alexmorley 2 days ago

Edit suggests the contract has been renewed last minute.

https://www.forbes.com/sites/kateoflahertyuk/2025/04/16/cve-...

  • Shank 2 days ago

    Are there any non-Forbes sources that confirm this?

    • shagie 2 days ago

      https://www.itpro.com/security/confusion-and-frustration-mit...

      > However, in an updated statement, the agency revealed it intends to maintain the database in a bid to prevent a lapse in CVE services.

      > “The CVE Program is invaluable to the cyber community and a priority of CISA,” a spokesperson said.

      > “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

      Searching for that last passage:

      https://www.bleepingcomputer.com/news/security/cisa-extends-...

      > "The CVE Program is invaluable to cyber community and a priority of CISA," the U.S. cybersecurity agency told BleepingComputer. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."

      And https://www.reuters.com/world/us/us-agency-extends-support-l...

      > WASHINGTON, April 16 (Reuters) - U.S. officials have said at the last minute that they're extending support for a critical database of cyber weaknesses whose funding was due to run out on Wednesday.

      > The planned lapse in payments for the MITRE Corp's Common Vulnerabilities and Exposures database spread alarm across the cybersecurity community. The database, which acts as a kind of catalog for cyber weaknesses, plays a key role in enabling IT administrators to quickly flag and triage the myriad different bugs and hacks discovered daily.

      • chris_wot 2 days ago

        Let me guess, Elon's DOGE crew were part of this and screwed up yet another thing that is essential for U.S. security?

        • shagie 2 days ago

          My {conspiracy | belief | suspicion} is that this was something that as part of the DoD they saw "Mitre Corporation" and that organization's relationship with MIT and were pulling funding for anything "elite liberal academia" (even distantly related) combined with the "we're pulling back from anything cybersecurity" ( https://news.ycombinator.com/item?id=43228029 ). (edit) I've run out of invocations of Hanlon's Razor and it needs a long rest before it's recharged. (/edit)

          I don't believe it was a mistake - they wanted to pull its funding (and still intend to do). Note the wording of the statement:

          > Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services.

          We are now in the option period.

          At some point in the future, that option period will expire.

          • neodymiumphish 2 days ago

            This type of option exercise is extremely common in government contracts. I don’t think there’s much to read into on that front.

            • shagie 2 days ago

              The option is common (the particulars of the award are at https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000019... ). The fact that the option needed to be done rather than DHS continuing to support CVE and related programs is an abandonment of the responsibilities of the organization to try to keep computer systems secure.

              https://www.cisa.gov/news-events/directives/bod-22-01-reduci...

              > A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

              > Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives.

              > Federal agencies are required to comply with DHS-developed directives.

              > ...

              > Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.

              If there's no catalog that the government is maintaining for "these things need to be fixed to run on federal systems" ... then how do you ensure that the federal computers are secure?

          • snickerbockers 2 days ago

            I would feel a lot better about my skills knowing that bigballs also had difficulty figuring out what the correct syntax is for this particular engine's version of \w and how many layers of backslash escapes are needed.

    • marcusb 2 days ago

      Just social media posts, with claims they received the info from CISA https://infosec.exchange/@metacurity/114347467581760027

      Supposedly, MITRE will make a statement today. Time will tell.

      Edit - it is MITRE, not CISA, which the poster expects to make a statement.

      • ForOldHack 2 days ago

        This was 0 minutes ago. Glad to see how important CVE is to security personnel.

        • marcusb 2 days ago

          ?

          Metacurity’s post was like 90 minutes ago.

hobofan 2 days ago

To all the comments doubting the legitimacy:

Here is a LinkedIn post by one of the CVE board members (literally the first one on the list here[0]): https://www.linkedin.com/posts/peterallor_cve-foundation-act...

I'm sure if you look at some of the contact information of other CVE board members and their broadcasting platforms you will also find something.

[0]: https://www.cve.org/programorganization/board

  • layer8 2 days ago

    Tod Beardsley seems to confirm it as well: https://infosec.exchange/@todb

    • Xunjin 2 days ago

      Ngl, I would love a more “clear confirmation”; he just boosted and posted a meme.

      • hobofan 2 days ago

        He boosted a post that is 1:1 an announcement of the project.

        How much more of a "clear confirmation" do you want? An announcement from their non-existent personal press secretaries that just says the exact same text as that post he boosted?

