Last Minute Save for the CVE Program

I am very glad that the Common Vulnerabilities and Exposures (CVE) program was re-funded by the US Government, specifically CISA (Cybersecurity and Infrastructure Security Agency), but this last-minute catch has raised serious concerns with the recent government cuts to cybersecurity programs that benefit US Critical Infrastructures, businesses, and individuals.

The CVE program is foundational as it tracks and disseminates information about digital vulnerabilities to the cybersecurity industry! This critical function is a lynchpin for the entire vulnerability management industry that strives to remedy discovered or exploited vulnerabilities in our global digital ecosystem.

I am even more excited in the announcement that the CVE board members are forming a nonprofit foundation as insurance from future actions by the US government, which may undermine the CVE program. This foundation will make sure the CVE program remains intact and openly available to all.

"Trust is earned in drips and lost in buckets!"

Unfortunately, many recent decisions to cut critical programs or expose sensitive data is undermining the trust that businesses have with government agencies. The public/private partnerships, which have been fostered for decades, are being questioned. Many businesses are wondering if they should still share information with government entities or work with them directly.

There is a growing disturbance across the cybersecurity community and the near abandonment of the CVE program is simply the latest issue. Security professionals are still hopeful that the value of protecting critical infrastructure sectors and the broader economy will play a more significant role in government decisions moving forward.

​