惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
人人都是产品经理
人人都是产品经理
IT之家
IT之家
Cyberwarzone
Cyberwarzone
T
Troy Hunt's Blog
有赞技术团队
有赞技术团队
阮一峰的网络日志
阮一峰的网络日志
T
Threat Research - Cisco Blogs
S
SegmentFault 最新的问题
Apple Machine Learning Research
Apple Machine Learning Research
G
GRAHAM CLULEY
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 叶小钗
Last Week in AI
Last Week in AI
C
CERT Recently Published Vulnerability Notes
The Hacker News
The Hacker News
Jina AI
Jina AI
T
Tor Project blog
V
Vulnerabilities – Threatpost
酷 壳 – CoolShell
酷 壳 – CoolShell
Spread Privacy
Spread Privacy
博客园_首页
C
Cybersecurity and Infrastructure Security Agency CISA
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Simon Willison's Weblog
Simon Willison's Weblog
Security Latest
Security Latest
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - 司徒正美
V2EX - 技术
V2EX - 技术
I
Intezer
The Cloudflare Blog
Cisco Talos Blog
Cisco Talos Blog
SecWiki News
SecWiki News
博客园 - 【当耐特】
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
L
Lohrmann on Cybersecurity
Scott Helme
Scott Helme
Google Online Security Blog
Google Online Security Blog
量子位
The Last Watchdog
The Last Watchdog
AI
AI
Application and Cybersecurity Blog
Application and Cybersecurity Blog
S
Security Affairs
P
Palo Alto Networks Blog
S
Secure Thoughts
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Attack and Defense Labs
Attack and Defense Labs

