
Federal funding has been restored for a crucial cybersecurity program used by Apple and other tech giants, in a last-minute U-turn. Security experts had described the original decision to remove funding as stupid, dangerous, and chaotic.
However, the future of the Common Vulnerabilities and Exposures (CVE) program remains uncertain, despite its role in helping tech giants identify and fix security holes found in their products …
The CVE security program
We yesterday summarised the role of the CVE program in providing an easy and efficient way for any individual or organization to report a security vulnerability they have found in any tech product.
Once reported, it is assigned a unique ID comprising CVE- followed by the year and a serial number. This allows others to see that the issue has been reported, and to carry out their own investigations to assist the tech company concerned in determining the severity of the problem.
Where a vulnerability requires multiple tech companies to act, the CVE system helps them to coordinate their efforts. Apple, Google, and Microsoft are among the many companies to rely on the system.
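As an added illustration (not from the article, and not MITRE's own tooling), a small Python parser for the identifier format described above. It assumes the published CVE ID syntax of a four-digit year followed by a sequence number of at least four digits, a detail the article does not spell out; the sample advisory text and its IDs are constructed.

```python
import re

# Assumed CVE ID syntax (not stated in the article): "CVE-", a four-digit
# year, "-", then a sequence of at least four digits. Sequence numbers may be
# longer than four digits and may carry leading zeros (e.g. CVE-2024-0001).
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")

# Constructed sample text; the IDs are placeholders, not real entries.
SAMPLE_ADVISORY = (
    "Fixed in the latest update: CVE-2025-12345 (WebKit). Also see "
    "cve-2025-12345 and CVE-2024-0001; CVE-1998-0001, CVE-25-1 and "
    "CVE-2024-123 are malformed and must not be accepted."
)


def parse_cve_id(raw: str):
    """Return (year, sequence) for a well-formed CVE ID, or None.

    Surrounding whitespace is stripped and the prefix upper-cased so IDs
    copied from advisories or log lines are accepted; anything that does not
    match the syntax is rejected rather than guessed at.
    """
    m = CVE_ID_RE.match(raw.strip().upper())
    if m is None:
        return None
    year = int(m.group("year"))
    # The program began assigning IDs in 1999; earlier years are bogus.
    if year < 1999:
        return None
    # Keep the sequence as a string: leading zeros are part of the displayed
    # identifier even though CVE-2024-0001 and CVE-2024-1 compare equal as ints.
    return year, m.group("seq")


def extract_cve_ids(text: str):
    """Find every valid CVE ID mentioned in free text, deduplicated, in order.

    A defender triaging an advisory or ticket can use this to pull out the
    identifiers to cross-check against a vulnerability database.
    """
    found = []
    for match in re.finditer(r"\bCVE-\d{4}-\d{4,}\b", text, flags=re.IGNORECASE):
        parsed = parse_cve_id(match.group(0))
        if parsed is not None and parsed not in found:
            found.append(parsed)
    return found
```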
While the program falls under the auspices of the US Department of Homeland Security, its work is subcontracted to a private company, The MITRE Corporation.
Three developments in 24 hours
Things began when MITRE announced that federal funding had been removed, with just one day’s notice. Security professionals quickly expressed incredulity and dismay at the decision.
A short time later, a CVE board member said that they had been quietly working on a contingency plan for this eventuality, and announced that a CVE Foundation was being created. No information was provided on how this would be funded, though we speculated that Apple and other tech giants would likely contribute to it.
In the most recent development, Reuters reported a U-turn by the government, stating that funding would continue.
U.S. officials will extend support for 11 months for a database of cyber weaknesses that plays a critical role in fighting bugs and hacks, a spokesperson said on Wednesday, just as the funding was due to run out […]
The last-minute change of plan after the importance of the service was highlighted publicly is another instance of the confusion across government as U.S. President Donald Trump’s administration makes deep cuts to public spending.
The MITRE VP with responsibility for the program expressed appreciation to the security community.
“We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government over the last 24 hours,” Barsoum said.
Uncertainty remains
While the immediate pressure is off, the long-term future of the program remains unclear. There has been no indication whether the U-turn is temporary or permanent, and it’s uncertain whether the CVE board will pursue plans for an independent non-profit foundation to try to take over funding.
Photo by Roman Synkevych on Unsplash