Martin added, “Third, every company that maintains ‘their own vulnerability database’ that is essentially lipstick on the CVE pig will have to find alternate sources of intelligence. Fourth, national vulnerability databases like China’s and Russia’s, among others, will largely dry up (Russia more than China). Fourth [sic], hundreds, if not thousands, of National / Regional CERTs around the world, no longer have that source of free vulnerability intelligence. Fifth [sic], every company in the world that relied on CVE/NVD for vulnerability intelligence is going to experience swift and sharp pains to their vulnerability management program.”
Why is the contract ending?
It’s unclear what led to DHS’s decision to end the contract after 25 years of funding the highly regarded program. The Trump administration, primarily through Elon Musk’s Department of Government Efficiency initiative, has been slashing government spending across the board, particularly at the Cybersecurity and Infrastructure Security Agency (CISA), through which DHS funds the MITRE CVE program.
Although CISA has already been through two funding cuts, press reports suggest that nearly 40% of the agency’s staff, or around 1,300 employees, are still slated for termination. However, sources say that compared to the budget cuts made elsewhere in the federal government, the expense of running the CVE program are minor and “won’t break the bank.”