US funding running out for critical cyber-vulnerability database: manager
The defence and research-focused nonprofit MITRE Corporation says funding from the US government runs out on Wednesday for it to maintain a critical database of cyber-vulnerabilities used by security researchers and digital defenders the world over.
MITRE manages the Common Vulnerabilities and Exposures (CVE) database, which aims to identify, define and catalog publicly disclosed cyber-weaknesses, enabling IT administrators to quickly flag and triage the myriad different bugs and hacks discovered daily.
The common numbering scheme, severity scale and detailed descriptions allow quick communication of highly technical information across organisations and around the world.
MITRE said in an e-mail that the funding "will expire" on Wednesday.
The Cybersecurity and Infrastructure Security Agency (CISA), whose parent agency funds the contract, confirmed the contract was ending and said: "We are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely."
Reuters couldn't establish the reason for the contract's lapse, but CISA is, like the rest of the federal government, undergoing a radical downsizing driven in part by tech tycoon Elon Musk's US DOGE Service. A spokesperson for DOGE didn't immediately reply to an e-mail.
Cyberdefenders said they were aghast at the news of the programme's lapse. One compared it to suddenly deleting all dictionaries.
"We'd lose the language and lingo we use to address problems in cybersecurity," said John Hammond, the principal security researcher at managed security company Huntress. He said he swore out loud when he heard the news.
"I really can't help but think this is just going to hurt."
Organisations around the world lean on the CVE database to triage which vulnerabilities in their digital products need immediate attention versus which ones can be put off, allowing them to manage when and how to update software or patch security holes.
Pulling the plug on the database would cause "an immediate cascading effect that will impact vulnerability management on a global scale", said Brian Martin, a historian of computer vulnerabilities.
He said computer emergency response teams — the digital first responders known as CERTs — would "no longer have that source of free vulnerability intelligence" and that "every company in the world" that relied on the database for vulnerability intelligence "is going to experience swift and sharp pains to their vulnerability management programme".