The Register - Security: CSO

Anthropic's Mythos has The Kettle crew curious, skeptical 'People's Panel' to check if UK wants controversial Digital ID will cost £630K Top npm package backdoored to drop dirty RAT on dev machines Lightning-fast exploits mean patch fast, says Cisco Talos Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Cybercrime up 245% since the start of the Iran war Scattered Lapsus$ Hunters seeks women to defraud helpdesks Every day in every way, passwords are getting worse CISA quietly updated ransomware flags on 59 flaws last year Deepfake job seeker applied to work for an AI security firm Deepfake job seeker applied to work for an AI security firm AI-powered cyberattack kits are 'just a matter of time' AI-powered cyberattack kits are 'just a matter of time' FortiGate SSO bug still exploitable despite December patch FortiGate SSO bug still exploitable despite December patch Judge tosses CrowdStrike shareholder suit over 2024 outage DRAM shortage may drive firewall prices higher: analysts Ransomware attacks kept climbing in 2025 as gangs refused to stay dead Around 1,000 systems compromised in ransomware attack on Romanian water agency 1,000 systems pwned in Romanian Waters ransomware attack Half of exposed React servers remain unpatched amid attacks CISA warns spyware crews are breaking into Signal and WhatsApp accounts FCC guts Salt Typhoon telco rules despite espionage risk CISA orders feds to patch Oracle Identity Manager zero-day SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere SEC bails on SolarWinds lawsuit Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood Palo Alto kit sees massive surge in malicious activity Countries use cyber targeting to plan strikes: Amazon CSO Overconfidence is the new zero-day as teams stumble through cyber simulations UK's Cyber Security and Resilience Bill makes Parliamentary debut Cyber insurers paid out over twice as much for UK ransomware attacks last year Cyberpunks mess with Canada's water, energy, and farm systems Trump's workforce cuts blamed as America's cyber edge dulls Feds flag active exploitation of patched Windows SMB vuln How malware vaccines could stop ransomware's rampage Salesforce refuses to pay ransomware crims' extortion demand Germany slams brakes on EU's Chat Control snoopfest Germany slams brakes on EU's Chat Control snoopfest Employees regularly paste company secrets into ChatGPT Oracle tells Clop-targeted EBS users to apply July patch Red Hat repos raided, claims cybercrew, files stolen Suspected Chinese spies broke into 'numerous' enterprises UK gov acknowledges 'strong case' for JLR financial support JLR extends shutdown – again – as toll on workers laid bare UK chancellor blames cyberattacks on Russia despite evidence Fortra discloses 10/10 severity bug in GoAnywhere MFT Entra ID bug could have granted access to every tenant UEFI Secure Boot for Linux Arm64 – where do we stand? JLR says cyber cleanup to take additional week Insider blamed for FinWise data breach affecting nearly 700K Nork snoops whip up fake military ID with help from ChatGPT UK government dragged for incomplete security reforms Church of England abuse victims exposed by lawyer's email US spy chief claims UK backdown on Apple backdoor demand Workday confirms CRM breach via social engineering Black Hat/DEF CON: AI more useful for defense than hacking Ex-White House cyber guru talks Microsoft security fails CISA releases malware analysis for Sharepoint Server attack China: US spies used Microsoft Exchange 0-day to steal info Security pros drowning in threat-intel data Identity attacks surge 156% as phishermen get craftier Organizations can’t keep up with supply chain security musts Amazon CISO: Iranian hacking crews ‘on high alert’ UK data watchdog fines 23andMe £2.3M over 2023 breach Employers are demanding too much from junior cyber recruits FCA warned four staffers who pocketed regulator data Ransomware just wrecked your network – now what? Ivanti RCE attacks 'ongoing,' exploitation hits clouds Ex-NSA listened to Scattered Spider's calls: 'They're good' Snowflake CISO talks lessons learned from breaches, improv Why CVSS is failing us and what we can do about it Infosec pros still aren't nailing the basics of AI security Ransomware crims targeting systems between IT and operations Why aggregating asset inventory leads to better security NCSC and industry at odds over how to tackle shoddy software Powerschool extortionists may not have deleted stolen data CrowdStrike trims workforce by 5 percent, aims to rely on AI NSO Group must pay Meta $168M in WhatsApp spy case Ghost in the shell script: Boffins seek code correctness How Intruder finds what others miss in cloud security Linux malware can avoid syscall-based endpoint protection Infosec pro blabs about alleged malware mishap on LinkedIn The future of AI in cybersecurity in a word – optimistic Security snafus caused by third parties up from 15% to 30% Blue Shield shared 4.7M people's health info with Google Ads Who needs phishing when your login's already in the wild? US cyber defenses are being dismantled from the inside Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps
CVE board 'kept in the dark' on funding, members say
Jessica Lyons Jessica Lyons · 2025-04-26 · via The Register - Security: CSO

Kent Landfield, a founding member of the Common Vulnerabilities and Exposures (CVE) program and member of the board, learned through social media that the system he helped create was just hours away from losing funding.

"Another board member gave me a call and said: 'What the heck?'" Landfield recalled in an interview with The Register, although "heck" wasn't exactly the term used, he added.

"But I went, and looked at the letter and said: 'Wait a minute, that should be in my inbox, because it is addressed to the board,'" Landfield said.

He's referring to the April 15 letter seen around the world after being shared on Bluesky. It opened with, "Dear CVE Board Member," and was signed by Yosry Barsoum, MITRE's vice president and director at the Center for Securing the Homeland.

Not-for-profit outfit MITRE, based in Massachusetts and Virginia, has had a contract with the US government to operate the CVE program since its inception in 1999. The program has become the de facto standard for uniquely identifying and tracking security holes in products and projects, and is used by experts, organizations, and government bodies around the world to ensure that they're all talking about the same specific bugs.

Quite honestly, we were mushrooms. Kept in the dark

In last week's letter, Barsoum told the board that funding from Uncle Sam for MITRE to run the program had not been renewed.

For Landfield and other board members, along with the general public, this was a complete surprise. The CVE board is made up of representatives from governments, academia, antivirus makers, the infosec world, and more, who steer and advise the program while MITRE handles the day-to-day operations.

"Through open and collaborative discussions, the board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and the strategic direction of CVE," its charter states.

