and tools under a single shared identifier.
Ferhat Dikbiyik, chief research & intelligence officer at Black Kite, said that removing MITRE — the central authority managing the CVE database — would leave only “chaos” for the organizations that rely on the quality of that data.
“The CVE program isn’t just a database. It’s the backbone of how the cybersecurity world communicates about vulnerabilities,” Dikbiyik said.
Tim Peck, a senior threat researcher at Securonix, said shuttering the program without a replacement could delay vulnerability disclosures, disrupt coordinated disclosure timelines, hold up patching and remediation notes, and give attackers additional time to exploit vulnerabilities before the cyber community can respond.
Last year, the National Institute of Standards and Technology temporarily halted its work enriching vulnerabilities for the National Vulnerability Database, leading to a similar outcry from cybersecurity professionals.
The MITRE letter set off a panic in the cyber community, prompting several parties to draw up plans for replacing MITRE’s role with a new organization.
A new organization called the CVE Foundation was launched Wednesday as a potential successor. Kent Landfield, an officer for the organization, said the foundation was being started by “a coalition of longtime, active CVE Board members” who have “spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation.”
“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” Landfield said in a statement. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work — from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”
The Computer Incident Response Center of Luxembourg is also developing its own rival. The Global CVE Allocation System is an attempt to create a more decentralized system for managing vulnerabilities, one that doesn’t need to rely on a central authority for management. According to an FAQ section of the website, the new identifiers created by the organization would be crafted to be backwards-compatible with existing CVE entries.
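What "backwards-compatible" means for the identifiers is easiest to see in code. The following Python example is added here; it is not part of the CyberScoop article and not CIRCL's own GCVE tooling. It assumes the identifier layout published by the GCVE project (GCVE-<GNA number>-<year>-<sequence>, with GNA number 0 reserved for the existing CVE Program), so that any existing CVE ID maps to GCVE-0-<year>-<sequence> and back, while IDs issued by other numbering authorities have no CVE form. The VulnId type, the parse functions and the find_vuln_ids helper are names chosen for this example.

```python
"""Parse CVE and GCVE identifiers and map between them (added example, not project code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# CVE ID syntax: "CVE-" + four-digit year + "-" + a sequence of at least four digits
# (the sequence has had no fixed upper length since the 2014 syntax change).
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.IGNORECASE)

# GCVE ID syntax as published by the GCVE project (assumption, see lead-in):
# "GCVE-" + GNA number + "-" + four-digit year + "-" + sequence.
# GNA number 0 is reserved for the CVE Program; that reservation is the
# backwards-compatibility mechanism this example demonstrates.
_GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d+)$", re.IGNORECASE)

CVE_PROGRAM_GNA = 0
FIRST_CVE_YEAR = 1999  # the CVE list starts in 1999; earlier years are treated as typos


@dataclass(frozen=True)
class VulnId:
    gna: int   # numbering authority; 0 means the ID was allocated by the CVE Program
    year: int
    seq: str   # kept as text so leading zeros (CVE-2024-0001) round-trip unchanged

    def as_gcve(self) -> str:
        return f"GCVE-{self.gna}-{self.year}-{self.seq}"

    def as_cve(self) -> Optional[str]:
        """Legacy CVE form, or None if the ID did not come from the CVE Program."""
        if self.gna != CVE_PROGRAM_GNA or len(self.seq) < 4:
            return None
        return f"CVE-{self.year}-{self.seq}"


def parse_cve(ident: str) -> VulnId:
    m = _CVE_RE.match(ident.strip())
    if not m:
        raise ValueError(f"not a well-formed CVE ID: {ident!r}")
    year = int(m.group(1))
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"implausible CVE year {year} in {ident!r}")
    return VulnId(CVE_PROGRAM_GNA, year, m.group(2))


def parse_gcve(ident: str) -> VulnId:
    m = _GCVE_RE.match(ident.strip())
    if not m:
        raise ValueError(f"not a well-formed GCVE ID: {ident!r}")
    gna, year, seq = int(m.group(1)), int(m.group(2)), m.group(3)
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"implausible year {year} in {ident!r}")
    if gna == CVE_PROGRAM_GNA and len(seq) < 4:
        # GNA 0 mirrors the CVE Program, so its sequence must obey CVE's minimum width.
        raise ValueError(f"GNA-0 identifier with too-short sequence: {ident!r}")
    return VulnId(gna, year, seq)


def parse_any(ident: str) -> VulnId:
    """Accept either form, case-insensitively."""
    up = ident.strip().upper()
    return parse_gcve(up) if up.startswith("GCVE-") else parse_cve(up)


def cve_to_gcve(ident: str) -> str:
    return parse_cve(ident).as_gcve()


def gcve_to_cve(ident: str) -> Optional[str]:
    return parse_gcve(ident).as_cve()


# Word boundaries keep "CVE-..." from matching inside a "GCVE-..." token and stop
# partial matches such as "CVE-2021-44228abc".
_ANY_RE = re.compile(r"\b(?:GCVE-\d+-\d{4}-\d+|CVE-\d{4}-\d{4,})\b", re.IGNORECASE)


def find_vuln_ids(text: str) -> List[str]:
    """Extract every CVE/GCVE ID from free text as canonical GCVE strings, deduplicated, in order."""
    found: List[str] = []
    for m in _ANY_RE.finditer(text):
        canonical = parse_any(m.group(0)).as_gcve()
        if canonical not in found:
            found.append(canonical)
    return found


if __name__ == "__main__":
    # Constructed sample advisory text, not a real document.
    sample = "Log4Shell is cve-2021-44228; see also GCVE-1-2025-0001 and CVE-2021-44228."
    print(find_vuln_ids(sample))
    print(cve_to_gcve("CVE-2024-0001"), gcve_to_cve("GCVE-0-2024-0001"))
```

Because the mapping for GNA 0 is a pure string rewrite with no lookup, existing CVE IDs in tickets, advisories and detection content keep their meaning unchanged; only identifiers issued by other numbering authorities (any GNA other than 0) are new, and as_cve returns None for those rather than inventing a CVE ID.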