Today, CISA – which has been the exclusive funder of the MITRE contract to run the CVE Program – announced that it will renew the contract after all. Thus, it seems we can count on the CVE Program being in place for another year.
However, I don’t need to tell you that this is no way to run a railroad. Given the NVD’s problems, which started in February 2024 and seem only to be getting worse as time goes by, and now the near-loss of the CVE Program, it is clear that government-run programs no longer make sense for vulnerability identification and databases, even though they may have been required in the early days of vulnerability management.
As I mentioned in my post yesterday, the OWASP SBOM Forum, a group that I lead that has been discussing vulnerability database and identification issues since the NVD’s semi-collapse in February 2024, will discuss the way forward on this issue at our regular biweekly meeting on Friday at 1PM ET. If you would like to join us, please drop me an email at the address below.
Don’t forget to donate! To produce these blog posts, I rely on support from people like you. If you appreciate my posts, please make that known by donating here. Any amount is welcome!
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.