new | ask | show | jobs
shagie 3 days ago  [ - ]

https://www.itpro.com/security/confusion-and-frustration-mit...

> However, in an updated statement, the agency revealed it intends to maintain the database in a bid to prevent a lapse in CVE services.

> “The CVE Program is invaluable to the cyber community and a priority of CISA,” a spokesperson said.

> “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

Searching for that last passage:

https://www.bleepingcomputer.com/news/security/cisa-extends-...

> "The CVE Program is invaluable to cyber community and a priority of CISA," the U.S. cybersecurity agency told BleepingComputer. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."

And https://www.reuters.com/world/us/us-agency-extends-support-l...

> WASHINGTON, April 16 (Reuters) - U.S. officials have said at the last minute that they're extending support for a critical database of cyber weaknesses whose funding was due to run out on Wednesday.

> The planned lapse in payments for the MITRE Corp's Common Vulnerabilities and Exposures database spread alarm across the cybersecurity community. The database, which acts as a kind of catalog for cyber weaknesses, plays a key role in enabling IT administrators to quickly flag and triage the myriad different bugs and hacks discovered daily.

chris_wot 3 days ago  [ - ]

Let me guess, Elon's DOGE crew were part of this and screwed up yet another thing that is essential for U.S. security?

shagie 3 days ago  [ - ]

My {conspiracy | belief | suspicion} is that this was something that as part of the DoD they saw "Mitre Corporation" and that organization's relationship with MIT and were pulling funding for anything "elite liberal academia" (even distantly related) combined with the "we're pulling back from anything cybersecurity" ( https://news.ycombinator.com/item?id=43228029 ). (edit) I've run out of invocations of Hanlon's Razor and it needs a long rest before its recharged. (/edit)

I don't believe it was a mistake - they wanted to pull its funding (and still intend to do). Note the wording of the statement:

> Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services.

We are now in the option period.

At some point in the future, that option period will expire.

neodymiumphish 3 days ago  [ - ]

This type of option exercise is extremely common in government contracts. I don’t think there’s much to read into on that front.

shagie 3 days ago  [ - ]

The option is common (its particulars of the award is at https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000019... ). The fact that the option needed to be done rather than DHS continuing to support CVE and related programs is an abandonment of the responsibilities of the organization to try to keep computer systems secure.

https://www.cisa.gov/news-events/directives/bod-22-01-reduci...

   A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

   Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives.

   Federal agencies are required to comply with DHS-developed directives.

   ...

   Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.
If there's no catalog that the government is maintaining for "these things need to be fixed to run on federal systems" ... then how do you ensure that the federal computers are secure?
snickerbockers 3 days ago  [ - ]

I would feel a lot better about my skills knowing that bigballs also had difficulty figuring out what the correct syntax for this particular engine's version of \w and how many layers of backslash escapes are needed.