        I think people here need to take a step back and realize that the people and board involved here are more like Linux kernel maintainers that are not generally public figures and not C-level executives of a Fortune 500 company.

        Yes, since it's cybersecurity a bit more caution than usual is probably warranted, but it's not like the CVE DB has gone offline and everyone is currently scrambling to find the new legitimate replacement. Let's let this situation breathe for a few hours/days instead of being overly cautious and spending all energy on skepticism.

        • heresie-dabord 2 days ago

          > instead of being overly cautious and spending all energy on skepticism.

          Given the state of trustworthy information in news and public discourse, it's understandable that people request a credible source.

          The thing called "social media" ain't it.

        • Xunjin 2 days ago

          I've pointed out that I think a clearer confirmation (in this case an explicit message) would be better. You extrapolated to the other end, assuming that I wanted a press release, which I do feel is a false dichotomy. There is more than one existing option here, and a middle ground would certainly be perfect in this context.

Vox_Leone 2 days ago

I think it's time the biggest players in the software industry step up, maybe through a formal consortium. This model would make sense because they benefit the most. Big tech companies rely on CVEs to secure their own products.

They have the means. With their massive revenue and dedicated security teams, these companies could easily fund CVE operations. A consortium approach spreads responsibility fairly.

Shared responsibility, shared benefits. Security is everyone's problem.

  • jpleger 2 days ago

    Hahaha, CVE was created because industry refused to track and report on things in a consistent and transparent manner. When given the option, business will almost always choose the easy path, and things like vulnerability management programs will be set back years if not decades when the external accountability goes away.

    In general, lawyers and CTOs would probably love to see CVE go away or be taken over by industry.

    Source: been working in security for 20+ years.

    • SOLAR_FIELDS 2 days ago

      Because CVE means accountability. It’s very easy to shift accountability onto someone for an unpatched CVE. If given the chance to escape that accountability I’m sure every megacorp would jump at it.

    • anon6362 2 days ago

      Yup. I'd say around 15% of very severe incidents are ever announced publicly. In most cases, the default is cover-up and hope no one finds out.

      To anyone who thinks a libertarian/anarcho-capitalist/Network States "utopia" of Retire All Gubberment Employees (RAGE) is a "good thing", think about air, water, and soil pollution from sewage to arsenic to particulates to lead to radioactivity. Greedy sociopaths DGAF who they hurt, which is perhaps why James Madison observed: "If all men were angels, no government would be necessary." Obviously, this is not human nature and so some laws, enforcement, and regulators are required indefinitely. Anyone who tells you differently isn't a serious person.

  • blitzar 2 days ago

    > biggest players in the software industry step up

    While they are at it maybe chuck $5 to the dev maintaining the open source package that your trillion dollar corporation relies on, that your 50,000 leetcoders can't figure out how to write or live without.

  • nonrandomstring 2 days ago

    The last people I am ever going to trust about matters of security are US BigTech. Consortium or not. This idea has no legs. We absolutely need an international cyber threat intelligence network, with many checks, balances and oversights. If we're going to ask "who funds it?" then we need to ask "who really benefits from a technology industry?"

HelloNurse 2 days ago

As this is security, assume the worst: it isn't legit unless MITRE confirms a handover, and even in that case there's ample room for questioning.

bildiba 2 days ago

I haven't been actively monitoring for security vulnerabilities ever since I switched from system administration to software development a few decades back. These days, I just read news that talks about high profile vulnerabilities - I do see CVE a lot more than cert.

We used to look at cert: https://www.kb.cert.org/vuls/ I just did a quick search to confirm that it is still there.

What's the difference/relationship between the two?

  • iterance 2 days ago

    The primary difference is that CVE was unexpectedly killed by the US Government yesterday and the program terminates today.

    • readthenotes1 2 days ago

      How is the failure to renew a contract "unexpected"?

      Contracts have end dates. All parties on the contract know them.

      • Wingy 2 days ago

        I expect they didn’t see it not being renewed coming because the contract was renewed every time for the past 25 years.

rdl 2 days ago

Curious what the MITRE budget was. CISA funding for the CVE program isn't specifically broken out but "tens of millions of dollars per year" is what I've seen, which seems excessive, despite the CVE program being important.

  • sjones671 2 days ago

    $40 million per year.

