The U.S. government has cut its funding of the CVE database, used to track security vulnerabilities in operating systems and software. It's a change that will make it harder for Apple to monitor and fix software issues.
The Common Vulnerabilities and Exposures (CVE) database is an important part of modern cyber security. It's a central database of vulnerabilities found in operating systems and applications, which can be abused by hackers and malware to attack targets in various ways.
On Tuesday, the defense non-profit MITRE Corporation said its funding to maintain the CVE database will expire on Wednesday. At the same time, the Common Weakness Enumeration (CWE) program will also lose its funding.
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed to Reuters that the contract was ending. The U.S. Department of Homeland Security, parent organization of CISA, funded the contract.
CISA added that it is working to mitigate its impact, and to maintain the CVE services as far as possible. It didn't say whether it was going to formally take over the database.
There was also no explanation for why the contract has lapsed. However, it is thought that CVE may have been caught up in the ongoing effort of the Elon Musk-led DOGE Service to cut costs.
Critical system's big impact
CVE is a critical part of the security ecosystem, and something Apple frequently looks at for issues. Many security updates for iOS and macOS have referenced listings in CVE, allowing researchers to know what issues have been fixed and what vulnerabilities have been stopped.
As a central database that developers and researchers consult, it minimizes duplicate listings and duplicated work, so researchers can more easily collaborate on issues. It has also become the standard way vulnerabilities are referred to throughout the security industry.
Security researchers and other members of the field responded to the loss of funding immediately, with a near-universal outcry that this is bad for security in general.
Former CISA chief Jen Easterly wrote on LinkedIn that the potential shutdown of the CVE database has serious implications for business risk and national security. Likening CVE to a Dewey Decimal System for cybersecurity, she said its loss would be profound for researchers.
"Just like librarians trying to find a book in a disorganized library, cybersecurity professionals would be trying to defend your systems without knowing exactly what the threats are or where to find them," writes Easterly.
The ex-agency head adds that the loss of CVE would mean an increased risk of breaches and ransomware, higher costs for security, and a loss of trust of consumers and regulators.
Brian Martin, a computer vulnerabilities historian, said there would be "an immediate cascading effect" that will harm vulnerability management globally. Computer Emergency Response Teams (CERTs) would no longer have their major source of vulnerability intelligence at their disposal, Martin adds, while companies will experience "swift and sharp pains" in their security management programs.