- Related ongoing threads:
CVE Foundation - https://news.ycombinator.com/item?id=43704430
Replacing CVE - https://news.ycombinator.com/item?id=43708409
by jeff_carr
8 subcomments
- The contract with MITRE has been extended.
https://www.forbes.com/sites/kateoflahertyuk/2025/04/16/cve-...
My guess indefinitely.
DOGE might be a bunch of idiots, but in the entire DOD, there are non-idiots.
- I wish this hadn't happened.
I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
I ask this, because I don't think anyone in the subject matter specialist space would have made a strong case "kill it, we don't need this" and I am sure if asked would have made a strong case "CRISSAKE WE NEED THIS DONT TOUCH IT" - But I could believe senior finance would do their own research (tm) and misunderstand what they saw in how other people work with CVE, and who funds it.
- > A coalition of CVE Board members launched a new CVE Foundation "to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program."
> https://www.thecvefoundation.org
https://mastodon.social/@serghei/114346660986059236
by hubabuba44
5 subcomments
- The real irony here is that a lot of ycombinator founders and the people reading HN were exactly the ones making this possible and now start to wonder why the snake eats its own tail.
- Weren't there major problems with the current CVE implementation, especially with the waves of script kiddies and AI tools spamming the database and the fact that projects that take security seriously have little to no say in the "score" that gets assigned?
by transpute
4 subcomments
- If you work on OSS software on CVE management, then you already know that NVD funding reductions have been ongoing for more than a year.
April 2024, https://nvd.nist.gov/general/news/nvd-program-transition-ann...
NIST maintains the National Vulnerability Database (NVD).. This is a key piece of the nation’s cybersecurity infrastructure. There is a growing backlog of vulnerabilities.. based on.. an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.. We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.
Sep 2024, Yocto Project, "An open letter to the CVE Project and CNAs", https://github.com/yoctoproject/cve-cna-open-letter/blob/mai...
> Security and vulnerability handling in software is of ever increasing importance. Recent events have adversely affected many projects' ability to identify and ensure these issues are addressed in a timely manner. This is extremely worrying.. Until recently many of us were relying not on the CVE project's data but on the NVD data that added that information.
Five years ago (2019), I helped to organize a presentation by the CERT Director from Carnegie Mellon, who covered the CVE backlog and lack of resources, e.g. many reported vulnerabilities never even receive a CVE number. It has since averaged < 100 views per year, even as the queue increased and funding decreased, https://www.youtube.com/watch?v=WmC65VrnBPI
by InsideOutSanta
2 subcomments
- This makes me wonder what other stuff most people don't know exists but is important to our society has quietly disappeared in the last few weeks. We know about this one because we know it's important. What are the things we don't know about?
by Rebelgecko
13 subcomments
- I'm trying to steelman but I really can't think of a non-nefarious justification for this
by 1970-01-01
0 subcomment
- Root cause: Layer 8 failure
https://www.computerhope.com/jargon/l/layer8.htm
- The latest contract[1] (I hope this is the right one) for MITRE's involvement with CVE and CWE programs was USD$29.1m for the period 2024-04-17 to 2025-04-16 with optional extension of expenditure up to USD$57.8m and to an end date of 2026-04-16.
Seemingly MITRE hasn't been advised yet whether the option to extend the contract from 2025-04-16 to 2026-04-16 will be executed. And there doesn't appear to be any other publicly listed approach to market for a replacement contract.
[1] https://www.fpds.gov/ezsearch/jsp/viewLinkController.jsp?age...
- My tinfoil hat says they want to privatize this through one of the administration's friends. A disastrous decision here.
- Practically speaking, how much could it cost to maintain the CVE database?
Given its enormous value, isn't this something that the community, especially FAANG (MAANA?) could step up and fund as a nonprofit?
- It looks like the decision has been reverted, for now at least:
https://www.forbes.com/sites/kateoflahertyuk/2025/04/16/cve-...
- It’s a reckless move to cut funding so abruptly, but taking a step back from the short-term chaos, it probably is an anomaly that this was government funded. All of private tech relies on it, and private tech is big enough to pay for it. I hope that the trillion dollar babies consider this an opportunity to pool together to form a foundation that funds this, and a bunch of other open source projects run by one random person in Nebraska.
by atomicbeanie
0 subcomment
- The white house prefers chaos. This will certainly be a step in that direction.
by bytematic
2 subcomments
- What are the implications of this? No more centralized store of vulnerability information?
by joshuanapoli
2 subcomments
- Is MITRE's CVE program redundant with NIST's National Vulnerability Database? I'm having a hard time telling how the two are related, or if NVD is simply performing the same service as MITRE.
by wichitawch
8 subcomments
- I'm surprised that it was USA's responsibility to fund this in the first place. Why weren't other countries providing funds?
- Phew, no new annoying CVE reports in my Docker images from today
by apexalpha
1 subcomments
- Why is this sponsored by such an American gov entity?
I guess it's one of those things you never think about until it goes wrong.
The world would do well to move this kind of stuff out of the US quickly, just like ICANN and stuff.
- > In a stunning development
Who is still stunned by these things? They want you to be stunned; they want you to tell everyone else that you're stunned to spread feelings of terror and powerlessness. If you actually are stunned, you are stunningly ignorant. If you are not and still saying it, perhaps to emphasize your unhappiness, you are a 'useful idiot'. Either way, if you are saying it, you are a useful idiot.
You should have known decades ago: The GOP impeached a President for lying about sex; they fabricated intelligence to invade another country (killing thousands of Americans and 100,000+ Iraqis) - and that was all before 2004. They've voted almost unanimously, multiple times, to bankrupt the country (by refusing to authorize debt for existing obligations). Nobody (i.e., the Dems failed to) stopped them or made them pay a price, so why wouldn't they keep doing those things. (Edit: And if you object because the analysis criticizes one side and therefore you reject it as partisan, that's a big part of the reason nothing was done.)
This time they published Project 2025, telling you what they were going to do.
- Long term it's probably good to have a less US-centric world.
- The title of this article is simply false. The CVE Program is a separate entity from MITRE and is most definitely not ending. The CVE Program has been acquiring assets from MITRE for years now. That is why the main site shifted from cve.mitre.org to cve.org. MITRE has always simply been the workhorse of the program, and now that is being shifted to others (CVE foundation, which has global representation).
- Some companies are already clueless when it comes to CVE management. Probably won’t see the effects immediately, but give it a few more years for a new generation of vulns to be created/found and we will be back to early 2000s level security.
Open season on American corporations for domestic and foreign hackers.
If the program isn’t brought back, then the CVE database is likely to be fragmented amongst the “private” CVE databases.
Sec Corp A has 700 well documented CVEs but Sec Corp B has 702 CVEs in their database since NIST funding was pulled. What do corps do? Maybe some of them with massive budgets set up contracts with both to get “full spectrum coverage”. Maybe other non-technical companies that think of IT as strictly a cost will go with the cheapest or forgo it altogether.
Who knows maybe we get ~~~free labor~~~ open source community to pick up the slack?
This country with the orange man administration is quickly going to shit. Not in a “I dislike {opposing party} way” either. In a “I dislike authoritarian regimes” way.
by gorbachev
1 subcomments
- I wonder what would happen to CVE program funding if Tesla and SpaceX would be zero-dayed to hell and back.
- So who will maintain it then? Either the EU or China I suppose. They can easily fund it.
Maybe the Dutch should go ahead.
by RKFADU_UOFCCLEL
0 subcomment
- Including this as a prime example, the overall trend seems to be that we're going back to the bad old days where a kid gets to code the entire security infrastructure because the CEO thinks he's smart and then the bugs are covered up with legal threats (because they were able to mislead the courts), obfuscation, while being easily discoverable by 3rd parties. Another example is the way the bug bounty gimmick is run and most researchers never disclose their findings nor are they patched in any consistent manner, plus the companies threaten to sue you for disclosing even if it's 100 years later.
- One man appears at one position and so many things stop working in so little time
- vibe coding could not have come at a worse moment.
- So is this going to instantly break a bunch of tools like Trivy?
by 9283409232
3 subcomments
- Reminds me of Trump's first term where he said if we stopped testing for Covid, we'd stop catching new cases and case numbers would go down. If you stop testing for vulnerabilities then vulnerabilities go down. Easy stuff.
- Anyone feel confident that the companies who benefit massively from MITRE are even now planning to step in and provide significant funding?
by jovial_cavalier
0 subcomment
- I didn't realize that CVE was funded by the DHS. Isn't it better for it to be independent and not funded by an intelligence agency?
It's enough of a public good to have a common advisory for vulnerabilities that FAANG should just kick it a few million a year. How much can it possibly cost to run this anyway?
by WillAdams
2 subcomments
- FWIW, I've never understood why this sort of thing wasn't just directly handled by the NSA --- aren't they the group which should be tasked with cybersecurity?
I always suspected that "Department of Homeland Security" would lead to Banana-republic-like shenanigans --- could we defund them?
by gabesullice
1 subcomments
- As a newly minted cynic, this seems like a cynical play to save someone's budget.
Step 1: Post discreetly to a forum with minimal information and an absurdly short deadline
Step 2: Phone your friend, the former board member, to make your case on LinkedIn
Step 3: Ring up a friendly journalist and give them a tip
Step 4: Reference the ensuing chaos as justification for keeping your project funded
Note that the article carefully avoids pinning the blame on DOGE or the White House while heavily implying it. MITRE is technically a private entity, albeit a non-profit. And the very last paragraph of the article states:
> A CISA spokesperson told CSO, “CISA is the primary sponsor for the Common Vulnerabilities and Exposure (CVE) program… Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”
To be clear, the point isn't to say that the CVE program isn't valuable, nor is it to say that it's good for a shenanigan like this to be necessary.
The point is that, unless you're directly involved in this subject (not impacted—involved), it's probably best to maintain a "wait and see" attitude rather than succumb to catastrophizing this news.
- > CVE program faces swift end after DHS fails to renew contract
So CVE is a child of US 3 letter agencies? Good to know.
by blindriver
2 subcomments
- How much does CVE cost to maintain and why must the US fund the entire thing?
by i_love_retros
1 subcomments
- At this point it's not crazy to believe Russia is running the country
- I guess their new business model is to sell zero days to the highest bidder
- Important update April 16, 2025: Since this story was first published, CISA signed a contract extension that averts a shutdown of the MITRE CVE program.
by froggertoaster
1 subcomments
- Believe me when I say that DOGE is filled with smart people (I know a few of them).
Just because they're scattershot cutting doesn't mean they're stupid.
- I can’t see any long term benefits for the US. It looks like the current administration is fine with chaos and disruption on an unprecedented scale.
by trothamel
1 subcomments
- Does anyone know what the CVE program was costing per year? I searched around a bit, but wasn't able to find the number.
- I’m sure a much better private sector alternative will appear any day, in line with conservative dogma.
by JackYoustra
1 subcomments
- There are quite a few threads on hackernews that were cautiously optimistic about doge with, frankly, pretty naive libertarian takes about how the government works.
The government is not particular (in the sense of particularism) and cannot be easily tuned to fix particular problems; rather, its best solutions come through institutional procedure and design, such as the tension between the FAA and the NTSB that, at a first glance, would seem like obviously needless duplication and waste.
It is a broad, blunt, wasteful instrument to solve broad, blunt problems in a way that may not be the best but that work far, far better than alternatives that have been tried.
That the effort to treat government like a personal budget has ended up destroying important things is a sad inevitability of such efforts. I hope it goes remembered.
- Maybe Europe should charge the US for access to their CVE databases.
- Why can't the Wikipedia Foundation step in? They have millions of dollars.
by nodesocket
0 subcomment
- I’m betting CVE will get sponsored by a security company or Cloudflare.
by cbondurant
2 subcomments
- Am I missing something, or was this literally announced with less than 24 hours of warning that one of the critical components of the cyber security landscape was disappearing?
What the fuck are you supposed to do about this. This is something that should have had multiple MONTHS of warning in order to allow those who depend on the CVE infrastructure to plan what to do next with their security posture.
- Bad guys helping out bad guys--it's what mobsters do.
- dupe of a dupe https://news.ycombinator.com/item?id=43700258
by uptownfunk
0 subcomment
- Seems like a big miss on the part of DOGE?
by londons_explore
3 subcomments
- How much was this contract worth?
If it was $5000/yr it's very different to if it's $5M/year for what amounts to little more than an instance of mediawiki.
by porridgeraisin
1 subcomments
- Good. CVEs were the poster boy of Goodhart's law for the longest time. Most security vulnerabilities behind CVEs are utterly meaningless.
by andrehacker
0 subcomment
- Maybe change the headline now? As-is the headline is click-baity.
(spoiler alert: the contract has been extended)
- Europe needs to save the world!
- For now, historical CVE records will be available at GitHub:
https://github.com/CVEProject
- Just what is needed with an adversary during an asymmetrical trade war.
by outside1234
3 subcomments
- These four years are going to be the death of all of us.
by arghandugh
1 subcomments
- This industry relentlessly lionized Trump and Musk, elevating them to positions of power and handing them the power to destroy at will.
This is your moment! Enjoy it!
by paulmendoza
0 subcomment
- Anyone who voted for Trump voted for this type of dumb action. This is a major loss for society and safety.
by cookiengineer
23 subcomments
- If there are any Europeans here, I'd love to make my vulnerability database that's accumulated from all linux security trackers and the CVE/NVD open source if I can manage to find some folks who'd help with maintenance.
Currently hosting costs are unclear, but it should be doable if we offer API access for like 5 bucks / month for private and 100 / month for corporate or similar.
Already did a backup of the NVD in the last couple hours, currently backing up the security trackers and OVAL feeds.
Gonna need some sleep now, it's morning again.
My project criteria:
- hosting within the EU
- must have a copyleft license (AGPL)
- must have open source backend and frontend
- dataset size is around 90-148 GB (compressed vs uncompressed)
- ideally an e.V. for managing funds and costs, so it can survive me
- already built my vulnerability scraper in Go, would contribute it under AGPL
- already built all schema parsers, would contribute them also under AGPL
- backend and frontend needs to be built
- would make it prerendered, so that cves can be static HTML files that can be hosted on a CDN
- needs submission/PoC/advisory web forms and database/workflow for it
- data is accumulated into a JSON format (sources are mixed non-standard formats for each security tracker. Enterprise distros use OData or OVAL for the most part)
If you are interested, write me on linkedin.com/in/cookiengineer or here.
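The two pipeline steps in the list above, accumulating mixed sources into one JSON-shaped record set and prerendering each CVE as a static HTML file, as an added Go example that is not the commenter's scraper or schema parsers: it reads one CVE JSON 5.x-style record (the sample is constructed here, not a real advisory), normalizes it into an internal `Entry`, refuses an id that does not look like `CVE-YYYY-NNNN` before that id is reused as a file name, and renders the page with `html/template` so description text pulled from third-party feeds is escaped rather than trusted. `Normalize`, `RenderHTML`, `Entry` and the field subset of the record are choices made for this example, not names from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// cveRecord mirrors only the parts of a CVE JSON 5.x record read here; field names follow the published format.
type cveRecord struct {
	CveMetadata struct {
		CveID string `json:"cveId"`
	} `json:"cveMetadata"`
	Containers struct {
		CNA struct {
			Descriptions []struct {
				Lang  string `json:"lang"`
				Value string `json:"value"`
			} `json:"descriptions"`
			Affected []struct {
				Vendor   string `json:"vendor"`
				Product  string `json:"product"`
				Versions []struct {
					Version string `json:"version"`
					Status  string `json:"status"`
				} `json:"versions"`
			} `json:"affected"`
		} `json:"cna"`
	} `json:"containers"`
}

// Entry is the normalized shape every source is reduced to before rendering.
type Entry struct {
	ID          string
	Description string
	Affected    []string // "vendor/product version (status)"
}

// cveIDPattern accepts only well-formed ids, so an id taken from an upstream
// feed can safely double as the static file name (no "../" or separators).
var cveIDPattern = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

// Normalize parses one CVE JSON record into an Entry or rejects it.
func Normalize(raw []byte) (Entry, error) {
	var rec cveRecord
	if err := json.Unmarshal(raw, &rec); err != nil {
		return Entry{}, err
	}
	if !cveIDPattern.MatchString(rec.CveMetadata.CveID) {
		return Entry{}, fmt.Errorf("rejecting malformed CVE id %q", rec.CveMetadata.CveID)
	}
	cna := rec.Containers.CNA
	if len(cna.Descriptions) == 0 {
		return Entry{}, fmt.Errorf("%s has no description", rec.CveMetadata.CveID)
	}
	e := Entry{ID: rec.CveMetadata.CveID, Description: cna.Descriptions[0].Value}
	for _, a := range cna.Affected {
		for _, v := range a.Versions {
			e.Affected = append(e.Affected, fmt.Sprintf("%s/%s %s (%s)", a.Vendor, a.Product, v.Version, v.Status))
		}
	}
	return e, nil
}

// pageTmpl uses html/template, which contextually escapes advisory text that
// came from third-party feeds, so a hostile description cannot inject markup.
var pageTmpl = template.Must(template.New("cve").Parse(`<!doctype html>
<html><head><meta charset="utf-8"><title>{{.ID}}</title></head>
<body><h1>{{.ID}}</h1><p>{{.Description}}</p>
<ul>{{range .Affected}}<li>{{.}}</li>{{end}}</ul></body></html>
`))

// RenderHTML returns the static page for one entry; a caller would write it to <ID>.html and publish the tree on a CDN.
func RenderHTML(e Entry) (string, error) {
	var sb strings.Builder
	if err := pageTmpl.Execute(&sb, e); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// sampleRecord is a constructed record, not a real advisory; its description
// deliberately contains markup to show that rendering escapes it.
const sampleRecord = `{"cveMetadata":{"cveId":"CVE-1900-0001"},
 "containers":{"cna":{
  "descriptions":[{"lang":"en","value":"Constructed example: <script>alert(1)</script> in ExampleProduct."}],
  "affected":[{"vendor":"ExampleVendor","product":"ExampleProduct","versions":[{"version":"1.0","status":"affected"}]}]}}}`

func main() {
	e, err := Normalize([]byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	page, err := RenderHTML(e)
	if err != nil {
		panic(err)
	}
	fmt.Print(page)
}
```

The id check matters precisely because the pages are meant to be written out as files named after the CVE id: an id is the one field that travels from an untrusted feed straight into a filesystem path. Adding a second source (OVAL, a distro tracker) means writing another function that produces the same `Entry`, so the renderer never has to know where a record came from.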
by insane_dreamer
1 subcomments
- CVE was anti-American woke.
No, more seriously, just like with shutting down NOAA services, it seems the goal is to:
1. cut services (we saved taxpayer money!!)
2. at some point later: oh, we actually need those services
3. pay <insert your favorite vendor here, preferably one connected to Musk> to provide the service (see! we don't need to pay gov employees!!) (fine print: the vendor costs 2-3x the original cost). But by then no one is looking at the spending numbers anymore.
Slick moves.
- Now would be a great time for a major tech company to support them (or, even better, a consortium).
by delusional
0 subcomment
- Meh. It's not like I was going to ask the fascist autocracy about my software vulnerabilities.
by bathtub365
1 subcomments
- Now the NSA can hoard more 0days and the general public suffers. Win win for this administration
- Let me guess: Trump is going to make China pay for it.
- Uh oh did someone CVE grok or twitter?
- Mr. President, do you want China to get the reports instead, or do you want the NSA to have a lead time where the vulns are useful tools?
- LOL this is Amazing... Holy shit
- To the "I wish HN would stay out of politics" crew.
You can stay out of politics, but politics will always come and find you.
by gcollard-
2 subcomments
- Forget everything you know and consider that it might be a misguided and risky negotiation tactic.
Disclaimer: This is not business advice and should be read using Cartman’s voice.
Step 1: Announce publicly that you are not renewing your contract.
Step 2: If the market has viable alternatives or the service you are negotiating isn’t that hard to replicate, other actors will manifest to fill in the gaps, especially if your business is attractive. (E.g., The top comment is building an alternative; other comments point to alternative services.)
Step 3: Congratulations, you now have leverage for a significant discount with your previous provider because they face the real prospect of losing your business entirely to a competitor. If the competitor is private, you can even double dip by investing in their company before attributing them the contract.
by stego-tech
2 subcomments
- Man, I just can’t even muster the snark I usually have for these sorts of boneheaded decisions.
This sucks, plain and simple.
- if only there were 188 other countries and an entire private sector in each one that could fund this thing they are also affected by
- Trump stupidity hurts the country and world.
But maybe this is an opportunity to do CVE better.
- only one country pays but all benefit from it. It should be funded by all who benefit like UN.
- Good, less government involvement is better for everyone.
by the_doctah
4 subcomments
- Why is the government responsible for CVEs again?
- There seems to be little reason for the US government to pay for this since it is vital information that a lot of companies rely upon.
Some form of a foundation or NGO could be given a reasonable endowment from the industry to operate the CVE program.
I am quite hesitant to trust the DOD to keep track of software vulnerabilities. Some parts are developing and exploiting vulnerabilities. And a fresh feed of what people find, together with the usual delay from notification until publication (which may sometimes be just a bit longer), would allow the DOD to weaponize the vulnerability for its own use as well.
by Ferret7446
7 subcomments
- I don't see why this should be publicly funded, so I don't really see an issue with this. The industry benefits from having a CVE database, so the industry should fund it.