snabelen.no er en av mange uavhengige Mastodon-servere du kan bruke for å delta i det desentraliserte sosiale nettet.
Ein norsk heimstad for den desentraliserte mikroblogge-plattformen.

Administrert av:

Serverstatistikk:

358
aktive brukere

Wow. CVE database is in serious trouble, tomorrow.

The cyber industry as a whole is in trouble also really, it’s the elephant in the room - the collapse of the White House’s support for cybersecurity is obvious and pronounced due to widespread cutbacks.

My take on the CVE contract issue for businesses: don’t overreact, wait and see what impacts are.

The NVD backlog was already pretty crazy.. the US gov has gotta put real funding into this area if it wants to retain control of cyber standards.

Just as an update to this - @briankrebs has confirmed with MITRE the letter is real, and as it stands the CVE database is likely to go offline tomorrow.

To widen it out - CVE is the globally recognised system orgs use for vulnerability management.

Every vulnerability management product uses CVEs. Vulnerability management is a core part of cybersecurity - often, the most important part.

Additionally, CVE is written into several US government standards that orgs have to follow.

So the US Government not funding it is a major and historic own goal.

There's an argument that MITRE should try to keep everything alive and run things without funding and contracts etc.. but, honestly? My take - stop doing everything that isn't in the contract. Force the issue.

If you want to know how stupid the CVE situation is - CISA are trying to source last minute funding or look at taking CVE management in house, but they themselves have had a massive budget cut where the staff trying to fix it are also at risk of being cut.

CISA have, at the last minute, extended the MITRE CVE contract. “The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.” HT @metacurity

It’s unclear how long it has been extended for.

Now all we need is for Breachforums to get back online and the threat intelligence industry is alive again!