From The Register —
The 25-year-old CVE program plays a huge role in vulnerability management. It is responsible for overseeing the assignment and organizing of unique CVE ID numbers, such as CVE-2014-0160 and CVE-2017-5754, for specific vulnerabilities, in this case OpenSSL’s Heartbleed and Intel’s Meltdown, so that when referring to particular flaws and patches, everyone is agreed on exactly what we’re all talking about.
It is used by companies big and small, developers, researchers, the public sector, and more as the primary system for identifying and squashing bugs. When multiple people find the same hole, CVEs are useful for ensuring everyone is working on that one specific issue rather than tracking it under different names.
It basically works like this: When an individual researcher or an organization discovers a new bug in some product, a CVE program partner — there are currently a few hundred across 40 countries — is asked to assess the vulnerability report and assign a unique CVE identifier for the flaw if and as necessary.
The program is sponsored, and largely funded, by the Cybersecurity and Infrastructure Security Agency, aka CISA, under the umbrella of the US Department of Homeland Security. It appears MITRE has been paid roughly $30 million since 2023 to run CVE and associated programs.
This funding ended last week. Keeping developers informed about vulnerabilities in a central location is a national security issue as well as a business issue. If your product is exploited and costs you money as a business owner, that is one thing; but if the thing that was exploited was a tool that other companies use as well, then the impact of the exploit could spread and affect huge swaths of the US economy, as Heartbleed showed.