The cybersecurity database the government nearly defunded

Photo: Closeup of the homepage of the CISA website. The Cybersecurity and Infrastructure Security Agency (CISA) is a U.S. federal agency under Department of Homeland Security oversight. (Adobe Stock)

For a few hours this week, the future of the Common Vulnerabilities and Exposures (CVE) Program — a database used by companies and governments to learn about new security holes in the software they use — looked uncertain.

This uncertainty, caused by a pending lapse in funding, raised the specter that critical infrastructure operators that depend on the database would experience deterioration to the essential service, leaving banks, governments, electrical grid operators, internet service providers and others unsure of the security of their systems.

MITRE, the company that operates CVE, told CVE board members in a letter on Tuesday that the funding was in question. That funding comes from the Cybersecurity and Infrastructure Security Agency (CISA), a bureau of the Department of Homeland Security.

"[On Wednesday,] the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs [...] will expire," according to a copy of the letter from MITRE that American Banker reviewed. "The government continues to make considerable efforts to continue MITRE's role in support of the program."

MITRE went on to tell board members that, if the funding were to expire, it would lead to "deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure."

Ultimately, CISA opted to extend CVE funding by 11 months. The decision came the night before the funding was set to expire.

"The CVE Program is invaluable to the cyber community and a priority of CISA," a CISA spokesperson told American Banker. "[Tuesday] night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."

The spokesperson did not explain why the funding for CVE had been in question to start with, or how much funding CISA, currently CVE's sole sponsor, provides to the program.

Only a few experts saw the funding crisis coming

The crisis was not entirely surprising. In fact, some members of the CVE Board had already come together months prior to start an effort to shift funding needs for CVE away from the U.S. government.

On Wednesday, a group of "longtime, active CVE Board members," who have "spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation," announced the formation of the CVE Foundation, according to a press release from the group.

"Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract," reads a statement from the CVE Foundation. "While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor."

The group framed the announcement as a "major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative," according to the foundation's press release.

Banks back CVE's continuation

The continued operation of CVE is backed by more than just CVE board members.

The Financial Services Information Sharing and Analysis Center (FS-ISAC), a nonprofit organization that shares cybersecurity intel among financial institutions globally, said it was "committed to working across its member and partner community" to ensure the continued operation of CVE, an FS-ISAC spokesperson told American Banker.

The FS-ISAC spokesperson said CVE "is critical to our mission of advancing the cybersecurity and resilience of the global financial system," and the program "ensures that organizations across public and private sectors understand emerging vulnerabilities and are able to prioritize mitigation according to their individual needs."

How important is CVE?

CVE is a major repository of vulnerabilities in commonly used software. For the most part, if a piece of software has a security vulnerability, and that vulnerability is public information, it appears in CVE.

Software creators and security researchers can list vulnerabilities in CVE regardless of how widely the affected software is used. For example, Google and Apple self-report vulnerabilities in their products; contributors to small open source projects also report vulnerabilities to CVE; and hobbyist cybersecurity researchers investigating proprietary products from now-defunct companies can put their work in CVE, as well.

Companies and governments around the world integrate CVE into their patch management programs. These programs make sure that organizations update their software when vulnerabilities are discovered, so that they are not exposed to publicly known weaknesses.

CVE is critical to compliance

Banks must maintain patch management programs that ensure they promptly apply security patches to the commercial software on which they rely. These programs almost universally rely on CVE. Last year, the Federal Deposit Insurance Corporation issued guidance to banks reminding them that a patch management program "should be part of an institution's overall computer security program," and detailing the qualities of a compliant patch management program.

While the FDIC guidance does not specifically instruct banks to use CVE to learn about new patches, it does refer to third-party sources for learning about new security patches, specifically naming MITRE and the National Vulnerability Database as potential sources. The National Vulnerability Database is maintained by the National Institute of Standards and Technology and provides additional information, such as severity scoring, on top of what is published in CVE.
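As an added illustration of how a patch management program consumes CVE data (this is example code, not code from the article, MITRE or NIST), the script below cross-checks a software inventory against records in the shape of the CVE JSON 5.x record format and ranks the hits by CVSS base score. The records, CVE IDs, products, versions and scores are constructed placeholders; the score is read from the record's own metrics block, and the version matching only handles dotted numeric versions.

```python
import json

# Constructed sample records in the shape of the CVE Record Format (JSON 5.x);
# the IDs and products are placeholders, not real vulnerabilities.
CVE_RECORDS = json.loads("""[
 {"cveMetadata": {"cveId": "CVE-0000-0001", "state": "PUBLISHED"}, "containers": {"cna": {
   "affected": [{"vendor": "examplecorp", "product": "ledgerd",
     "versions": [{"version": "2.0", "status": "affected", "lessThan": "2.4"}]}],
   "metrics": [{"cvssV3_1": {"baseScore": 9.8}}]}}},
 {"cveMetadata": {"cveId": "CVE-0000-0002", "state": "PUBLISHED"}, "containers": {"cna": {
   "affected": [{"vendor": "examplecorp", "product": "ledgerd",
     "versions": [{"version": "3.1.0", "status": "affected"}]}],
   "metrics": [{"cvssV3_1": {"baseScore": 5.3}}]}}},
 {"cveMetadata": {"cveId": "CVE-0000-0003", "state": "REJECTED"}, "containers": {"cna": {
   "affected": [{"vendor": "examplecorp", "product": "ledgerd",
     "versions": [{"version": "0", "status": "affected", "lessThan": "*"}]}]}}}]""")

INVENTORY = {"examplecorp:ledgerd": "2.1.5"}  # constructed: "vendor:product" -> installed version

def vtuple(v):
    """Dotted numeric version -> comparable tuple, e.g. '2.1.5' -> (2, 1, 5)."""
    return tuple(int(p) for p in v.split("."))

def version_affected(installed, vspec):
    """Apply one entry of a record's 'versions' list to an installed version."""
    if vspec.get("status") != "affected":
        return False
    start, lt, lte = vspec["version"], vspec.get("lessThan"), vspec.get("lessThanOrEqual")
    if lt is None and lte is None:              # a single exact version
        return vtuple(installed) == vtuple(start)
    if vtuple(installed) < vtuple(start):       # below the start of the range
        return False
    if "*" in (lt, lte):                        # open-ended range
        return True
    return vtuple(installed) < vtuple(lt) if lt is not None else vtuple(installed) <= vtuple(lte)

def matching_cves(records, inventory):
    """(cve_id, 'vendor:product', base_score) for inventory covered by a PUBLISHED record, highest score first."""
    hits = []
    for rec in records:
        meta, cna = rec["cveMetadata"], rec["containers"]["cna"]
        if meta.get("state") != "PUBLISHED":    # REJECTED/RESERVED records are not actionable
            continue
        score = next((m["cvssV3_1"]["baseScore"] for m in cna.get("metrics", []) if "cvssV3_1" in m), None)
        for aff in cna.get("affected", []):
            key = f'{aff["vendor"]}:{aff["product"]}'
            installed = inventory.get(key)
            if installed and any(version_affected(installed, v) for v in aff.get("versions", [])):
                hits.append((meta["cveId"], key, score))
    return sorted(hits, key=lambda h: -(h[2] or 0))
```

Running `matching_cves(CVE_RECORDS, INVENTORY)` flags only the first record: the installed 2.1.5 falls inside its 2.0 to 2.4 range, the second record names a different exact version, and the rejected record is skipped.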
