[HN Gopher] CVE Foundation
___________________________________________________________________
CVE Foundation
Author : layer8
Score : 436 points
Date : 2025-04-16 12:16 UTC (1 days ago)
(HTM) web link (www.thecvefoundation.org)
(TXT) w3m dump (www.thecvefoundation.org)
| melodyogonna wrote:
| Very nice!
| ta1243 wrote:
| Yeah, in the USA, where organisations and officers are
| continually threatened by an adversarial government.
|
| No thanks.
|
| Harvard for example doesn't kowtow to the regime, and look what
| happens. Non-profits in the USA are not independent.
| ape4 wrote:
| It's not hard to imagine the current regime complaining about a
| CVE issued about a product made by a favored company - eg x.com
| throwawaymaths wrote:
| A non profit is independent if they don't take federal money?
| Like EFF, for example.
|
| Maybe CVEs _should_ be tracked by a nongovernmental agency,
| like how UL works.
| mschuster91 wrote:
| > A non profit is independent if they don't take federal
| money? Like EFF, for example.
|
| The problem is the seat of the non-profit, as long as it is
| in the US it remains vulnerable to stuff like gag orders (and
| the UK is similar, see the recent issues with Apple and E2E
| encryption), or just the administration plainly ignoring the
| law and just forcing it to shut down or whatnot.
|
| > Maybe CVEs should be tracked by a nongovernmental agency,
| like how UL works.
|
| The current administration has attacked multiple
| nongovernmental agencies already, or trampled over federal
| law.
|
| The only thing I'd trust _for now_ to be a safe haven would
| be an international organization like the WHO that's backed
| by diplomatic treaties - but even these aren't safe either,
| just look at the ICC vs Israel debate, or the constant
| attacks and conspiracy theories on the WHO.
| dmix wrote:
| > as long as it is in the US it remains vulnerable to stuff
| like gag orders
|
| Only under FISA warrants where you can't reveal the
| investigation to the public or during a regular trial if
| the judge determines leaking details of the case will
| impact justice AFAIK.
| mschuster91 wrote:
| Do you trust this administration to respect the rule of
| law to that degree? _That_ is the core issue IMHO.
| throwawaymaths wrote:
| Probably less than most (but not all) administrations.
| Almost every administration has trampled on the rule of
| law. FDR and Wilson come to mind as among the worst. At
| least this administration has many vocal eyes on it.
| throwawaymaths wrote:
| > WHO conspiracy theory
|
| OK well we know where you stand on that issue. Too bad
| pretty much every working molecular biologist agrees that
| the WHO is covering up COVID origins.
| odo1242 wrote:
| Harvard takes a lot of federal money. On the order of millions
| to billions of dollars.
| brazzy wrote:
| However, they just refused demands to compromise their
| principles in order to keep receiving those billions, while
| many other organizations caved in to the threats.
| relistan wrote:
| Hopefully this is legit. There is no real info. They say both
| that they are responding to the announcement and that they have
| been planning it for a year. I doubt that the last part was
| intensely planned or they'd likely have announced something
| sooner.
|
| I suspect some likely fracturing of efforts here. Would be great
| if everyone did get behind a single solution. I'm not sure if
| this is it. A US-based non-profit is not maybe the best solution.
| excalibur wrote:
| The letter was dated yesterday, and in response they spent the
| past year working on this?
| HelloNurse wrote:
| "While we had hoped this day would not come, we have been
| preparing for this possibility.
|
| In response, a coalition ..."
|
| This sounds like secret, unofficial contingency planning; "this
| day" has apparently come very suddenly.
| excalibur wrote:
| On its face this sounds like a scheme quickly devised by a
| malicious actor to gain a trusted role. We're starting to see
| some external corroboration, so maybe it will turn out to be
| legitimate after all, but the smart money is always on
| skepticism.
| HelloNurse wrote:
| Definitely. Not showing an immediate threat, such as a copy
| of the CVE database or a request for money, can be assumed
| to be the typical approach of a long con rather than a sign
| of goodwill.
| odo1242 wrote:
| I doubt it's meant to be "secret" contingency planning, but
| definitely unofficial contingency planning
| LiamPowell wrote:
| Edit: See other comments. Some CVE board members have posted this
| on their social media accounts however there's still nothing on
| any official CVE channels. It's a little concerning that this was
| upvoted to the top of the front page before those comments had
| been posted given that this is a newly registered domain running
| on Google sites for something that it says has been in the works
| for a year.
|
| Original comment:
|
| Why is this being upvoted? There's no reference to it on the CVE
| website and the domain was only registered after the letter
| leaked despite the website claiming this was in the works for a
| year.
