CVE Foundation pulls cybersecurity programme back from the brink

By Nick Flaherty


A key cybersecurity programme is on the brink of failure as a non-profit foundation aims to take over.

The CVE (Common Vulnerabilities and Exposures) database, currently run by cybersecurity firm MITRE, has detailed potential vulnerabilities in hardware and software for systems around the world over the last 25 years.

This is increasingly important for making sure that automotive and embedded systems stay secure, but MITRE flagged on Wednesday that its funding for the CVE programme will not be renewed by the US government.

In response, the CVE Foundation has been formally established today to ensure the long-term viability, stability, and independence of the CVE Program. Members of the CVE Board have increasingly raised concerns about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.

“While we had hoped this day would not come, we have been preparing for this possibility,” said the foundation, which has spent the last year developing a strategy to transition CVE to a dedicated, non-profit foundation. “The promise of temporary funding, while greatly appreciated, does not eliminate the need for business continuity planning to prevent single point of failures in the CVE program.” 

The foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of data for developers worldwide.

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the Foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

The key question now is how to raise the necessary funding, and what that means for the governance of the foundation. Western governments would be prepared to support the database, as industrial and automotive security is a key strategy. Similarly, large global enterprises such as Microsoft and Google could well be backers.

“The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative. For the international cybersecurity community, this move represents an opportunity to establish governance that reflects the global nature of today’s threat landscape,” it said.

Over the coming days, the Foundation says it will release more information about its structure, transition planning, and opportunities for involvement from the broader community.

www.thecvefoundation.org
