Slashdot Mirror


US Government Takes Steps to Bolster CVE Program (bleepingcomputer.com)

The US government is taking steps to fix the Common Vulnerabilities and Exposures (CVE) system that's been plagued by various problems in recent years. From a report: The CVE was created in 1999 by the MITRE Corporation using US government funding. It is a database that contains identifiers (tracking numbers) for security vulnerabilities. Since its creation, the CVE system has been adopted by the public and private sectors. Most modern cyber-security software uses CVE numbers to identify and track cyber-attacks exploiting particular software bugs. Despite being a US creation, the system has been widely adopted in countries all over the globe, which use and recognize the CVE identifiers issued by MITRE's staff and industry partners. [...] On Monday, following a year-long investigation into the CVE program, the Energy and Commerce Committee sent letters to the Department of Homeland Security (DHS) and MITRE Corporation. In these letters, the Committee outlined the investigation's findings and proposed courses of action to fix the issues found with the CVE system. According to the two letters, the Committee says it identified inconsistent and largely diminishing DHS funding as one of the reasons the program has gone downhill and accumulated its huge backlogs.

11 of 22 comments

  1. Where it all started by Anonymous Coward · Score: 3, Informative
  2. US government? by Anonymous Coward · Score: 1

    Or the Trump Administration.

    You can't have it both ways.

    1. Re: US government? by Anonymous Coward · Score: 1

      The Energy and Commerce Committee is part of Congress, not part of the Trump administration.

    2. Re: US government? by Anonymous Coward · Score: 1

      The letters were sent by the House Energy and Commerce Committee, which is part of the legislative branch of the government. It would be appropriate to describe political appointees of President Trump as part of the Trump Administration. I wouldn't consider civil service employees in the executive branch to be part of an administration because they aren't political appointees. Certainly the legislative and judicial branches aren't part of any administration and are supposed to be separate. See the separation of powers in the Constitution for more information.

      It is absolutely incorrect to credit this to the Trump Administration. If Homeland Security Secretary Nielsen acts on the letter, that would be an act of the Trump Administration. This is not.

    3. Re:US government? by EndlessNameless · Score: 1

      Sure you can. Last time I checked, 2/3 branches of the federal government are not a part of the president's administration.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.

    4. Re:US government? by Darinbob · Score: 1

      "I want the people to know that they still have 2 out of 3 branches of the government working for them, and that ain't bad. " -- Mars Attacks

  3. Re:What's the CVE by EndlessNameless · Score: 1

    Zero-days announced via Twitter don't have CVEs. Someone has to submit it first.

    I'd expect MITRE to add it themselves now, but CVEs are usually disclosed confidentially to MITRE and the developer before a POC is released.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.

  4. The Short Version by EndlessNameless · Score: 5, Insightful

    MITRE went from $6.7m funding with 7,370 CVEs in 2012 down to $4.0m with 14,472 CVEs in 2015. So, roughly 60% of the funding for twice the output. And that's not accounting for year-to-year fluctuations, which make budgeting nearly impossible.

    Their solution is sensible:

    To solve this issue, the Committee proposes that DHS officials move CVE's funding from a contract-based funding scheme into the DHS budget itself, as a PPA (Program, Project, or Activity) funding line.

    A formal Program makes a great deal of sense in this case, as its work: has an important impact, will be fairly consistent over time, and has no foreseeable end date.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.

    1. Re:The Short Version by guruevi · Score: 1

      You seem to forget that CVE is not the only program and DHS is not the only sponsor. They have more than $4M worth of salaries on their board alone. Since they're a non-profit, the information is quite readily available, they have a total revenue of ~$1.3B.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:The Short Version by grep+-v+'.*'+* · Score: 1

      has no foreseeable end date.

      So, just like most government entities.

      I think it's great, doing a good job and they need to fund it. It needs an expiration date though, just like John McCain and everyone else has. If it's still doing a good job and nothing else has appeared to replace it, then extending it for another X years seems easily sensible. If SkyNet appeared earlier and always fixes all bugs everywhere, then maybe it's time to disband it.

      Once Elon and Jeff have become the Borg, THEN we'll see about never-ending committee entities. (Like the ones we already have.)

      Or does eventual existence renewal make things become political? Actually asking here. Also, Japan

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  5. Why bring back escort carriers? by myth24601 · Score: 1

    NT

    --
    No matter where you go, there you are.