The US Department of Homeland Security has not extended its contract with MITRE for the work of assigning CVE (Common Vulnerabilities and Exposures) identifiers to vulnerabilities, maintaining the centralized database of publicly known vulnerabilities, and maintaining the CWE (Common Weakness Enumeration) catalogue of weakness types. In addition, a general reduction in MITRE's funding has been noted, which has already led to the dismissal of more than employees this month. It is assumed that, unless alternative ways to sustain the program are found, the assignment of new CVE identifiers could stop as early as today.
At the time of writing, the CVE database is still being updated and the site cve.mitre.org continues to work (the shutdown could take effect after the start of the US business day). If MITRE's services are terminated, historical data on already issued CVE identifiers will remain available in the mirror on GitHub (the CVEProject/cvelistV5 repository).
CVE identifiers are critical for security infrastructure: they make it possible to track the fix for each specific vulnerability and ensure that different products, advisories and services refer to the same vulnerability by the same name. All vulnerability tracking and coordinated disclosure systems are tied to CVE in one way or another. Corporations will probably find a way to keep the CVE project alive, either through independent joint funding or by creating a separate consortium.
CVE assignment has already been partly decentralized: many projects and companies have received CNA (CVE Numbering Authority) status, which grants the right to assign CVEs independently within their area of responsibility, using separate blocks of CVE numbers reserved by MITRE. At the same time, the bulk of the work of issuing individual CVE numbers on request has still been carried out by MITRE.
453 projects and companies hold CNA status, including the developers of Linux, Apache, curl, Debian, Eclipse, Fedora, FreeBSD, glibc, Gitea, Go, Kubernetes, Node.js, LibreOffice, Mozilla, OpenSSL, PHP, Perl, PostgreSQL, Python, Xen, ISC, Red Hat, Canonical, SUSE, GitHub and Google. MITRE's role in its interaction with CNAs comes down to coordinating the allocation of CVE number blocks and tracking possible collisions between CVE identifiers (each vulnerability should be associated with exactly one CVE identifier).
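If the cve.mitre.org site goes away, the GitHub mirror mentioned above is what tooling would have to consume, and the one-vulnerability-one-identifier rule is what anyone merging records from several CNAs has to enforce. The following Python script is an added example, not code from the original article or from MITRE or the CVE Project: it parses records in the CVE JSON 5.x shape, extracts the CWE, affected-product and CVSS fields an advisory pipeline keys on, validates CVE ID syntax, and flags colliding IDs. The field names (cveMetadata.cveId, containers.cna.problemTypes, and so on) follow the public CVE record schema as assumed here; the sample records themselves are constructed placeholders with invented IDs, CNA names, vendor, product and scores, not real vulnerabilities.

```python
import json
import re

# CVE identifier syntax: "CVE-" + four-digit year + "-" + four or more digits
# (sequence numbers have had no fixed upper length since the 2014 syntax change).
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample records in the shape of CVE JSON 5.x, the format in which the
# CVE Project publishes records on GitHub. Field names follow the public schema
# (an assumption); IDs, CNA names, vendor, product and text are placeholders,
# not real CVE records. The third entry reuses the first ID, as if two CNAs had
# filed the same bug; the fourth has a malformed ID.
SAMPLE_RECORDS_JSON = """
[
  {"dataType": "CVE_RECORD", "dataVersion": "5.1",
   "cveMetadata": {"cveId": "CVE-2025-99990001", "assignerShortName": "ExampleCNA",
                   "state": "PUBLISHED"},
   "containers": {"cna": {
     "descriptions": [{"lang": "en", "value": "Constructed placeholder description."}],
     "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp",
                   "versions": [{"version": "1.0", "lessThan": "1.4",
                                 "status": "affected", "versionType": "semver"}]}],
     "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79",
                                         "description": "CWE-79 Cross-site Scripting"}]}],
     "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM",
                               "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}],
     "references": [{"url": "https://example.invalid/advisory-1"}]}}},
  {"dataType": "CVE_RECORD", "dataVersion": "5.1",
   "cveMetadata": {"cveId": "CVE-2025-99990002", "assignerShortName": "ExampleCNA",
                   "state": "PUBLISHED"},
   "containers": {"cna": {
     "descriptions": [{"lang": "en", "value": "Second constructed placeholder."}],
     "affected": [{"vendor": "ExampleVendor", "product": "ExampleLib"}],
     "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787",
                                         "description": "CWE-787 Out-of-bounds Write"}]}]}}},
  {"dataType": "CVE_RECORD", "dataVersion": "5.1",
   "cveMetadata": {"cveId": "CVE-2025-99990001", "assignerShortName": "AnotherCNA",
                   "state": "PUBLISHED"},
   "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Duplicate filing."}]}}},
  {"dataType": "CVE_RECORD", "dataVersion": "5.1",
   "cveMetadata": {"cveId": "CVE-2025-123", "assignerShortName": "ExampleCNA",
                   "state": "PUBLISHED"},
   "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Malformed ID."}]}}}
]
"""


def load_records(text: str) -> list:
    """Parse a JSON array of CVE records (the mirror stores one record per file)."""
    return json.loads(text)


def is_valid_cve_id(cve_id: str) -> bool:
    """True only for the canonical upper-case CVE-YYYY-NNNN... form."""
    return CVE_ID_RE.fullmatch(cve_id) is not None


def summarize(record: dict) -> dict:
    """Pull the fields an advisory pipeline usually keys on out of one record."""
    meta = record["cveMetadata"]
    cna = record.get("containers", {}).get("cna", {})
    cwe_ids = sorted({d["cweId"]
                      for pt in cna.get("problemTypes", [])
                      for d in pt.get("descriptions", []) if "cweId" in d})
    affected = [(a.get("vendor", "n/a"), a.get("product", "n/a"))
                for a in cna.get("affected", [])]
    # Prefer the newest CVSS version present; records may carry several or none.
    cvss = None
    for metric in cna.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in metric:
                cvss = metric[key].get("baseScore")
                break
        if cvss is not None:
            break
    return {"id": meta["cveId"], "assigner": meta.get("assignerShortName"),
            "state": meta.get("state"), "cwe": cwe_ids, "affected": affected, "cvss": cvss}


def index_records(records: list) -> tuple:
    """Map CVE ID -> record, rejecting malformed IDs and reporting collisions.
    Exactly one CVE ID belongs to one vulnerability, so a reused ID is an error
    to raise with the CNA, not something to merge silently."""
    index, malformed, duplicates = {}, [], []
    for rec in records:
        cve_id = rec["cveMetadata"]["cveId"]
        if not is_valid_cve_id(cve_id):
            malformed.append(cve_id)
        elif cve_id in index:
            duplicates.append(cve_id)
        else:
            index[cve_id] = rec
    return index, malformed, duplicates


if __name__ == "__main__":
    idx, bad, dup = index_records(load_records(SAMPLE_RECORDS_JSON))
    for cve_id, rec in idx.items():
        print(summarize(rec))
    print("malformed:", bad, "duplicates:", dup)
```

Against a real checkout of the mirror you would feed `load_records` the contents of each JSON file under the per-year directories instead of the embedded string; the rest of the logic is unchanged. Keep the regex strict on case: lower-case or space-separated variants are a common source of failed cross-references between advisories.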