"Quite honestly, we were mushrooms," CVE board member Peter Allor told The Register. "Kept in the dark."

While this wasn't the first time government funding issues had come up during the program's over 25-year history, "we weren't really told about them," Landfield said. 

"It was a contract negotiation between the federal government and MITRE, and we were not in a position of governing as a board, we were mainly there as a high-level guidance and advisor to instruct the program on how things needed to work," he explained.

By now, everyone knows how this story ends — or at least continues for 11 months.

The US govt's Cybersecurity and Infrastructure Security Agency, aka CISA, on Wednesday said it had "executed the option period on the contract to ensure there will be no lapse in critical CVE services." The CVE board only found this out by reading the statement online.

The contract, however, only runs through March 2026, calling into question its long-term sustainability — and exposing the inherent weakness of a global resource being funded by a single government sponsor. A single sponsor rapidly alienating allies around the globe, to boot.

"The US government needs to move this out from their sole funding and control for this global and collective problem regarding vulnerabilities and the enumeration of records," Allor said in a LinkedIn post. 

Meet the CVE Foundation

Behind the scenes, some members of the CVE board had been discussing these issues for almost a year: How do they ensure long-term funding and neutrality for the program? And how do they increase the resources necessary to ensure vulnerability information reaches network defenders in time to protect all of us?

All of these discussions took place in private up until last Wednesday. Enter a new initiative: The CVE Foundation. Its goal is to ensure that CVE remains a neutral, publicly available vulnerability resource with long-term funding from multiple groups. Most, but not all, of its members come from the CVE board.

"Confusion resulting from the April 15, 2025 letter addressed to the CVE board has compelled us to plan for contingency with a sense of urgency to prevent disruptions to global cybersecurity defensive operations," the new group said in an April 16 statement. 

That's a lot sooner than they had hoped.

"We did not have this set up to pull the trigger at this point in time," Allor said.

But so far, the response has been surprisingly swift and positive. In less than a week's time since announcing the foundation, "the interesting part is the amount of people, organizations, governments, reaching out, [saying] 'We want to help. Can we donate?' It actually took our breath away," he added.

Allor declined to name the governments or the organizations that pledged funding, but added the governments are "not in North America." 

There's a place for everyone at this new CVE Foundation table, according to Allor: MITRE, CISA, private industry folks, and governments. "This should be global," he said. "We have to stop looking at it like a pond. Look at it like an ocean."

We have to stop looking at it like a pond. Look at it like an ocean

CISA declined to answer questions for this story, including if the agency would be willing to let the foundation be the new "long-term home" for the CVE program. A CISA spokesperson directed The Register to an April 23 statement from Matt Hartman, CISA acting executive assistant director for cybersecurity, that says, in part:

And continues:

The CVE Foundation, in a subsequent statement, noted that its members "stand in alignment with CISA and this commitment to working together to ensure a resilient, trusted, and innovative CVE Program."

There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure.

Other initiatives have successfully moved from the US government to a publicly managed service, according to the foundation: "DARPA turning the ARPANET into the internet, IANA managing protocol assignments, and ICANN managing internet names and addresses, which all started with the government being the single source of funding."

The CVE program can and should follow these examples, the foundation believes, and move "from a single-funding stream to a diversified funding model, which we believe will only strengthen the program and enable a stable, durable, internationally trusted program that works for the good of global consumers and organizations," the statement continues.

We have historically been and remain very open to reevaluating the strategy to support the continued efficacy and value of the program.  

We also recognize that significant work lies ahead. CISA, in coordination with MITRE and the CVE board, is committed to actively seeking and incorporating community feedback into our stewardship of the CVE Program. 

"This is not a coup," said Landfield, who is also a member of the CVE Foundation. "These are people who have been in this program for 26 years, in some cases, and so we want to work to make this better. These are passionate individuals that really do want this to succeed more than anything else on the planet."

Some members of the CVE Foundation met CISA on Thursday. "The talks were positive and encouraging," the foundation said in a statement. "All parties wish to keep the conversation and progress moving forward." ®