How does this affect our CVE Security Monitoring service?
The inventory data are publicly available. They are mirrored at various locations, including emlix. If the MITRE Corporation's servers are not shut down, most probably only existing CNAs (CVE Numbering Authorities) will continue to assign new CVE numbers. These organizations typically have a number range and can request additional blocks. In extreme cases, the traditional CVE numbering system may be abandoned, and new schemas would emerge to identify security vulnerabilities.
The content work, including identifying and fixing security vulnerabilities and writing corresponding advisories, is not done by the MITRE Corporation but rather by manufacturers, projects, and other active players in this field.
CNAs are only responsible for assigning unique CVE numbers and maintaining related data, such as affected versions. One significant CNA is, for example, the Linux Kernel Community. Large Linux distributions like Red Hat, big tech companies (e.g., Google), CPU manufacturers, or industry associations like VDE also act as CNAs.
While CNAs can operate independently of the MITRE Corporation, losing this central authority may lead to disorganization in CVE processing. Rather than one central source, multiple sources would need to be scanned.
The emlix CVE Security Monitoring service has relied on data from various sources for more than 15 years. The MITRE Corporation's database is only one of those. If funding for CVEs cannot be secured, our diversification of sources will become even more evident. In this case, we are well-prepared structurally and with our tools and processes.
It's unclear whether a centralized assessment of CVEs by the National Vulnerability Database (NVD) at the National Institute of Standards and Technology (NIST) would still take place. In such cases, the assessment of CVEs would gain even greater importance.
We will continue to monitor the situation and inform you if necessary.
We may experience some delays in reporting or need to highlight temporary gaps in individual areas. You can expect us to keep you updated on this.
If you have any questions, please do not hesitate to contact us.