CVE: The end is not near

By CERT-EU

If you are reading our blog, chances are that you follow what’s going on in the cybersecurity world. Hence, you probably already know what recently happened regarding the CVE program.

Nevertheless, allow us to briefly set the ground for those who may have gotten stuck in a space-time anomaly or simply enjoyed a few days off. Feel free to scroll down a bit if you’d like - no hard feelings.

The CVE program is a crucial resource for identifying, defining, and recording publicly disclosed cybersecurity vulnerabilities in a standardised way across the industry. MITRE, the organisation managing the CVE database, relies on a network of organisations, the CVE Numbering Authorities (CNAs), to allocate CVE identifiers for newly discovered vulnerabilities.

The recent news surrounding the CVE program sparked concern among the cybersecurity community, with initial reports suggesting that funding issues threatened its continuity.

However, on 23 April, the Cybersecurity and Infrastructure Security Agency (CISA) issued a press release clarifying that the issue was administrative in nature, not related to funding as previously believed. The clarification came after speculation about the program's future due to a reported deadline for the US Department of Homeland Security's contract with MITRE.

Nevertheless, the episode has raised valid questions about the long-term management and stability of the CVE program within the cybersecurity community.

Wait! What now?!

Don’t panic! While there are valid concerns about the future management of CVEs, the current situation remains stable. The CVE program has been supported by the US government for 25 years, and a solid international community is involved in the matter.

Our current assessment is that the CVE program is not at risk at the moment. Nevertheless, these recent events have provided an opportunity to reflect on existing issues, such as decentralisation, CVE block allocation, and disputes between CNAs, among others. These issues are on the community's radar, and a number of initiatives are already in motion to tackle these challenges and implement possible improvements.

Shortly after the CVE program's issues gained media attention, several new initiatives emerged, while existing ones gained renewed momentum and visibility, together demonstrating the community's vibrancy and responsiveness.

For instance, a significant subset of the Official CVE Board, as per their claim, set up a non-profit foundation to keep supporting and contributing to the CVE program in the future: https://www.thecvefoundation.org.

Our colleagues at the European Union Agency for Cybersecurity (ENISA) unveiled a new European vulnerability database: the EUVD. This project stems from the NIS2 Directive, which entered into force in January 2023 and requires the creation of coordinated vulnerability disclosure frameworks and of a European vulnerability database. The project started well before the current CVE debate, but recent events have underscored just how timely and valuable this initiative really is. You can learn more about the EUVD on ENISA's website: https://euvd.enisa.europa.eu/about.

Moreover, the Single Reporting Platform (SRP), as defined by the Cyber Resilience Act (CRA), will establish a notification process for actively exploited vulnerabilities impacting hardware and software products with digital elements placed on the European single market.

Furthermore, the Computer Incident Response Center Luxembourg (CIRCL) suggested a decentralised approach called GCVE (Global CVE Allocation System). This solution aims to increase flexibility, scalability, and autonomy for organisations involved in vulnerability management, while remaining compatible with the traditional CVE system. More information about GCVE is available at: https://gcve.eu. This proposal is a notable example of the efforts being made to address some of the current issues affecting the CVE program, by rethinking the current approach and exploring alternatives that can potentially enhance the overall vulnerability management ecosystem.

At CERT-EU, we'll continue to monitor the situation and provide updates as necessary. We're committed to supporting the Union entities in navigating these challenges and finding solutions that benefit the entire cybersecurity community.

Thanks for reading and stay tuned for more updates on this topic!
