{"id":53707,"date":"2025-04-16T16:52:52","date_gmt":"2025-04-16T14:52:52","guid":{"rendered":"https:\/\/www.apfelpatient.de\/?p=53707"},"modified":"2025-04-16T16:53:36","modified_gmt":"2025-04-16T14:53:36","slug":"cve-database-without-funding-whats-at-stake-now","status":"publish","type":"post","link":"https:\/\/www.apfelpatient.de\/en\/news\/cve-datenbank-ohne-finanzierung-was-jetzt-auf-dem-spiel-steht","title":{"rendered":"CVE database without funding \u2013 what is at stake now"},"content":{"rendered":"

The security situation on the Internet is likely to worsen in the near future. This is due to a decision by the US government to cut funding for a central pillar of global IT security: the CVE database. If you rely on security updates from Apple, Microsoft, or other manufacturers, this directly affects you. Without up-to-date information about known vulnerabilities, it will be more difficult to detect and defend against new threats in a timely manner.<\/strong><\/p>\n\n\n\n

CVE stands for "Common Vulnerabilities and Exposures." It is a publicly accessible database that documents known security vulnerabilities in operating systems, applications, and devices. Each discovered vulnerability is assigned a unique CVE identifier so that developers, security teams, and even manufacturers speak the same language when it comes to patches and risks. The database helps problems be identified, shared, and fixed more quickly. CVE has now become a global standard. Almost every Apple security update references one or more CVE numbers. Google, Microsoft, and many Linux projects also work based on these entries. The database prevents duplication of work, helps security researchers collaborate, and is the most important source of reliable information about known vulnerabilities.<\/p>\n\n\n\n

Financing expires \u2013 without clear explanation<\/h4>\n\n\n\n

On Tuesday, the non-profit organization MITRE Corporation announced that funding for the operation of the CVE database would expire \u2013 as early as the following Wednesday. MITRE has previously been responsible for maintaining the database. The funds came from the U.S. government, specifically from the Department of Homeland Security, which is responsible through the CISA (Cybersecurity and Infrastructure Security Agency). The so-called CWE (Common Weakness Enumeration) program, which catalogs vulnerability categories, is also affected by the cuts. CISA confirmed to Reuters that the contract is indeed expiring (via Reuters<\/a>).<\/p>\n\n\n\n

Unclear reasons and open questions about financing<\/h4>\n\n\n\n

However, it also stated that efforts are being made to minimize the impact. Whether the agency will take over the CVE database itself or finance it in the future remains open. No one has said specifically why the contract was canceled. However, it is suspected that cost-cutting measures as part of larger government measures may play a role. Some even suspect a connection to the so-called DOGE service, in which Elon Musk is involved and which is attempting to break new ground in public IT infrastructure through aggressive cost reductions.<\/p>\n\n\n\n

Impact on software vendors and security teams<\/h4>\n\n\n\n

The consequences of the decision are immediately noticeable. Apple, for example, regularly uses the CVE database to check which security vulnerabilities have been discovered in iOS and macOS. Official update notes often include CVE IDs, allowing users and developers to track exactly which problems have been fixed. Without this basis, precise information about current risks is missing. This makes both the remediation and communication of security vulnerabilities more difficult. Security teams in companies and organizations around the world also rely on CVE. They base their vulnerability management on this database to test systems and respond quickly to new threats. Computer Emergency Response Teams (CERTs), i.e. national crisis response teams for IT security, lose their most important source of vulnerability information with the CVE database.<\/p>\n\n\n\n

Reactions from the security industry<\/h4>\n\n\n\n

The news sparked widespread criticism in the security community. Jean Easterly, the former head of CISA, wrote on LinkedIn that the discontinuation of the CVE database could have serious consequences for national security and business risk. She compared the database to the Dewey Decimal System of cybersecurity: Without it, professionals like librarians would be working in a chaotic library, not knowing where to look. Easterly also warned of an increased risk of ransomware attacks, data breaches, rising security costs, and a potential loss of trust among consumers and regulators. Brian Martin, a computer vulnerability historian, spoke of an immediate cascading effect. Without CVE, global vulnerability management would be weakened, and companies would face significant disruptions to their security processes.<\/p>\n\n\n\n

What you need to know as a user now<\/h4>\n\n\n\n

Even though the CVE database is a technical infrastructure, the cuts ultimately affect everyone who uses software\u2014including you. Updates could be delayed, vulnerabilities remain undiscovered longer, and the likelihood of becoming a victim of a cyberattack increases. While you can't stop the development, you can adapt your behavior:<\/p>\n\n\n\n