Note from Tom: As of August 11, my new posts will only be available to paid subscribers on Substack. Subscriptions cost $30 per year (or $5 per month); anyone who can’t afford to pay that should email me, since I want everyone to be able to read the posts. To have uninterrupted access to my new posts, please open a paid Substack subscription or upgrade your free Substack subscription to a paid one.
Last Thursday, at the Black Hat conference in Las Vegas, two
CISA officials committed
to “supporting the MITRE-backed Common Vulnerabilities and Exposures Program,
just months after it faced a near complete lapse in funding” (quoting from Nextgov/FCW).
Given that someone at CISA almost cut off funding for the program in April
(although others tried – very
unconvincingly – to deny this was anything more than an administrative
glitch), it was good to hear this.
A MITRE[i]
official set off this firestorm with his letter to the CVE Board members on
April 15. The letter stated that the contract wasn’t going to be renewed and
the program would be cancelled. However, this was followed shortly afterwards by
an announcement that a group of CVE Board members (and others) were already putting
together the framework (and funding) for a privately-run nonprofit organization
called the CVE Foundation. Over
the next few weeks, the group proceeded to fill in many of the details of their
story (this effort had been ongoing for a few months, but it hadn’t been announced
previously. Of course, this was because at the time there didn’t seem to be
any need to rush the announcement).
The Foundation is an international effort, which already –
from what I hear – has more than enough funding promised for them to take over
the MITRE contract when it comes up for renewal next March (the funding will
come from both private and government sources, although I’m guessing that the
US government isn’t currently supporting it). However, they intend to be much
more than an “In case of emergency, break glass” option if CISA doesn’t renew
the contract (which I still think is very likely, no matter what the two
gentlemen – neither of whom has been at CISA very long – said at Black Hat).
The CVE Foundation was founded (and is led) by a few CVE
Board members who have been involved with the CVE Program since its early days.
Since then, they have been part of the numerous discussions about how the
program can be improved (the Foundation is now led by Pete Allor, former
Director of Product Security for Red Hat. Pete has been very involved with the
CVE Program since 1999. He is an active Board member).
While the CVE Program, in my opinion, has done an
exceptional job and continues to do so, the fact is that government-run
programs almost without exception are hampered by the constraints imposed by
the same bureaucracy that often makes government agencies a stable,
not-terribly-challenging place to work. That is, they don’t exactly welcome
new, innovative ideas and they make it hard to get anything done in what most
of us consider a reasonable amount of time.
This week, one well-regarded person who has worked with the CVE
Program for 10-15 years and is a longtime Board member, wrote on an email thread
for one of the CVE working groups that he was happy to be part of the CVE
Foundation from now on. He wrote that, while he enjoyed working with the CVE program,
“…we measure progress in months and years instead of weeks.” Like others, he
has many ideas for improvements that can be made to the program, but hasn’t
seen it make much progress in
implementing them so far. I’m sure he’s quite happy to have the chance to have
a serious discussion about these and other changes, assuming the CVE Foundation
is placed in charge of the CVE Program.
However, if CISA somehow remains in control of the CVE
Program (i.e., the contract remains with them), it will be a very different picture.
I don’t think CISA ever had a big role in the operation of the program (beyond
having one or two people on the CVE Board and of course paying MITRE under
their contract). Moreover, CISA is unlikely to take a big role if it remains as
the funder of the program.
If CISA retains control of the contract, MITRE will remain in
day-to-day charge of the program. As I said, I think MITRE has done a good job
so far, but like any government contractor, they must adhere strictly to the terms
of their contract. If someone comes up with a great new idea that requires more
money, or even just re-deploying people from what they’re doing now, the only thing
that can be done is put it on the to-do list for the next contract negotiation.
My guess is that, when MITRE’s contract comes up for negotiation
next year, the CVE Foundation will take it over from CISA; it’s hard to imagine
that, given the huge personnel cuts that are being executed now in the agency, there
will be a big effort to retain control of a contract that costs CISA around $47
million a year.
There’s also no question that the CVE Foundation will write their
own contract with MITRE. It will require MITRE staff members to do the
day-to-day work of the CVE Program, but it will give the Foundation a big role
in determining its priorities. Frankly, I think the MITRE people – who are all
quite smart, at least the ones I’ve worked with – will be just as happy as anyone
else to see the program achieve more of its potential than it does now.
I also think the CVE Foundation will try to resolve some serious
problems with the current CVE Program. Doing that has been put off so far, because
the problems are very difficult to fix. For example, up until about ten years
ago, MITRE created all new CVE records. That meant that CVE Records were fairly
consistent, but as the number of new records increased every year, MITRE simply
couldn’t keep up with the new workload.
At that point, the CVE Program moved to a “federated” approach,
in which CVE Numbering Authorities (CNAs) were appointed. These included some
of the largest software developers, who reported vulnerabilities in their own
software as well as vulnerabilities in the products of other developers (in
their “scope”). Today, there are 463 CNAs of many types (including GitHub, ENISA,
JP-CERT and the Linux Foundation).
Of course, it’s good that so many organizations have volunteered
to become CNAs; the problem is that this has led to huge inconsistencies in CVE
records. For example, a lot of CNAs don’t include CVSS scores or CPE names in
the new records they create[ii];
the CVE Program (i.e., MITRE staff members) has been reluctant to press them to
do this. If CISA had made this problem a priority, they could have addressed it
during contract negotiations with MITRE.
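The inconsistency described above is easy to measure once records are in hand. The following is an added example, not code from the post or from the CVE Program: it audits a small set of constructed CVE JSON 5.x records and flags those whose CNA container carries no CVSS metric or no CPE name. The field paths it walks (containers.cna.metrics[].cvssV3_1 and friends, containers.cna.affected[].cpes) are my reading of the CVE Record Format 5.x schema and should be checked against the published schema before the script is pointed at a real feed; the record ids are placeholders.

```python
"""Audit CVE JSON 5.x records for the gaps the post describes: CNA-authored
records that ship without a CVSS score and/or without CPE names.

Assumed field layout (CVE Record Format 5.x, as understood by the author of
this example; not stated in the post): CVSS objects sit under
containers.cna.metrics[] as cvssV4_0 / cvssV3_1 / cvssV3_0 / cvssV2_0, and
CPE names sit in the optional cpes[] list of each containers.cna.affected[]
entry. Verify these paths against the published schema before relying on them.
"""
import json

CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")


def has_cvss(record):
    """True if any CNA metrics entry holds a CVSS object with a vectorString."""
    metrics = record.get("containers", {}).get("cna", {}).get("metrics", [])
    for entry in metrics:
        for key in CVSS_KEYS:
            obj = entry.get(key)
            if isinstance(obj, dict) and obj.get("vectorString"):
                return True
    return False


def has_cpe(record):
    """True if at least one affected entry lists a CPE name."""
    affected = record.get("containers", {}).get("cna", {}).get("affected", [])
    return any(entry.get("cpes") for entry in affected)


def audit_record(record):
    """Return the record id plus the list of enrichment fields it lacks."""
    cve_id = record.get("cveMetadata", {}).get("cveId", "<no id>")
    missing = []
    if not has_cvss(record):
        missing.append("cvss")
    if not has_cpe(record):
        missing.append("cpe")
    return {"cveId": cve_id, "missing": missing}


def audit_records(records):
    """Audit a list of records; return per-record findings and summary counts."""
    findings = [audit_record(r) for r in records]
    summary = {
        "total": len(findings),
        "missing_cvss": sum("cvss" in f["missing"] for f in findings),
        "missing_cpe": sum("cpe" in f["missing"] for f in findings),
        "incomplete": sum(bool(f["missing"]) for f in findings),
    }
    return findings, summary


# Constructed sample records with placeholder ids (CVE-0000-000x are not real).
# Record 1 is fully enriched, record 2 lacks CPEs, record 3 lacks both.
SAMPLE_RECORDS_JSON = """
[
  {"cveMetadata": {"cveId": "CVE-0000-0001"},
   "containers": {"cna": {
     "metrics": [{"cvssV3_1": {"baseScore": 9.8,
       "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
     "affected": [{"vendor": "example", "product": "widget",
       "cpes": ["cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"]}]}}},
  {"cveMetadata": {"cveId": "CVE-0000-0002"},
   "containers": {"cna": {
     "metrics": [{"cvssV3_1": {"baseScore": 5.3,
       "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}],
     "affected": [{"vendor": "example", "product": "gadget"}]}}},
  {"cveMetadata": {"cveId": "CVE-0000-0003"},
   "containers": {"cna": {
     "affected": [{"vendor": "example", "product": "gizmo"}]}}}
]
"""


def load_samples():
    """Parse the constructed sample records embedded above."""
    return json.loads(SAMPLE_RECORDS_JSON)


if __name__ == "__main__":
    found, totals = audit_records(load_samples())
    for f in found:
        print(f["cveId"], "missing:", ", ".join(f["missing"]) or "nothing")
    print(totals)
```

Pointed at a directory of real records, the summary counts give the kind of figure (share of CNA records with no score, no CPE, or neither) that a program office could track release over release; the per-record findings are what a downstream consumer would use to decide which records still need NVD-style enrichment before they are useful for matching against an inventory.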
So, I see good things ahead for the CVE Program. However,
that requires moving MITRE’s contract from CISA to the CVE Foundation next
March. I confess I don’t want this to happen next March; I want it to happen
tomorrow.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com, or even better, sign up as a free subscriber to this blog’s Substack community chat and make your comment there.
[i]
MITRE is a nonprofit Federally Funded R&D Corporation (FFRDC) that has
operated the CVE program on behalf of DHS since its inception in 1999 (CISA
came into being six years ago). The idea for CVE came from MITRE researchers.
[ii]
Many CNAs will tell you that the National Vulnerability Database (NVD) had longstanding
policies that they would create CVSS scores and CPE names, and add them to the record;
in fact, if the CNA created either of these items, the NVD would discard what
the CNA created and substitute their own. Fortunately, the NVD now has a new
leader. Hopefully, that will lead to a lot of change there; it’s sorely needed.