|
| Additionally the WHOIS claims that the registrant is "CVE
| Foundation" which can not be found using the IRS search tool for
| tax-exempt organisations (note that MITRE does show up here):
| https://apps.irs.gov/app/eos/
| stavros wrote:
| We're all just happy to see it.
| ForOldHack wrote:
| Extremely. We are all extremely happy to see it. No data
| sharing with the White House, keep the tsunami at bay.
|
| Not, "All your updates are belong to us."
|
| And...
|
| A personal thanks to every security researcher who has
| contributed in the last year. I see a CVE, and specifically
| look for the out-of-band update and patch everything that
| powers up.
|
| One breach on an old lady's laptop, who had the sense to
| bring it right to me. Keep those covers on the cameras folks.
| _verandaguy wrote:
| Seconding this. A program like CVE still has to be built on (to
| some extent, and at least in the initial stages) traditional,
| non-cryptographic trust.
|
| Who runs this thing? Who's funding it? Who's reviewing,
| testing, and approving the reports? Assigning them IDs?
|
| I'm hoping for the best, and I'm willing to give the benefit of
| the doubt because of the frankly crap timing around this whole
| mess, but on its face, in its current state, I wouldn't trust
| this org at all.
| ForOldHack wrote:
| It's a sad day when the CVE has to issue a CVE for the U.S.
| government. The meta... The meta ...
| OtherShrezzing wrote:
| This is a Google Workspace site thrown up 11hrs ago, and doesn't
| appear to be linked to from any official source.
|
| I don't think it's credible that CVE as an organisation would
| produce this website and not link to it from their official site
| or social media accounts.
| pama wrote:
| There is hope people will report this site and google will take
| it down quickly.
| xyst wrote:
| As I suspected in other thread, the gutting of the CVE program
| will lead to a fractured db of CVEs. Wonder how many more will
| pop up out of the wood works.
| inktype wrote:
| Comments are understandably negative as the press release has
| very little information, but I clicked vouch because I have a
| reason to believe it is legitimate
| edent wrote:
| Care to share your reason with the rest of the class?
| ForOldHack wrote:
| The Chinese, and Russians who share data with the N Koreans
| are prowling around like an oversexed pack of boy scouts 24
| hours a day, 7 days a week, and not a single one took Easter
| week off. Worried?
|
| CrowdStrike turned into the worst piece of garbage since
| waferlocks...
|
| The single most profitable source of foreign funds for N Korea
| turns out to be stolen bitcoins, while gov officials are
| forcibly removed from their desks...
|
| What. Me. Worry?
| __MatrixMan__ wrote:
| Packs are for cub scouts. It would be an oversexed troop.
| hobofan wrote:
| To all the comments doubting the legitimacy:
|
| Here is a LinkedIn post by one of the CVE board members
| (literally the first one on the list here[0]):
| https://www.linkedin.com/posts/peterallor_cve-foundation-act...
|
| I'm sure if you look at some of the contact information of other
| CVE board members and their broadcasting platforms you will also
| find something.
|
| [0]: https://www.cve.org/programorganization/board
| layer8 wrote:
| Tod Beardsley seems to confirm it as well:
| https://infosec.exchange/@todb
| Xunjin wrote:
| Ngl, I would love a more "clear confirmation"; he just boosted
| and posted a meme.
| hobofan wrote:
| He boosted a post that is 1:1 an announcement of the
| project.
|
| How much more of a "clear confirmation" do you want? An
| announcement from their non-existent personal press
| secretaries that just says the exact same text as that post
| he boosted?
|
| I think people here need to take a step back and realize
| that the people and board involved here are more like linux
| kernel maintainers that are not generally public figures
| and not C-level executives of a Fortune 500 company.
|
| Yes, since it's cybersecurity a bit more caution than usual
| is probably warranted, but it's not like the CVE DB has
| gone offline and everyone is currently scrambling to find
| the new legitimate replacement. Let's let this situation
| breathe for a few hours/days instead of being overly
| cautious and spending all energy on skepticism.
| Xunjin wrote:
| I've pointed out that I think a more clear (in this case
| an explicit message) would be better. You extrapolated to
| the other end, assuming that I wanted a press release,
| which I do feel is a false dichotomy. There are more than
| one existing option here, and a middle ground would
| certainly be perfect in this context.
| heresie-dabord wrote:
| > instead of being overly cautious and spending all
| energy on skepticism.
|
| Given the state of trustworthy information in news and
| public discourse, it's understandable that people request
| a credible source.
|
| The thing called "social media" ain't it.
| HelloNurse wrote:
| As this is security, assume the worst: it isn't legit unless
| MITRE confirms a handover, and even in that case there's ample
| room for questioning.