    • Centigonal 2 days ago

      For the whole CVE database? That's a steal! One breach of a Capital One or similar destroys orders of magnitude more value.

bane 2 days ago

Hear me out, I wonder if the need for a decentralized database of data like this might be an actual good use for blockchains?

Requires consensus

Immutable

Distributed

A user who needs the CVE database thus just needs to grab a copy of the ledger off of bit torrent or wherever and parse it for all data or updates, etc. It's not like CVEs get lots of updates, and you need to keep track of all of them forever anyways. Updates could be handled by just adding another entry to the chain, and bad actors couldn't really tamper with it.

  • sph 2 days ago

    It does not require consensus. It does not need to be immutable. It’s simply advisory data. There is no gain if one owner decides to censor or tamper with their stored CVE data, apart from annoyance for its users.

    You’ll be quite fine with a centralised database and mirrors. We have been fine with that until now.

    All that we need is data to be freely available, shared and possibly that other institutions offer to catalogue software vulnerabilities to have some kind of redundancy and duplication.

    • bane 2 days ago

      Almost none of what you've said is correct regarding the use and purpose of the CVE database.

FateOfNations a day ago

As somewhat of an aside, this development doesn't necessarily mean much in the way of changes to the way the program is currently run. The foundation can act as a conduit/collection point for funding from industry, with the program remaining run under a contract with MITRE.

relistan 2 days ago

Hopefully this is legit. There is no real info. They say both that they are responding to the announcement and that they have been planning it for a year. I doubt that the last part was intensely planned or they’d likely have announced something sooner.

I suspect some likely fracturing of efforts here. Would be great if everyone did get behind a single solution. I’m not sure if this is it. A US-based non-profit is not maybe the best solution.

inktype 2 days ago

Comments are understandably negative as the press release has very little information, but I clicked vouch because I have a reason to believe it is legitimate

  • edent 2 days ago

    Care to share your reason with the rest of the class?

    • ForOldHack 2 days ago

      The Chinese, and Russians who share data with the N Koreans are prowling around like an oversexed pack of boy scouts 24 hours a day, 7 days a week, and not a single one took Easter week off. Worried?

      CrowdStrike turned into the worst piece of garbage since waferlocks...

      The single most profitable source of foreign funds for N Korea turns out to be stolen bitcoins, while gov officials are forcibly removed from their desks...

      What. Me. Worry?

      • __MatrixMan__ 2 days ago

        Packs are for cub scouts. It would be an oversexed troop.

OtherShrezzing 2 days ago

This is a Google Workspace site thrown up 11 hrs ago, and doesn't appear to be linked to from any official source.

I don't think it's credible that CVE as an organisation would produce this website and not link to it from their official site or social media accounts.

  • pama 2 days ago

    There is hope people will report this site and google will take it down quickly.

tptacek 2 days ago

If this holds up, this seems like a good outcome, a better place to end up than where we were before the US killed Mitre's contract.

_DeadFred_ 2 days ago

Funny people keep saying the government should 'move fast and break things' like Facebook, and leave out that Facebook has committed to $60 billion to $65 billion in expenses to do that process this year. But somehow when it's government moving fast and breaking things that also somehow includes 'having minimal expense'. Something something "Fast, Cheap, or Good, pick two." something something.

xyst 2 days ago

As I suspected in another thread, the gutting of the CVE program will lead to a fractured db of CVEs. Wonder how many more will pop up out of the woodwork.

excalibur 2 days ago

The letter was dated yesterday, and in response they spent the past year working on this?

  • HelloNurse 2 days ago

    "While we had hoped this day would not come, we have been preparing for this possibility.

    In response, a coalition ..."

    This sounds like secret, unofficial contingency planning; "this day" has apparently come very suddenly.

    • odo1242 2 days ago

      I doubt it’s meant to be “secret” contingency planning, but definitely unofficial contingency planning

    • excalibur 2 days ago

      On its face this sounds like a scheme quickly devised by a malicious actor to gain a trusted role. We're starting to see some external corroboration, so maybe it will turn out to be legitimate after all, but the smart money is always on skepticism.

      • HelloNurse 2 days ago

        Definitely. Not showing an immediate threat, such as a copy of the CVE database or a request for money, can be assumed to be the typical approach of a long con rather than a sign of goodwill.

