CVE program faces swift end after DHS fails to renew contract [updated]

What happened and current status

  • DHS/CISA’s contract with MITRE to operate the CVE program reached its end date; internal communications and official statements initially indicated it would “lapse” and no new CVEs would be added after the cutoff, putting the program in limbo.
  • After a backlash, reports say the contract has now been extended, at least short‑term, and a new independent CVE Foundation has been announced as a longer‑term home.
  • Commenters note this is part of a broader pattern of abrupt DOGE‑driven federal cuts with minimal notice, then partial walk‑backs.

Role of CVE/NVD and likely technical impact

  • CVE is the global ID system; NIST’s NVD imports CVEs and enriches them with metadata and scoring. NVD has already had a large backlog since 2023–24 due to funding and workload strain.
  • Without a stable CVE program, vulnerability tracking fragments: vendors and scanners must reconcile multiple, possibly conflicting identifier sources, and products built on many third‑party libraries are more likely to miss critical issues.
  • People expect more zero‑day hoarding, flourishing black markets, and weaker baseline security for “the West,” including US government systems that themselves rely on CVEs.

Funding, governance, and potential replacements

  • Debate over costs: cited numbers for NVD/CVE range from a few million per year to implausibly high estimates; historical funding levels remain unclear.
  • Some argue it’s a classic public good that should be state‑funded to remain neutral and open; others say the trillion‑dollar tech sector should pool funds, via a foundation or consortium, to run it outside government.
  • Concerns about industry capture: a vendor‑funded registry might downplay or delay severe bugs in its own products.
  • The EU and others already run or plan their own databases (ENISA/EUVD, national CERTs, CIRCL, OSV). Several commenters propose an EU‑ or multi‑country‑led replacement, or community‑run OSS efforts, but note that coordination and long‑term funding are hard.

Politics, motives, and austerity narrative

  • One camp sees the near‑shutdown as consistent with a broader ideological project (Project 2025, DOGE, “starve the beast,” privatize then overpay cronies, or even deliberate weakening in favor of foreign adversaries).
  • Another frames it as blunt austerity amid a large US deficit: cutting “non‑essential” programs first, even if penny‑wise, pound‑foolish.
  • There is no consensus on whether this was malice, ideology, incompetence, or a crude bargaining tactic to push others to fund the program.

CVE quality vs necessity

  • Practitioners criticize CVSS scores as noisy and easily misused by auditors and compliance tools (e.g., high scores for irrelevant environments).
  • Still, most agree an authoritative, global ID system for vulnerabilities is vastly better than nothing, and flaws in scoring or process are an argument for reform, not abolition.