| LunaSea wrote:
| The Foundation should refuse to procure data to US governmental
| services and affiliated companies providing services to it.
| bildiba wrote:
| I haven't been actively monitoring for security vulnerabilities
| ever since I switched from system administration to software
| development a few decades back. These days, I just read news that
| talks about high profile vulnerabilities - I do see CVE a lot
| more than cert.
|
| We used to look at cert: https://www.kb.cert.org/vuls/ I just did
| a quick search to confirm that it is still there.
|
| What's the difference/relationship between the two?
| iterance wrote:
| The primary difference is that CVE was unexpectedly killed by
| the US Government yesterday and the program terminates today.
| alexmorley wrote:
| Edit suggests the contract has been renewed last minute.
|
| https://www.forbes.com/sites/kateoflahertyuk/2025/04/16/cve-...
| Shank wrote:
| Are there any non-Forbes sources that confirm this?
| marcusb wrote:
| Just social media posts, with claims they received the info
| from CISA
| https://infosec.exchange/@metacurity/114347467581760027
|
| Supposedly, MITRE will make a statement today. Time will
| tell.
|
| _Edit - it is MITRE, not CISA, which the poster expects to
| make a statement._
| ForOldHack wrote:
| This was 0 minutes ago. Glad to see how important CVE is to
| security personnel.
| marcusb wrote:
| ?
|
| Metacurity's post was like 90 minutes ago.
| shagie wrote:
| https://www.itpro.com/security/confusion-and-frustration-mit...
|
| > However, in an updated statement, the agency revealed it
| intends to maintain the database in a bid to prevent a lapse
| in CVE services.
|
| > "The CVE Program is invaluable to the cyber community and a
| priority of CISA," a spokesperson said.
|
| > "Last night, CISA executed the option period on the
| contract to ensure there will be no lapse in critical CVE
| services. We appreciate our partners' and stakeholders'
| patience."
|
| Searching for that last passage:
|
| https://www.bleepingcomputer.com/news/security/cisa-extends-...
|
| > "The CVE Program is invaluable to cyber community and a
| priority of CISA," the U.S. cybersecurity agency told
| BleepingComputer. "Last night, CISA executed the option
| period on the contract to ensure there will be no lapse in
| critical CVE services. We appreciate our partners' and
| stakeholders' patience."
|
| And https://www.reuters.com/world/us/us-agency-extends-support-l...
|
| > WASHINGTON, April 16 (Reuters) - U.S. officials have said
| at the last minute that they're extending support for a
| critical database of cyber weaknesses whose funding was due
| to run out on Wednesday.
|
| > The planned lapse in payments for the MITRE Corp's Common
| Vulnerabilities and Exposures database spread alarm across
| the cybersecurity community. The database, which acts as a
| kind of catalog for cyber weaknesses, plays a key role in
| enabling IT administrators to quickly flag and triage the
| myriad different bugs and hacks discovered daily.
| chris_wot wrote:
| Let me guess, Elon's DOGE crew were part of this and
| screwed up yet another thing that is essential for U.S.
| security?
| shagie wrote:
| My {conspiracy | belief | suspicion} is that this was
| something that as part of the DoD they saw "Mitre
| Corporation" and that organization's relationship with
| MIT and were pulling funding for anything "elite liberal
| academia" (even distantly related) combined with the
| "we're pulling back from anything cybersecurity" (
| https://news.ycombinator.com/item?id=43228029 ). (edit)
| I've run out of invocations of Hanlon's Razor and it
| needs a long rest before it's recharged. (/edit)
|
| I don't believe it was a mistake - they _wanted_ to pull
| its funding (and still intend to do). Note the wording of
| the statement:
|
| > Last night, CISA executed the option period on the
| contract to ensure there will be no lapse in critical CVE
| services.
|
| We are now in the option period.
|
| At some point in the future, that option period will
| expire.
| neodymiumphish wrote:
| This type of option exercise is extremely common in
| government contracts. I don't think there's much to read
| into on that front.
| shagie wrote:
| The option is common (the particulars of the award are at
| https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000019... ).
| The fact that the option needed to be done
| rather than DHS continuing to support CVE and related
| programs is an abandonment of the responsibilities of the
| organization to try to keep computer systems secure.
|
| https://www.cisa.gov/news-events/directives/bod-22-01-reduci...
| A binding operational directive is a compulsory direction
| to federal, executive branch, departments and agencies
| for purposes of safeguarding federal information and
| information systems. Section 3553(b)(2) of
| title 44, U.S. Code, authorizes the Secretary of the
| Department of Homeland Security (DHS) to develop and
| oversee the implementation of binding operational
| directives. Federal agencies are required to
| comply with DHS-developed directives. ...
