Slashdot Mirror


US Government Takes Steps to Bolster CVE Program (bleepingcomputer.com)

The US government is taking steps to fix the Common Vulnerabilities and Exposures (CVE) system that's been plagued by various problems in recent years. From a report: The CVE was created in 1999 by the MITRE Corporation using US government funding. It is a database that contains identifiers (tracking numbers) for security vulnerabilities. Since its creation, the CVE system has been adopted by the public and private sectors. Most modern cyber-security software uses CVE numbers to identify and track cyber-attacks exploiting particular software bugs. Despite being a US creation, the system has been widely adopted in countries all over the globe, which use and recognize the CVE identifiers issued by MITRE's staff and industry partners. [...] On Monday, following a year-long investigation into the CVE program, the Energy and Commerce Committee sent letters to the Department of Homeland Security (DHS) and MITRE Corporation. In these letters, the Committee outlined the investigation's findings and proposed courses of action to fix the issues found with the CVE system. According to the two letters, the Committee identified inconsistent and largely diminishing DHS funding as one of the reasons the program has gone downhill and accumulated its huge backlogs.

22 comments

  1. What's the CVE by Anonymous Coward · · Score: 0
    1. Re:What's the CVE by EndlessNameless · · Score: 1

      Zero-days announced via Twitter don't have CVEs. Someone has to submit it first.

      I'd expect MITRE to add it themselves now, but CVEs are usually disclosed confidentially to MITRE and the developer before a POC is released.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  2. Where it all started by Anonymous Coward · · Score: 3, Informative
  3. US government? by Anonymous Coward · · Score: 1

    Or the Trump Administration.

    You can't have it both ways.

    1. Re: US government? by Anonymous Coward · · Score: 1

      The Energy and Commerce Committee is part of Congress, not part of the Trump administration.

    2. Re: US government? by Anonymous Coward · · Score: 1

      The letters were sent by the House Energy and Commerce Committee, which is part of the legislative branch of the government. It would be appropriate to describe political appointees of President Trump as part of the Trump Administration. I wouldn't consider civil service employees in the executive branch to be part of an administration because they aren't political appointees. Certainly the legislative and judicial branches aren't part of any administration and are supposed to be separate. See the separation of powers in the Constitution for more information.

      It is absolutely incorrect to credit this to the Trump Administration. If Homeland Security Secretary Nielsen acts on the letter, that would be an act of the Trump Administration. This is not.

    3. Re:US government? by EndlessNameless · · Score: 1

      Sure you can. Last time I checked, 2/3 branches of the federal government are not a part of the president's administration.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    4. Re:US government? by Anonymous Coward · · Score: 0

      Sure you can. Last time I checked, 2/3 branches of the federal government are not a part of the president's administration.

      Someone needs to explain that to Trump, then, because he seems to have no concept of what the Constitutional scope of his powers actually are.

      The reality is, the DOJ etc are independent of the Executive branch, no matter what Trump the Idiot thinks.

      Unfortunately, Trump seems to think he's been given unlimited powers over all aspects of government.

    5. Re:US government? by Darinbob · · Score: 1

      "I want the people to know that they still have 2 out of 3 branches of the government working for them, and that ain't bad. " -- Mars Attacks

    6. Re:US government? by Anonymous Coward · · Score: 0

      Sure you can. Last time I checked, 2/3 branches of the federal government are not a part of the president's administration.

      Uh-huh. In reality, behind-the-scenes, it's one big toga party.

    7. Re:US government? by Anonymous Coward · · Score: 0

      Actually the DOJ is part of the Executive Branch and the leaders of the DOJ are appointed and fired by the President.

      As the article stated the DOJ is not as responsive to the President's whims (for good reason) as other executive branch agencies but it is most definitely part of the Executive Branch of the US Government.

  4. President Trump tweeted: by Anonymous Coward · · Score: 0

    "Let's make american CVE great again!"

    1. Re:President Trump tweeted: by Anonymous Coward · · Score: 0

      The problem is that there is not enough staff to confirm exploits.

  5. The Short Version by EndlessNameless · · Score: 5, Insightful

    MITRE went from $6.7m funding with 7,370 CVEs in 2012 down to $4.0m with 14,472 CVEs in 2015. So, roughly 60% of the funding for twice the output. And that's not accounting for year-to-year fluctuations, which make budgeting nearly impossible.

    Their solution is sensible:

    To solve this issue, the Committee proposes that DHS officials move CVE's funding from a contract-based funding scheme into the DHS budget itself, as a PPA (Program, Project, or Activity) funding line.

    A formal Program makes a great deal of sense in this case, as its work: has an important impact, will be fairly consistent over time, and has no foreseeable end date.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    1. Re:The Short Version by Anonymous Coward · · Score: 0

      And before anyone tries to argue that $4 million is a lot of money, it's actually barely enough to keep the lights on. Factoring in overhead, that's at most a dozen full-time staff. Factor in management and part-time consults and it's more like half that. And if you've got people cycling in and out, you're losing a chunk of that to training and even more part-time consults, so it's probably four people running the whole thing. Knowing how team projects go, that means one person actually knows how things work and the others do their best just to keep up. Or they don't and someone new gets brought in, rinse, repeat. Make the funding uncertain (and/or the workload overwhelming) and that one person will move to a more stable project. So now you've got a bunch of starry-eyed new hires tasked with managing a critical industry resource. Good luck with that.

    2. Re:The Short Version by guruevi · · Score: 1

      You seem to forget that CVE is not the only program and DHS is not the only sponsor. They have more than $4M worth of salaries on their board alone. Since they're a non-profit, the information is quite readily available, they have a total revenue of ~$1.3B.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:The Short Version by Anonymous Coward · · Score: 0

      All of which is completely irrelevant. Unless a different sponsor agrees to pay for CVE, the funds have to come from DHS and only funds allocated for CVE can be used. Paying for CVE with funds from other projects or other sponsors would put them on a path toward having zero programs and zero sponsors. These things must be very carefully tracked and are routinely audited; it's not like they can just grab a few people off of a DoD project and have them work CVE for a few months on the DoD's dime when there's a backlog.

    4. Re:The Short Version by grep -v '.*' * · · Score: 1

      has no foreseeable end date.

      So, just like most government entities.

      I think it's great, doing a good job and they need to fund it. It needs an expiration date though, just like John McCain and everyone else has. If it's still doing a good job and nothing else has appeared to replace it, then extending it for another X years seems easily sensible. If SkyNet appeared earlier and always fixes all bugs everywhere, then maybe it's time to disband it.

      Once Elon and Jeff have become the Borg, THEN we'll see about never-ending committee entities. (Like the ones we already have.)

      Or does eventual existence renewal make things become political? Actually asking here. Also, Japan

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  6. Finally, a President who cares. by Anonymous Coward · · Score: 0

    Unlike Obama who ignored the CVE gap and let the US Navy not operate any form of CVE since the 1960s, after not building any since the 1940s, the current glorious Trump administration will bridge the existing CVE gap and defeat the Soviets with American ships.

  7. Why bring back escort carriers? by myth24601 · · Score: 1

    NT

    --
    No matter where you go, there you are.