US government funding for nonprofit research organisation MITRE to maintain and develop its critical CVE database of cyber vulnerabilities expires today.
A critical vulnerability database run by non-profit MITRE, and used by IT administrators and cybersecurity professionals worldwide, runs out of US funding today (16 April).
The MITRE database is used by security researchers and cybersecurity defenders worldwide. In a letter which did the rounds among cyber experts on social media last night – which has been confirmed as authentic by Nextgov/FCW and Reuters – the Cybersecurity and Infrastructure Security Agency (CISA), whose parent agency funds the contract, confirmed that the contract was ending.
MITRE maintains and develops the Common Vulnerabilities and Exposures (CVE) database, which aims to identify, define and catalogue publicly disclosed cyber weaknesses, and is widely used by IT administrators to quickly identify various bugs and hacks that are being uncovered every day.
“We are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely,” wrote MITRE VP and director Yosry Barsoum in the letter that had been circulated to its board on Tuesday.
“Just when we thought cybersecurity wasn’t difficult enough,” commented Brian Honan, cybersecurity authority, and former special adviser on cybersecurity to Europol, last night on Bluesky on seeing the letter.
While Reuters was unable to establish the reason behind the contract lapse, it pointed to the fact that, like much of the US federal government, CISA is currently undergoing a major downsizing under Elon Musk’s DOGE Service.
“Put simply, MITRE is a critical, widely-used resource for centralizing and standardising information on software vulnerabilities,” said cybersecurity expert Brian Krebs on his blog. “That means the pipeline of information it supplies is plugged into an array of cybersecurity tools and services that help organizations identify and patch security holes — ideally before malware or malcontents can wriggle through them.”
On Mastodon’s Infosec.exchange last night, Krebs said he had reached out to MITRE, who confirmed to him that the annual contract was normally renewed on April 16 or 17, something which had not happened this year. Krebs linked to an archive of the CVE project on GitHub, as his sources at MITRE feared the database could go offline as soon as today.
It remains to be seen if this is simply another ‘error’ that will be reversed by the US administration when they realise its critical nature, but cybersecurity professionals worldwide will have eyes on progress this week.