| Remediate each vulnerability according to the timelines
| set forth in the CISA-managed vulnerability catalog. The
| catalog will list exploited vulnerabilities that carry
| significant risk to the federal enterprise with the
| requirement to remediate within 6 months for
| vulnerabilities with a Common Vulnerabilities and
| Exposures (CVE) ID assigned prior to 2021 and within two
| weeks for all other vulnerabilities. These default
| timelines may be adjusted in the case of grave risk to
| the Federal Enterprise.
|
| If there's no catalog that the government is maintaining
| for "these things need to be fixed to run on federal
| systems" ... then how do you ensure that the federal
| computers are secure?
| snickerbockers wrote:
| I would feel a lot better about my skills knowing that
| bigballs also had difficulty figuring out what the
| correct syntax for this particular engine's version of \w
| and how many layers of backslash escapes are needed.
| plasma_beam wrote:
| It hasn't posted to FPDS yet: https://www.fpds.gov/ezsearch/fpdsportal?q=PIID%3A%2270RCSJ2...
|
| Assuming this is the correct contract, which it appears to
| be, it had an option period starting today through March of
| next year. DHS just needed to exercise the option.
| DeepYogurt wrote:
| Main page news on https://www.cisa.gov/
| numpad0 wrote:
| Why would that be important???
| dang wrote:
| Related ongoing threads:
|
| _CVE program faces swift end after DHS fails to renew contract
| [fixed]_ - https://news.ycombinator.com/item?id=43700607
|
| _Replacing CVE_ - https://news.ycombinator.com/item?id=43708409
| Vox_Leone wrote:
| I think it's time the biggest players in the software industry
| step up, maybe through a formal consortium. This model would make
| sense because they benefit the most. Big tech companies rely on
| CVEs to secure their own products;
|
| They have the means. With their massive revenue and dedicated
| security teams, these companies could easily fund CVE operations.
| A consortium approach spreads responsibility fairly;
|
| Shared responsibility, shared benefits. Security is everyone's
| problem.
| jpleger wrote:
| Hahaha, CVE was created because industry refused to track and
| report on things in a consistent and transparent manner. When
| given the option, business will almost always choose the easy
| path, and things like vulnerability management programs will be
| set back years if not decades when the external accountability
| goes away.
|
| In general, lawyers and CTOs would probably love to see CVE go
| away or be taken over by industry.
|
| Source: been working in security for 20+ years.
| SOLAR_FIELDS wrote:
| Because CVE means accountability. It's very easy to shift
| accountability onto someone for an unpatched CVE. If given
| the chance to escape that accountability I'm sure every
| megacorp would jump at it.
| anon6362 wrote:
| Yup. I'd say around 15% of very severe incidents are ever
| announced publicly. In most cases, the default is cover-up
| and hope no one finds out.
|
| To anyone who thinks a libertarian/anarcho-capitalist/Network
| States "utopia" of Retire All Gubberment Employees (RAGE) is
| a "good thing", think about air, water, and soil pollution
| from sewage to arsenic to particulates to lead to
| radioactivity. Greedy sociopaths DGAF who they hurt, which is
| perhaps why James Madison observed: "If all men were angels,
| no government would be necessary." Obviously, this is not
| human nature and so some laws, enforcement, and regulators are
| required indefinitely. Anyone who tells you differently isn't
| a serious person.
| nonrandomstring wrote:
| The last people I am ever going to trust about matters of
| security is US BigTech. Consortium or not. This idea has no
| legs. We absolutely need an international cyber threat
| intelligence network, with many checks, balances and
| oversights. If we're going to ask "who funds it?" then we need
| to ask "who really benefits from a technology industry?"
| blitzar wrote:
| > biggest players in the software industry step up
|
| While they are at it maybe chuck $5 to the dev maintaining the
| open source package that your trillion dollar corporation
| relies on, that your 50,000 leetcoders can't figure out how to
| write or live without.
| 1970-01-01 wrote:
| There's nothing official about CVE moving.. Why should I trust
| anything on thecvefoundation.org? If you're going to do it, be
| serious about all of it. Set up something like "CVE.arpa" which
| immediately displays very serious credibility. Write an official
| handoff letter. Put out an official statement for its new home.
| What has been done here is another half-baked half-measure
| attempt at solving a very political problem.
| FateOfNations wrote:
| As somewhat of an aside, this development doesn't necessarily
| mean much in the way of changes to the way the program is
| currently run. The foundation can act as a conduit/collection
| point for funding from industry, with the program remaining run
| under a contract with MITRE.
___________________________________________________________________
(page generated 2025-04-17 23:02 UTC)