> A coalition of CVE Board members launched a new CVE Foundation "to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program."
This kind of consortium needs to explicitly avoid being captured by both the product vendors (who could be incentivised to manipulate the CVE issuance process to support their own remediation timescales), and by security companies (who could be incentivised to obtain a competitive advantage via preferential access to the CVE database).
It isn't impossible for a commercially-funded organisation to avoid this kind of capture, but it isn't easy either. My mind immediately jumps to the relationship between the Mozilla Foundation and Google.
CNAs [1] are assigned blocks of CVEs and then assign from within that block, but the system only works if there is overall administration of the CVE Program [2].
My concern is that a capture of the administration would become a capture of the entire programme. Looking at the structure, it seems possible that CISA are in a position to prevent any such capture but, given some of the recent positions taken by the US government, we'll need to wait and see how that plays out.
Yes, but it's a hierarchy. If you disagreed with their judgement you could always go up the chain, and MITRE can take the privilege away again if they think a vendor is misusing it.
The way their letter is worded it seems that they have a rainy day fund constituted to ride out the stormy next few weeks, and I'm fairly certain they'll come back with more details as to how they'll be acquiring funding from now on in the next few days. Maybe paid access to an API, maybe donations from large companies that use the system, maybe something else ::shrug::
Hopefully a project as important as this doesn't just disappear completely because of government pressure.
This smells like a quick attempt to enable phishing for vulnerabilities, and not a legit way to make progress. The comment is from a person that runs a security startup and the site is a google site that people can report to google as a scam. (Edit: downvote as you like it— perhaps my language was too harsh to help make the point clear. It is interesting how easily non-sec people fall for names and quotes and authority... building trust does not come overnight, in fact it is never fully there, and infosec experts would not fall for such supply chain redirections with questionable future. Hopefully we will not have to test this idea soon, though some level of reliability and long-term automation would be welcome. We need technical, generally agreed upon systems, not a “foundation”.)
> https://www.thecvefoundation.org
https://mastodon.social/@serghei/114346660986059236