submitted 2 months ago by Tea@programming.dev to c/technology@lemmy.world
[-] wampus@lemmy.ca 28 points 2 months ago

I'm honestly not totally sure what to think about this one, though I recognise that it's a big shift/likely a negative overall result.

Reason I'm humming and hawing is that there are lots of expensive cybersecurity-type 'things' that rely on the CVE system without explicitly paying into that system / supporting it directly, from what I recall / have seen. Take someone like Tenable Security, who sell vulnerability scanners that extensively use/integrate with the CVE/NVD databases... companies pay Tenable huge amounts of money for those products. Has Tenable been paying anything into the 'shared' public resource pool? How about all those 'audit' companies, who charge like 10-30k per audit for doing 'vulnerability / penetration tests'?

IT Security has been an expensive/profitable area for a long time, while also relying on generally public/shared resources to facilitate a lot of the work. Maybe an 'industry' funded consortium is the more appropriate way to go.

[-] tortina_original@lemmy.world 37 points 2 months ago

What nonsense.

CVE was used by thousands and thousands of security professionals and organizations; companies are just a small part of it. Companies contributed a lot with their own research and the vulnerabilities they found and reported into CVE. It was useful because it made it easier to categorize and catalogue vulnerabilities, and it made everyone's life easier. Not just companies'. It made it easier for Linux distros as well. And so on, and so on. Do Americans really think everything needs to be run as a company and for profit?

I guess we'll now go back to the "good old days" of sharing bugs on Bugtraq.

I still can't comprehend that Americans voted that idiot into the White House. Again. The damage he is doing is out of this world and will only become apparent in years to come. Truly incredible.

[-] finder585@lemmy.world 10 points 2 months ago

Do Americans really think everything needs to be run as a company and for profit?

Unfortunately, many do. It's fuck'n baffling as to why.

I still can't comprehend that Americans voted that idiot into the White House.

Well, Russia, China, North Korea, and Iran (to name a few), with the assistance of tech-bro billionaires like Elon Musk and Mark Zuckerberg, have been waging an information war against the US for well over a decade. All that time, money and effort is finally paying off.

[-] wampus@lemmy.ca 2 points 2 months ago

Yeah, but that's sort of the point I was making... it was a data repository used by "thousands and thousands" of security professionals and organizations. So, people who were generating revenue off of the service. I mean, they're professionals, not hobbyists / home users.

I'm not an American, but in terms of everything running like a company / for profit, I'd say that it's best if things are sustainable / able to self-maintain. If the US cutting funding means this program can't survive, that's an issue. If it has value to a larger community, the larger community should be able to fund its operation. There's clearly a cost to maintaining the program, and there are clearly people who haven't contributed to paying that cost.

In terms of going back to whatever, the foundation involved is likely to sort out alternative funding, though potentially with decreased functionality (it sounds like they had agreements to pay for secondary vulnerability report reviews, which will likely need to get scaled back). Maybe they'll need to add in a fee for frequent feed pulls, or something similar. I wouldn't say it's completely toast or anything just yet.

[-] JasonDJ@lemmy.zip 1 point 2 months ago

Idk about Tenable specifically, but a lot of the major security vendors have their own pool of security researchers who very frequently contribute to CVE. Mostly from finding vulns in their own products, but a lot of those vulns are due to upstream libraries.

this post was submitted on 16 Apr 2025