New on LowEndTalk? Please Register and read our Community Rules.
CVE foundation being defunded
Surprising nobody else has posted about CVE being defunded yet, as it was in the news yesterday, but anyway they've made an announcement now, and best of all, it starts with "FOR IMMEDIATE RELEASE"...
https://www.thecvefoundation.org/home
Hopefully we'll be able to collectively dodge the bullet that shutting down CVE might have been.
Comments
Well, ain't no one cares, except those who exploit those CVEs.
I believe that CVE being defunded will lead to the development of new organizations, which are not dependent on one country's donations.
No worries.
In a previous role, we developed a strategy to patch things no matter what. While CVEs are helpful to some extent, they become impractical at scale.
CVEs are needed for users, not those who develop software. I have subscriptions for 27 software units. After CVE is gone, I have to track all the different vendors and rely on their information about crit vulns.
Maybe I misunderstood what you mean, but saying that CVEs aren't necessary for software developers is simply incorrect and, frankly, irresponsible. This is about supply chain security - a single vulnerable dependency can compromise an entire system or platform.
FOR IMMEDIATE RELEASE: Any statement starting with "FOR IMMEDIATE RELEASE" automatically is serious, important, and official.
I approve
Side note: If CVEs are so important and useful - which they may well be for many - I wonder why there seems to be no fundraising quickly reaching >= $1 million.
No more vulnerabilities found = no more spending time fixing holes = saving money. Sorry, I don't see where this is a bad thing. /s
Outdated news. The US cybersecurity authority CISA exercised an existing option right, allowing the contract with MITRE to be extended, at least for the time being, by eleven months until March 15, 2026.
The European cyber security authority ENISA took the opportunity to spontaneously publish the European Vulnerability Database (EUVD), which has been announced since 2024.
It's been a solid day. We'll likely see an industry response in the coming weeks and months.
"Patching always" is not practical at scale at all -- updating versions breaks compatibility a lot of the time, especially in large and complex software. In addition, software often has multiple supported major/minor release lines as well, so "always upgrade" is not a good one size fits all solution.
The CVE database has been wildly misunderstood by quite a few people: it's just a catalog of all the vulnerabilities we've found in software so that people can easily refer to a vulnerability without having to describe it every time. It's also very useful if you're doing research into new classes of bugs and where, historically, bugs have been found.
I think the best way to understand the CVE database is kinda like an RSS feed aggregator: it basically combines every single feed of known vulnerabilities into a single unified one. Makes the work of researching vulnerabilities so much easier since you can always just Google the CVE number if you want more information. Imagine trying to research a vulnerability you've heard about using only keywords. You could probably find some useful results but you'll also likely miss a lot of valuable research because another security researcher used different keywords from you.
The CVE database is not perfect (I have a rant about that, trust me) but it at least does the one job it has relatively well.
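The aggregator analogy in the post above, and the earlier point about having to track many vendors separately, as an added example that is not part of this thread: constructed advisories from three hypothetical vendors (acme, globex, initech) describe the same bug in their own words; grouping on a shared CVE identifier collapses them into one entry, while the keyword-only fallback misses two of the three. The CVE IDs used are placeholders, not real records.

```python
import re
from collections import defaultdict

# Matches the CVE identifier format (CVE-YYYY-NNNN+).
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample advisories from three hypothetical vendors. The first
# three describe one underlying bug; only two of them carry the shared
# (placeholder) CVE ID, the third is vendor-only prose.
ADVISORIES = [
    {"vendor": "acme", "id": "ACME-25-07", "severity": "critical",
     "text": "Heap overflow in libexample image parser. See CVE-0000-00001."},
    {"vendor": "globex", "id": "GSA-118", "severity": "high",
     "text": "CVE-0000-00001: memory corruption in bundled libexample"},
    {"vendor": "initech", "id": "IN-42", "severity": "critical",
     "text": "Out-of-bounds write when decoding malformed images"},
    {"vendor": "acme", "id": "ACME-25-08", "severity": "low",
     "text": "Verbose error page leaks internal hostname, CVE-0000-00002"},
]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def group_by_cve(advisories):
    """Unify vendor feeds on the CVE ID; advisories without one stay under a vendor-local key."""
    groups = defaultdict(list)
    for adv in advisories:
        ids = CVE_ID.findall(adv["text"])
        key = ids[0] if ids else f"{adv['vendor']}:{adv['id']}"
        groups[key].append(adv)
    return dict(groups)


def search_by_keywords(advisories, keywords):
    """Fallback without a shared identifier: free-text keyword match across all feeds."""
    wanted = [k.lower() for k in keywords]
    return [a for a in advisories if any(k in a["text"].lower() for k in wanted)]


def max_severity(group):
    """Highest severity any vendor assigned to the same CVE."""
    return max(group, key=lambda a: SEVERITY_ORDER[a["severity"]])["severity"]
```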
In last-minute reversal, US agency extends support for cyber vulnerability database
https://www.reuters.com/world/us/us-agency-extends-support-last-minute-cyber-vulnerability-database-2025-04-16/
who did this?
iron trump or iron man?