LiamPowell 2 days ago

Edit: See other comments. Some CVE board members have posted this on their social media accounts; however, there's still nothing on any official CVE channels. It's a little concerning that this was upvoted to the top of the front page before those comments had been posted, given that this is a newly registered domain running on Google Sites for something that it says has been in the works for a year.

Original comment:

Why is this being upvoted? There's no reference to it on the CVE website and the domain was only registered after the letter leaked despite the website claiming this was in the works for a year.

Additionally, the WHOIS claims that the registrant is "CVE Foundation", which cannot be found using the IRS search tool for tax-exempt organisations (note that MITRE does show up here): https://apps.irs.gov/app/eos/

  • _verandaguy 2 days ago

    Seconding this. A program like CVE still has to be built on (to some extent, and at least in the initial stages) traditional, non-cryptographic trust.

    Who runs this thing? Who's funding it? Who's reviewing, testing, and approving the reports? Assigning them IDs?

    I'm hoping for the best, and I'm willing to give the benefit of the doubt because of the frankly crap timing around this whole mess, but on its face, in its current state, I wouldn't trust this org at all.

    • ForOldHack 2 days ago

      It's a sad day when the CVE has to issue a CVE for the U.S. government. The meta... The meta ...

  • stavros 2 days ago

    We're all just happy to see it.

    • ForOldHack 2 days ago

      Extremely. We are all extremely happy to see it. No data sharing with the White House, keep the tsunami at bay.

      Not, "All your updates are belong to us."

      And...

      A personal thanks to every security researcher who has contributed in the last year. I see a CVE, and specifically look for the out-of-band update and patch everything that powers up.

      One breach on an old lady's laptop, who had the sense to bring it right to me. Keep those covers on the cameras folks.

LunaSea 2 days ago

The Foundation should refuse to provide data to US governmental services and affiliated companies providing services to it.

ta1243 2 days ago

Yeah, in the USA, where organisations and officers are continually threatened by an adversarial government.

No thanks.

Harvard for example doesn't kowtow to the regime, and look what happens. Non-profits in the USA are not independent.

  • throwawaymaths 2 days ago

    A non profit is independent if they don't take federal money? Like EFF, for example.

    Maybe CVEs should be tracked by a nongovernmental agency, like how UL works.

    • mschuster91 2 days ago

      > A non profit is independent if they don't take federal money? Like EFF, for example.

      The problem is the seat of the non-profit, as long as it is in the US it remains vulnerable to stuff like gag orders (and the UK is similar, see the recent issues with Apple and E2E encryption), or just the administration plainly ignoring the law and just forcing it to shut down or whatnot.

      > Maybe CVEs should be tracked by a nongovernmental agency, like how UL works.

      The current administration has attacked multiple nongovernmental agencies already, or trampled over federal law.

      The only thing I'd trust for now to be a safe haven would be an international organization like the WHO that's backed by diplomatic treaties - but even these aren't safe either, just look at the ICC vs Israel debate, or the constant attacks and conspiracy theories on the WHO.

      • dmix 2 days ago

        > as long as it is in the US it remains vulnerable to stuff like gag orders

        Only under FISA warrants where you can't reveal the investigation to the public or during a regular trial if the judge determines leaking details of the case will impact justice AFAIK.

        • mschuster91 2 days ago

          Do you trust this administration to respect the rule of law to that degree? That is the core issue IMHO.

          • throwawaymaths 2 days ago

            Probably less than most (but not all) administrations. Almost every administration has trampled on the rule of law. FDR and Wilson come to mind as among the worst. At least this administration has many vocal eyes on it.

      • throwawaymaths 2 days ago

        > WHO conspiracy theory

        OK well we know where you stand on that issue. Too bad pretty much every working molecular biologist agrees that the WHO is covering up COVID origins.

  • ape4 2 days ago

    It's not hard to imagine the current regime complaining about a CVE issued about a product made by a favored company - eg x.com

  • odo1242 2 days ago

    Harvard takes a lot of federal money. On the order of millions to billions of dollars.

    • brazzy 2 days ago

      However, they just refused demands to compromise their principles in order to keep receiving those billions, while many other organizations caved in to the threats.

1970-01-01 2 days ago

There's nothing official about CVE moving. Why should I trust anything on thecvefoundation.org? If you're going to do it, be serious about all of it. Set up something like "CVE.arpa" which immediately displays very serious credibility. Write an official handoff letter. Put out an official statement for its new home. What has been done here is another half-baked half-measure attempt at solving a very political problem.